Carder.life

Fake WhatsApp developer libraries hide destructive data-wiping code

Artifact 08-08-2025 11:01 AM

<div id="post_message_808040">

Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer's computer.<br/>
<br/>
Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code.<br/>
<br/>
The packages, <a href="https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch" target="_blank">discovered by researchers at Socket</a>, masquerade as WhatsApp socket libraries and were downloaded over 1,100 times since their publication last month.<br/>
<br/>
Despite Socket having filed takedown requests and flagging the publisher, nayflore, both remain available at the time of writing.<br/>
<br/>
The names of the two malicious packages are <a href="https://www.npmjs.com/package/naya-flore" target="_blank">naya-flore</a> and <a href="https://www.npmjs.com/package/nvlore-hsc" target="_blank">nvlore-hsc</a>, though the same publisher has submitted more on NPM, like nouku-search, very-nay, naya-clone, node-smsk, and @veryflore/disc.<br/>
<br/>
Although these additional five packages are not currently malicious, extreme caution is advised, as an update pushed at any time could inject dangerous code.<br/>
<br/>
All these packages mimic legitimate WhatsApp developer libraries used for building bots and automation tools around the WhatsApp Business API.<br/>
<br/>
Socket notes that these libraries have recently experienced a significant surge in demand, as more businesses utilize WhatsApp's Cloud API for customer communication.<br/>
<br/>
<b><font size="4"><font color="White">Wiper code</font></font></b><br/>
<br/>
Both naya-flore and nvlore-hsc contain a function called 'requestPairingCode', which is supposed to handle WhatsApp pairing but which retrieves a base64 JSON file from a GitHub address.<br/>
<br/>
The JSON file contains a list of Indonesian phone numbers that act as a kill switch, excluding owners of these numbers from the malicious functionality.<br/>
<br/>
For the rest (valid targets), the code executes the 'rm -rf *' command, which deletes all files recursively in the current directory, effectively wiping code from the developer's system.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/wiper.jpg"/><br/>
<i>The data wiping code. Source: Socket</i><br/>
<br/>
Socket also discovered a dormant data exfiltration function ('generateCreeds'), which could exfiltrate the victim's phone number, device ID, status, and hardcoded key. This function is present but commented out in both packages, so it's disabled.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/data-exfil.jpg"/><br/>
<i>The currently disabled data exfiltration function. Source: Socket</i><br/>
<br/>
<b><font size="4"><font color="white">Go ecosystem hit too</font></font></b><br/>
<br/>
In parallel news, Socket also <a href="https://socket.dev/blog/11-malicious-go-packages-distribute-obfuscated-remote-payloads" target="_blank">discovered 11 malicious Go packages</a> that use string-array obfuscation to silently execute remote payloads at runtime.<br/>
<br/>
These packages spawn a shell, fetch a second-stage script or executable from .icu or .tech domains, and run it in memory, targeting both Linux CI servers and Windows workstations.<br/>
<br/>
The majority of the packages are typosquats, meaning they rely on developer typos and confusion to trick them into downloading them.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/linker.jpg"/><br/>
<i>Search results containing links to a malicious package. Source: Socket</i><br/>
<br/>
The malicious packages and their locations are listed below:
<ul>
<li>github.com/stripedconsu/linker</li>
<li>github.com/agitatedleopa/stm</li>
<li>github.com/expertsandba/opt</li>
<li>github.com/wetteepee/hcloud-ip-floater</li>
<li>github.com/weightycine/replika</li>
<li>github.com/ordinarymea/tnsr_ids</li>
<li>github.com/ordinarymea/TNSR_IDS</li>
<li>github.com/cavernouskina/mcp-go</li>
<li>github.com/lastnymph/gouid</li>
<li>github.com/sinfulsky/gouid</li>
<li>github.com/briefinitia/gouid</li>
</ul>
Most of them are still live, so Go developers are advised to be very cautious and double-check their building blocks before using them in their environments.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/fake-whatsapp-developer-libraries-hide-destructive-data-wiping-code" target="_blank">@ BleepingComputer </a>
</div>
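Added example for readers who want to check their own projects against this report; it is not code from the BleepingComputer article, from Socket, or from the packages described. The script takes the package names the article lists (the two malicious npm packages, the five watch-only packages from the same publisher, and the eleven Go module paths), looks for them in a project's package.json and go.mod, and applies a crude static heuristic derived from the article's description of the wiper (a child_process import combined with an "rm -rf" command string). The function names, the sample manifests and the sample source file are all constructed for this example.

```javascript
// Added example, not from the article, Socket, or the packages it describes.
// Names below are taken from the article; everything else is constructed.
const NPM_MALICIOUS = new Set(['naya-flore', 'nvlore-hsc']);
// Same publisher, reported as not currently malicious: flag as "watch".
const NPM_WATCH = new Set(['nouku-search', 'very-nay', 'naya-clone', 'node-smsk', '@veryflore/disc']);
const GO_MALICIOUS = new Set([
  'github.com/stripedconsu/linker',
  'github.com/agitatedleopa/stm',
  'github.com/expertsandba/opt',
  'github.com/wetteepee/hcloud-ip-floater',
  'github.com/weightycine/replika',
  'github.com/ordinarymea/tnsr_ids',
  'github.com/ordinarymea/TNSR_IDS',
  'github.com/cavernouskina/mcp-go',
  'github.com/lastnymph/gouid',
  'github.com/sinfulsky/gouid',
  'github.com/briefinitia/gouid',
]);

// Check every dependency section of a package.json (passed as text) against the lists.
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (NPM_MALICIOUS.has(name)) findings.push({ name, section, severity: 'malicious' });
      else if (NPM_WATCH.has(name)) findings.push({ name, section, severity: 'watch' });
    }
  }
  return findings;
}

// Extract module paths from go.mod require lines (single-line and block form)
// and return the ones that appear in the article's list. Exact match, so both
// case variants of the tnsr_ids module are caught.
function checkGoMod(text) {
  const findings = [];
  let inBlock = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('require (')) { inBlock = true; continue; }
    if (inBlock && line === ')') { inBlock = false; continue; }
    let modPath = null;
    if (inBlock) modPath = line.split(/\s+/)[0];
    else if (line.startsWith('require ')) modPath = line.split(/\s+/)[1];
    if (modPath && GO_MALICIOUS.has(modPath)) findings.push(modPath);
  }
  return findings;
}

// Crude static heuristic for the behaviour the article describes: a file that
// imports child_process and contains an "rm -rf" command string. It will miss
// obfuscated code and can flag legitimate build scripts; treat hits as leads.
function scanForWiperPattern(source) {
  const usesChildProcess =
    /require\(\s*['"](node:)?child_process['"]\s*\)|from\s+['"](node:)?child_process['"]/.test(source);
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (/\brm\s+-(rf|fr|r)\b/.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return { usesChildProcess, hits, suspicious: usesChildProcess && hits.length > 0 };
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'wa-bot-example',
  dependencies: { express: '^4.19.0', 'naya-flore': '^1.0.0' },
  devDependencies: { 'naya-clone': '^1.0.0' },
});
const SAMPLE_GO_MOD = [
  'module example.com/ci-job', '', 'go 1.22', '',
  'require (', '\tgithub.com/lastnymph/gouid v1.0.0', '\tgolang.org/x/sys v0.20.0', ')',
  'require github.com/wetteepee/hcloud-ip-floater v0.1.0', '',
].join('\n');
// Stand-in for a dependency file showing the shape the article describes.
const SAMPLE_SOURCE = [
  "const { exec } = require('child_process');",
  'async function requestPairingCode(phone) {',
  '  const allow = await loadAllowList(); // constructed stand-in for the remote list',
  "  if (!allow.includes(phone)) exec('rm -rf *');",
  '}',
].join('\n');

// Run all three checks over the samples and return the combined report.
function report() {
  return {
    npm: checkPackageJson(SAMPLE_PACKAGE_JSON),
    go: checkGoMod(SAMPLE_GO_MOD),
    wiper: scanForWiperPattern(SAMPLE_SOURCE),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To run it against a real checkout, pass the contents of the project's package.json, go.mod and the files under node_modules (for example via fs.readFileSync) to the three functions instead of the constructed samples. A name match is definitive for the listed packages; the wiper heuristic only narrows down which files deserve a manual read.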

