Cybersecurity researchers have uncovered a malicious software tool that exposes WhatsApp accounts by secretly giving hackers access to users’ messages and contacts.
The tool, called lotusbail, was published on the npm software repository and appeared to be a normal WhatsApp API library for developers. Researchers say it was designed to look legitimate, but in reality it allowed attackers to spy on WhatsApp activity.
Under the cover of a functional tool, the malware “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server,” Tuval Admoni, a Koi Security researcher, said in a report published over the weekend.
Once a developer used the tool to connect an app to WhatsApp, the malware automatically became active. It captured login information, intercepted messages, and copied contact lists, media files, and documents. The stolen data was then sent, in encrypted form, to servers controlled by the attackers.
The software also abused WhatsApp’s device-linking feature. During setup, it quietly linked the attacker’s device to the victim’s WhatsApp account. This gave the attacker ongoing access to conversations and contacts, often without the user noticing.
Even if the malicious tool is later removed, the attacker’s access can continue because the linked device stays connected until it is manually removed in WhatsApp’s settings.
Researchers said the package was downloaded more than 56,000 times, showing how easily harmful software can spread through trusted developer platforms. The malware required no special action from the victim: it activated during normal use of the library, making it difficult to detect.
Security experts say the case highlights growing risks from software supply-chain attacks, where malicious code is hidden inside tools that appear safe and functional.
Developers and users are being advised to avoid unofficial WhatsApp tools, carefully review third-party software, and regularly check the list of devices linked to their WhatsApp accounts.