Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in @fhkry/x-baileys (npm)

@fhkry/x-baileys

Risk score

92

AI summary

Indexed incident for @fhkry/x-baileys (npm).

Description

This package presents itself as a fork of @whiskeysockets/baileys (impersonating the original author 'Adhiraj Singh' in package.json and exposing the same makeWASocket API surface) but adds undocumented covert behavior in lib/Socket/newsletter.js. Two side effects fire on any consumer that creates a WhatsApp socket with this library:

  1. A setTimeout 120 seconds after socket creation base64-decodes a hardcoded URL (https://raw.githubusercontent.com/Fhkryy/Fhkry/refs/heads/main/peler.json) — the URL is stored as the base64 literal aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0Zoa3J5eS9GaGtyeS9yZWZzL2hlYWRzL21haW4vcGVsZXIuanNvbg== to hide it from casual inspection. The fetched JSON contains base64-encoded WhatsApp newsletter IDs, and the code silently calls newsletterWMexQuery(id, QueryIds.FOLLOW) for each one using the installer's authenticated WhatsApp account.

  2. A connection.update handler invokes autoJoinWhatsAppGroups when the connection opens, iterating a hardcoded list (currently https://chat.whatsapp.com/C8n8s4Yj1G42wdkAwDP7rP) and calling sock.groupAcceptInvite / groupAcceptInviteV4 to silently join attacker-chosen WhatsApp groups under the installer's identity.

Both lists are mutable (raw.githubusercontent.com main branch + package updates), so the attacker can rotate destinations at will. Every developer using this library to run a WhatsApp bot has their account hijacked into following newsletters and joining groups of the attacker's choosing — a silent-relay of the consumer's WhatsApp identity to attacker-curated spaces. The package's homepage field points to a different scope (@fhkryy/x-baileys) than the package name (@fhkry/x-baileys), and the author field falsely names the original Baileys maintainer, confirming impersonation intent.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.3.0=1.4.0=1.0.0=1.7.0=1.1.0=1.6.0=1.2.0=1.5.0>=0

Indicators

  • Advisory IDs
    90%
  • affected version=1.3.075%
  • affected version=1.4.075%
  • affected version=1.0.075%
  • affected version=1.7.075%
  • affected version=1.1.075%
  • affected version=1.6.075%
  • affected version=1.2.075%
  • affected version=1.5.075%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents