npm · Malicious package advisory
Malware@shadowmd/libsignal-node
MAL-2026-4442
Malicious code in @shadowmd/libsignal-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (51bcabb5263ecf1f1259bd5969a921866dbb808da4fda7b9d7708baeb60c21e6) Package name and description impersonate the Open Whisper Systems libsignal-node library. On require(), index.js schedules install.js, which locates an installed @whiskeysockets/baileys package in node_modules and overwrites lib/Socket/newsletter.js with attacker-supplied source via fs.writeFileSync. The injected newsletter.js contains a setTimeout that, 120 seconds after socket startup, issues a newsletter FOLLOW query for the hardcoded WhatsApp channel ID '120363407277177688@newsletter', silently subscribing every WhatsApp account managed by the host application to an attacker-controlled channel. After tampering, install.js writes a sentinel file named '.cache' containing 'Iove' inside Baileys' node_modules so the patch only runs once, then schedules process.exit(0) 20 seconds later to terminate the host process and obscure the modification timing. Modifying another installed package's source on require is an unambiguous supply-chain attack: any downstream user of the consuming application is silently coerced into following attacker content, and the integrity of the legitimate Baileys install is destroyed install-side.
Compromised versions (1)
- 8.6.59
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.