VYPR

npm · Malicious package advisory

Malware

@shinzepelly/libsignal-node

MAL-2026-4443

Malicious code in @shinzepelly/libsignal-node (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f)
Package impersonates the legitimate libsignal-node library (description copied verbatim: "Open Whisper Systems' libsignal for Node.js") under an unrelated scope. On require(), index.js schedules install.js, which overwrites `node_modules/@whiskeysockets/baileys/lib/Socket/newsletter.js` with an attacker-supplied replacement and writes a marker file `.cache` containing 'Iove' to suppress re-patching. The injected newsletter.js, on a 120-second delay at runtime, fetches `https://raw.githubusercontent.com/zelxopz/idnews-ch/refs/heads/main/news.json` (mutable branch, personal GitHub account unrelated to baileys or libsignal) and iterates the returned IDs to call `newsletterWMexQuery(id, QueryIds.FOLLOW)` on the installer's authenticated WhatsApp session, retrying every 11 seconds. After patching, install.js calls `process.exit(0)` 20 seconds later to terminate the host process so the patched module is loaded fresh on next start. Net effect: the installer's WhatsApp identity is silently weaponized to follow attacker-controlled newsletter channels chosen by editing a single JSON file in the attacker's repo, the installer's other installed dependency is corrupted on disk, and the host process is forcibly killed.

Compromised versions (1)

  • 2.2.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.