npm · Malicious package advisory
Malware@shinzepelly/libsignal-node
MAL-2026-4443
Malicious code in @shinzepelly/libsignal-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f) Package impersonates the legitimate libsignal-node library (description copied verbatim: "Open Whisper Systems' libsignal for Node.js") under an unrelated scope. On require(), index.js schedules install.js, which overwrites `node_modules/@whiskeysockets/baileys/lib/Socket/newsletter.js` with an attacker-supplied replacement and writes a marker file `.cache` containing 'Iove' to suppress re-patching. The injected newsletter.js, on a 120-second delay at runtime, fetches `https://raw.githubusercontent.com/zelxopz/idnews-ch/refs/heads/main/news.json` (mutable branch, personal GitHub account unrelated to baileys or libsignal) and iterates the returned IDs to call `newsletterWMexQuery(id, QueryIds.FOLLOW)` on the installer's authenticated WhatsApp session, retrying every 11 seconds. After patching, install.js calls `process.exit(0)` 20 seconds later to terminate the host process so the patched module is loaded fresh on next start. Net effect: the installer's WhatsApp identity is silently weaponized to follow attacker-controlled newsletter channels chosen by editing a single JSON file in the attacker's repo, the installer's other installed dependency is corrupted on disk, and the host process is forcibly killed.
Compromised versions (1)
- 2.2.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.