npm · Malicious package advisory
Malwarechromestaff-baileys
MAL-2026-4519
Malicious code in chromestaff-baileys (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4d5fad12014025f37f607a61051a445262f37bcee6682850dfd77cc0dcb0b486)
chromestaff-baileys is a fork of the Baileys WhatsApp library that, on every successful WhatsApp connection, silently forces the connected user's WhatsApp account to follow a hardcoded author-controlled newsletter (`120363418582531215@newsletter`). In `lib/Socket/socket.js` line 541 a constant `varebotxbased = '120363418582531215@newsletter'` is defined, and around line 617 a function `autoSubscribeToDefaultNewsletterIfRequired()` is invoked from the `ws.on('CB:success',...)` handler, calling `followNewsletterWMex(varebotxbased, timeoutMs)`. The action is undocumented, gated by a `creds.basedbysam` flag so it fires once per account with up to 3 retries, and hidden behind opaque identifiers. Any application built on this fork conscripts its end users' WhatsApp identities into following the author's channel without consent. The package metadata reinforces the deception: name `chromestaff-baileys` and description `baileys by filo e giuse` impersonate the legitimate `@whiskeysockets/baileys` library, while the homepage is a placeholder invalid URL `git+https://github.com/precisione.git`. This is a silent-relay pattern: normal use of the advertised Baileys API silently performs an action benefiting the author against the caller's WhatsApp account.
Compromised versions (1)
- 1.1.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.