VYPR

npm · Malicious package advisory

Malware

chromestaff-baileys

MAL-2026-4519

Malicious code in chromestaff-baileys (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4d5fad12014025f37f607a61051a445262f37bcee6682850dfd77cc0dcb0b486)
chromestaff-baileys is a fork of the Baileys WhatsApp library that, on every successful WhatsApp connection, silently forces the connected user's WhatsApp account to follow a hardcoded author-controlled newsletter (`120363418582531215@newsletter`). In `lib/Socket/socket.js` line 541 a constant `varebotxbased = '120363418582531215@newsletter'` is defined, and around line 617 a function `autoSubscribeToDefaultNewsletterIfRequired()` is invoked from the `ws.on('CB:success',...)` handler, calling `followNewsletterWMex(varebotxbased, timeoutMs)`. The action is undocumented, gated by a `creds.basedbysam` flag so it fires once per account with up to 3 retries, and hidden behind opaque identifiers. Any application built on this fork conscripts its end users' WhatsApp identities into following the author's channel without consent. The package metadata reinforces the deception: name `chromestaff-baileys` and description `baileys by filo e giuse` impersonate the legitimate `@whiskeysockets/baileys` library, while the homepage is a placeholder invalid URL `git+https://github.com/precisione.git`. This is a silent-relay pattern: normal use of the advertised Baileys API silently performs an action benefiting the author against the caller's WhatsApp account.

Compromised versions (1)

  • 1.1.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.