VYPR

npm · Malicious package advisory

Malware

hiura-baileys

MAL-2026-4578

Malicious code in hiura-baileys (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5ebb60061f29d4f4279bca1129ebfccefb928bd22364f26961205935ff71393f)
This is a fork of the Baileys WhatsApp library that adds undocumented behavior abusing the consumer's authenticated WhatsApp account for the author's benefit. When a consumer creates a socket via the package's exported makeWASocket(), lib/Socket/newsletter.js installs a connection.update handler plus a setInterval that fires every 5 minutes and forces the consumer's WhatsApp account to FOLLOW four hardcoded newsletter JIDs (120363427799422972@newsletter, 120363406211814115@newsletter, 120363421855151554@newsletter, and a fourth JID hidden as a hex blob and decrypted at runtime). A messages.upsert listener additionally auto-reacts with random emoji to every message from the hidden newsletter JID, manufacturing engagement on the author's channel using the caller's account. The hidden JID is concealed via a custom AES-256-CBC helper (lib/Utils/hiura-crypto-utils.js) keyed off the string 'hiura-baileys-1.0', with deliberately cryptic function names (sudahBasibasiAjaLu, minimalKaloMauDecryptYangPinterDek) and an in-source comment 'You'll never find what this does - Nimzz' confirming covert intent. The custom crypto helper exists solely to hide one constant. This is silent-relay: a hardcoded destination the API caller did not choose, routing the caller's WhatsApp account state to the author for subscriber/engagement growth.

Compromised versions (3)

  • 1.0.1
  • 1.0.3
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.