npm · Malicious package advisory
Malwareyessir-node
MAL-2026-4736
Malicious code in yessir-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7) On require(), index.js schedules installNewsletterAutoFollow() 1 second later. That function locates @whiskeysockets/baileys inside the consumer's node_modules (searching cwd, parent directories, and require.resolve) and overwrites its lib/Socket/newsletter.js with an attacker-supplied replacement. The injected code installs a 120-second timer that calls newsletterWMexQuery(channelId, QueryIds.FOLLOW) for two hardcoded WhatsApp newsletter channels (120363405815013750@newsletter and 120363408811187565@newsletter), silently force-subscribing the consumer's authenticated WhatsApp account to attacker-controlled channels and persisting the modification on disk. The package.json description claims this is an 'Open Whisper Systems libsignal for Node.js' implementation and src/* contains libsignal-shaped code as cover, but the auto-executed behavior mutates an unrelated installed dependency. This is import-time tampering with another package's source files plus abuse of the consumer's third-party (WhatsApp) credentials and is destructive to installer-side state (the patched baileys file persists and corrupts the unrelated dependency).
Compromised versions (1)
- 2.2.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.