npm · Malicious package advisory
Malwareshizukyu
MAL-2026-4806
Malicious code in shizukyu (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449)
The package exports a single function shizukuCh(socket) that accepts a caller's authenticated Baileys WhatsApp socket and invokes socket.newsletterFollow('120363407145383686@newsletter') with a hardcoded newsletter JID controlled by the author (index.js:4). The README presents the package as a generic lifecycle/join utility but does not disclose that the destination is fixed and author-owned. Any consumer who wires this into their connection.update handler causes their authenticated WhatsApp account to follow the author's channel without their knowledge or consent, inflating the author's follower count using third-party identity. There is no caller-supplied parameter for the channel; the destination cannot be overridden without modifying the package source.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.