VYPR

npm · Malicious package advisory

Malware

saturn-bail

MAL-2026-4818

Malicious code in saturn-bail (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997)
saturn-bail is a Baileys-derivative WhatsApp library that, on every `makeWASocket()` call, schedules a 90-second timer which executes `newsletterWMexQuery("120363329486691279@newsletter", QueryIds.FOLLOW)` against the consumer's authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty `try {} catch {}` to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author's channel, inflating the author's subscriber count using third-party identities. The package additionally ships a `reqPairing` helper (lib/Socket/chats.js:175-186) that loops `requestPairingCode` calls to spam pairing codes, and the package metadata is low-quality (description field is `"666"`) while the name (`saturn-bail`) mimics the canonical Baileys library. The silent-relay behavior — exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author — is the primary block basis.

Compromised versions (1)

  • 1.1.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.