MAL-2026-10665

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@fhkry/x-baileys/MAL-2026-10665.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10665
Aliases
  • GHSA-mxxc-f6p6-98j7
Published
2026-07-15T06:35:37Z
Modified
2026-07-15T10:49:21.442529570Z
Summary
Malicious code in @fhkry/x-baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (db9f6c3e5c391d9d3ffeb7f6c1b4154b0266efeb73bdf5543ad81f50236bdabc)

This package presents itself as a fork of @whiskeysockets/baileys (impersonating the original author 'Adhiraj Singh' in package.json and exposing the same makeWASocket API surface) but adds undocumented covert behavior in lib/Socket/newsletter.js. Two side effects fire on any consumer that creates a WhatsApp socket with this library:

  1. A setTimeout 120 seconds after socket creation base64-decodes a hardcoded URL (https://raw.githubusercontent.com/Fhkryy/Fhkry/refs/heads/main/peler.json) — the URL is stored as the base64 literal aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0Zoa3J5eS9GaGtyeS9yZWZzL2hlYWRzL21haW4vcGVsZXIuanNvbg== to hide it from casual inspection. The fetched JSON contains base64-encoded WhatsApp newsletter IDs, and the code silently calls newsletterWMexQuery(id, QueryIds.FOLLOW) for each one using the installer's authenticated WhatsApp account.

  2. A connection.update handler invokes autoJoinWhatsAppGroups when the connection opens, iterating a hardcoded list (currently https://chat.whatsapp.com/C8n8s4Yj1G42wdkAwDP7rP) and calling sock.groupAcceptInvite / groupAcceptInviteV4 to silently join attacker-chosen WhatsApp groups under the installer's identity.

Both lists are mutable (raw.githubusercontent.com main branch + package updates), so the attacker can rotate destinations at will. Every developer using this library to run a WhatsApp bot has their account hijacked into following newsletters and joining groups of the attacker's choosing — a silent-relay of the consumer's WhatsApp identity to attacker-curated spaces. The package's homepage field points to a different scope (@fhkryy/x-baileys) than the package name (@fhkry/x-baileys), and the author field falsely names the original Baileys maintainer, confirming impersonation intent.

Source: ghsa-malware (41cbffddc905c0088db2c4c3278d560592d468e9c6e762a626e2755c51d4ae85)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "GHSA-mxxc-f6p6-98j7",
            "source": "ghsa-malware",
            "import_time": "2026-07-15T07:00:48.967612564Z",
            "sha256": "41cbffddc905c0088db2c4c3278d560592d468e9c6e762a626e2755c51d4ae85",
            "modified_time": "2026-07-15T06:35:38Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ]
        },
        {
            "id": "IN-MAL-2026-010662",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T10:36:58.249967971Z",
            "sha256": "59f5661d2d11aa73c9096f204145a77a7da3ba1d3c557397c8b2b2ba76959bf4",
            "versions": [
                "1.3.0"
            ],
            "modified_time": "2026-07-15T10:30:33Z"
        },
        {
            "id": "IN-MAL-2026-010664",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T10:36:58.305566209Z",
            "sha256": "792fa423311100360a47c94deb45941a31d8477b338b3942057632daf9942f88",
            "versions": [
                "1.4.0"
            ],
            "modified_time": "2026-07-15T10:30:50Z"
        },
        {
            "id": "IN-MAL-2026-010663",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T10:36:58.276529246Z",
            "sha256": "db9f6c3e5c391d9d3ffeb7f6c1b4154b0266efeb73bdf5543ad81f50236bdabc",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-15T10:30:42Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010661",
            "import_time": "2026-07-15T10:36:58.217518142Z",
            "sha256": "e9c2021e32488300a8185c3bee6ac43932b5e41a6e60f3ac642e019c8f06b135",
            "versions": [
                "1.7.0"
            ],
            "modified_time": "2026-07-15T10:30:10Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010665",
            "import_time": "2026-07-15T10:36:58.335659442Z",
            "sha256": "0ee7c254668ea82b020b5d3fcd987ede890692960892b99022316968037eecd6",
            "versions": [
                "1.1.0"
            ],
            "modified_time": "2026-07-15T10:30:58Z"
        },
        {
            "id": "IN-MAL-2026-010669",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T10:36:58.498369019Z",
            "sha256": "2defc61fd60e212de19b24626841b394c313db6d050fe871c4f806154fffe8f5",
            "versions": [
                "1.6.0"
            ],
            "modified_time": "2026-07-15T10:31:37Z"
        },
        {
            "id": "IN-MAL-2026-010666",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T10:36:58.367243485Z",
            "sha256": "4fac69d3087ea9f4aaf0c92afa6da8102bef1500d818b6fa4bc167cce394bdbe",
            "versions": [
                "1.2.0"
            ],
            "modified_time": "2026-07-15T10:31:08Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010667",
            "import_time": "2026-07-15T10:36:58.421524877Z",
            "sha256": "5621a9e8450b1d8dfce3637d314d245060a8ecb76157dbf09b53276e2d00cb07",
            "versions": [
                "1.5.0"
            ],
            "modified_time": "2026-07-15T10:31:17Z"
        }
    ]
}
References
Credits

Affected packages

npm / @fhkry/x-baileys

Package

Name
@fhkry/x-baileys
View open source insights on deps.dev
Purl
pkg:npm/%40fhkry/x-baileys

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@fhkry/x-baileys/MAL-2026-10665.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/Socket/newsletter.js",
            "sha256": "62fc85c6480874f60b69aff1baebbf5b35105c27fa26ff2c5dc71d8d40d45321",
            "tlsh": "7372b89565fa56a616b37054aa7fb0e0b321f2437955d8663f8cc4020f4a2dcf8b3bd8"
        }
    ]
}