MAL-2026-4369

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@blckrose/baileys/MAL-2026-4369.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4369
Withdrawn
2026-05-26T20:55:39Z
Published
2026-05-23T01:14:12Z
Modified
2026-05-27T00:31:53.138462536Z
Summary
Malicious code in @blckrose/baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d)

This package is a fork of the Baileys WhatsApp Web library that ships three undisclosed behaviors which benefit the publisher at the installer's expense.

(1) lib/Socket/socket.js lines 597-599 override requestPairingCode() to use a fixed default pairing code 'BLCKRO53' (assembled from a char-code array [66,76,67,75,82,79,53,51] to obfuscate the literal) whenever the caller does not supply a custom code, while upstream Baileys generates a random per-attempt code. The same code is printed on every load by the import-time banner in lib/index.js ('Pairing Code: BLCKRO53'). Anyone who knows this value — including the publisher — can enter it on whatsapp.com to link as a companion device to any installer's WhatsApp session, giving full read/write access to that account.

(2) lib/Socket/newsletter.js line 54 hardcodes AUTOFOLLOWJID = '120363406005175144@newsletter' and the connection.update handler at lines 67-75 silently issues a FOLLOW WMex query against that newsletter on every successful connection, using the installer's authenticated WhatsApp identity to follow a publisher-controlled channel without consent or disclosure.

(3) lib/Defaults/index.js line 138 sets DONATE_URL = 'https://saweria.co/itsliaaa' (the publisher's donation page) and lib/Utils/rich-message-utils.js line 289 uses it as the fallback URL for any link entry the caller leaves unset, injecting the publisher's donation page into outgoing messages with source labels 'Saweria' / 'For Donation via Saweria'.

The package name @blckrose/baileys, the verbatim copy of upstream's description ('A WebSockets library for interacting with WhatsApp Web'), and the 'Modified Edition' banner that does not disclose any of these behaviors make this a repackage that masquerades as the upstream library while inserting a session-hijack backdoor.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004277",
            "import_time": "2026-05-26T05:52:17.33808254Z",
            "sha256": "17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T01:15:26Z",
            "versions": [
                "2.0.6"
            ]
        },
        {
            "id": "IN-MAL-2026-004276",
            "versions": [
                "2.0.7"
            ],
            "sha256": "499596d2093ecf829e71408f945fabf8175d1f08ea068150054d5dea89fd3307",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T01:14:12Z",
            "import_time": "2026-05-26T05:52:17.237643399Z"
        }
    ]
}
References
Credits

Affected packages

npm / @blckrose/baileys

Package

Name
@blckrose/baileys
Purl
pkg:npm/%40blckrose%2Fbaileys

Affected ranges

Affected versions

2.*
2.0.6
2.0.7

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/Socket/socket.js",
            "sha256": "be0128764a3223eecae9adc37b37e864f44b4c84ee71da841e89b2c988f9fc31",
            "tlsh": "eb03a42b56f3053a9a37b0766b2ba0213335c0077644dca47f9c8314af8a668d5e77dd"
        },
        {
            "path": "lib/Socket/newsletter.js",
            "sha256": "d163e360b649838b0083e3e3cf8925c30b1570c2bcdd7af2a0e3d1b783908557",
            "tlsh": "7542107618b653a126e3f46c156fb0d1b225b143391a9c46bf8ca1110fce1dcf9b27e8"
        },
        {
            "path": "lib/Utils/rich-message-utils.js",
            "sha256": "34903a9bbbbb3e1a4c363af8a6e68d2ecc4e4ebd5896336059006ee962530b56",
            "tlsh": "7372265968b1191e4253b8767acff004e328a0037808bd35bfccae64af9e0a765f57d5"
        },
        {
            "path": "lib/index.js",
            "sha256": "4958a7b3fc2e1df7ed5d7bbe4bc110cba2fc74419d4bb35771111748c0b48ae7",
            "tlsh": "ed3168320c6e4730b131c49c8a0bc501e6e37f5bbf515a492a99373ad7cd2413c8ea7a"
        }
    ],
    "package_integrity": [
        {
            "filename": "baileys-2.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-WUdd6B7csVrQamWh47wqAiweA6hJH9nvdnAMVX/J8rg+xOWASnA3klaF8WRjuhD4IAv+zSPeC0sH4BhgK9G45g==",
                "sha1": "fdb441c91806c48e071daa31797d07bcac13efdd"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@blckrose/baileys/MAL-2026-4369.json"