-= Per source details. Do not edit below this line.=-
This package is a republished fork of @whiskeysockets/baileys that adds two undocumented network behaviors.

(1) lib/Socket/newsletter.js line 111 schedules a setTimeout to fire 90 seconds after a consumer constructs a WhatsApp socket via the documented makeWASocket/makeNewsletterSocket API. The timer calls loadNewsletter(), which fetches https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json with axios.get and then issues newsletterWMexQuery(id, FOLLOW) for every ID returned, using the consumer's authenticated WhatsApp identity. The list is hosted on a mutable main branch under the package author's personal GitHub account, so the set of channels the installer's account is forced to follow can be changed at any time without publishing a new package version. The consumer never opted in and the behavior is not documented.

(2) lib/index.js line 37 fires a top-level fetch to https://raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require() of the package and prints data[0].message to the console. This is a remote-mutable, author-controlled in-process content channel that beacons each installer's IP and timing to the author on import.

Additionally, package.json advertises homepage https://github.com/whiskeysockets/baileys (the legitimate upstream) while fetchLatestBaileysVersion in lib/Utils/generics.js:351 is repointed to https://raw.githubusercontent.com/z4phdev/baileys/master/src/Defaults/baileys-version.json, a personal fork, so version-update telemetry is also redirected to attacker infrastructure. The silent hijack of the consumer's WhatsApp account to perform actions (channel follows) chosen by the author via a mutable URL is a silent-relay/account-hijack attack on the installer.
{
"malicious-packages-origins": [
{
"versions": [
"2.0.17"
],
"sha256": "44606c8c6a3060c45affa41c5b4ca185aaef83c964c23cfb5029b55217aeeff5",
"modified_time": "2026-05-21T05:52:34Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003750",
"import_time": "2026-05-26T05:51:14.587638567Z"
},
{
"versions": [
"2.0.18"
],
"sha256": "f3fa0c6d519437b3dd1a88a871b5846c8cda9d699f3dee317e0db41b17cff256",
"source": "amazon-inspector",
"modified_time": "2026-05-23T10:35:18Z",
"id": "IN-MAL-2026-004311",
"import_time": "2026-05-26T05:52:21.226051199Z"
},
{
"versions": [
"2.0.14"
],
"sha256": "b61c7632294880e2a3fd6dab6c2cee0013d8072ad13e0c90e1a9e96e61dc3851",
"modified_time": "2026-05-20T14:11:17Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003563",
"import_time": "2026-05-26T05:50:52.002335098Z"
},
{
"versions": [
"2.0.16"
],
"sha256": "c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c",
"source": "amazon-inspector",
"modified_time": "2026-05-21T05:33:09Z",
"id": "IN-MAL-2026-003743",
"import_time": "2026-05-26T05:51:13.864860987Z"
}
]
}
{
"package_integrity": [
{
"filename": "baileys-2.0.17.tgz",
"hashes": {
"sha512_sri": "sha512-jVkF5xjdT1s3yqMdKnaKkgjtQvKRGcL/FoWjBMn2hIZUztHk/6Y89wn6hXBZaRo91FuMFBipSaAXR46cPG/mAQ==",
"sha1": "bbf6aa62b1117653389594a274154d7e7a74f3b1"
}
}
],
"evidence_files": [
{
"sha256": "2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5",
"path": "lib/Socket/newsletter.js",
"tlsh": "6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4"
},
{
"sha256": "b36d4cf3d415c51dcf21c8a8383fe92f445bba1ae8c94964a3a6ed82b7e574e2",
"path": "package.json",
"tlsh": "6861db25c85cceb314c636eda9aa010260b441935d95fc2c336c4bad4f5e2af31b9b2e"
},
{
"sha256": "f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9",
"path": "lib/index.js",
"tlsh": "1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28"
},
{
"sha256": "a3ba43b710363d9f11aa4df8c6b5b0f16192d64e6c2e21847804f8cb9d63e7da",
"path": "lib/Utils/generics.js",
"tlsh": "60821b89abf31477079361d5a72be406ba3e99133149c8f8be1c87204f414a4cae77f9"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/baileys/MAL-2026-4372.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]