MAL-2026-4372

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/baileys/MAL-2026-4372.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4372
Withdrawn
2026-05-26T20:55:39Z
Published
2026-05-20T14:11:17Z
Modified
2026-05-27T00:31:53.144659612Z
Summary
Malicious code in @budetzz/baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c)

This package is a republished fork of @whiskeysockets/baileys that adds two undocumented network behaviors.

(1) lib/Socket/newsletter.js line 111 schedules a setTimeout that fires 90 seconds after a consumer constructs a WhatsApp socket through the documented makeWASocket/makeNewsletterSocket API. The timer calls loadNewsletter(), which fetches https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json with axios.get and then issues newsletterWMexQuery(id, FOLLOW) for every ID returned, using the consumer's authenticated WhatsApp identity. The list is hosted on a mutable main branch under the package author's personal GitHub account, so the set of channels the installer's account is forced to follow can be changed at any time without publishing a new package version. The consumer never opted in, and the behavior is not documented.

(2) lib/index.js line 37 fires a top-level fetch to https://raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require() of the package and prints data[0].message to the console. This is a remote-mutable, author-controlled in-process content channel, and the request beacons each installer's IP address and import timing to the author.

Additionally, package.json advertises homepage https://github.com/whiskeysockets/baileys (the legitimate upstream), while fetchLatestBaileysVersion in lib/Utils/generics.js:351 is repointed to https://raw.githubusercontent.com/z4phdev/baileys/master/src/Defaults/baileys-version.json, a personal fork, so version-update telemetry is also redirected to attacker-controlled infrastructure.

Taken together, silently making the consumer's WhatsApp account perform actions (channel follows) chosen by the author through a mutable URL constitutes a silent-relay/account-hijack attack on the installer.
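The two indicators the analysis above relies on, raw.githubusercontent.com URLs that point at a GitHub owner other than the one advertised in package.json and that reference a mutable branch rather than a pinned commit, can be checked offline against an unpacked npm tarball. The following Node.js script is an added example for this advisory; it is not code from the package, from OSV or from Amazon Inspector. The fixture files are constructed from the URLs quoted in the advisory text and only imitate the described behavior; they are not the package's actual source. Nothing is fetched over the network.

```javascript
// Offline audit of an unpacked npm package for author-controlled, remotely
// mutable content URLs. Added example for this advisory; not the package's code.

// Matches raw.githubusercontent.com/<owner>/<repo>/<rest>, where <rest> is
// either "<ref>/<path>" or "refs/heads/<branch>/<path>".
const RAW_GH = /https?:\/\/raw\.githubusercontent\.com\/([\w.-]+)\/([\w.-]+)\/([^\s"'`)]+)/g;

// Split one raw.githubusercontent.com URL into owner/repo/ref/path and decide
// whether the ref is immutable (a 40-hex commit SHA) or rewritable by the repo owner.
function parseRawGithubUrl(url) {
  const m = new RegExp(RAW_GH.source).exec(url);
  if (!m) return null;
  const [, owner, repo, rest] = m;
  const segs = rest.split('/');
  let ref, path;
  if (segs[0] === 'refs' && segs[1] === 'heads') {
    ref = segs[2];
    path = segs.slice(3).join('/');
  } else {
    ref = segs[0];
    path = segs.slice(1).join('/');
  }
  const pinned = /^[0-9a-f]{40}$/i.test(ref);
  return { url, owner: owner.toLowerCase(), repo, ref, path, pinned };
}

// All raw.githubusercontent.com URLs embedded in one source file.
function extractRawGithubUrls(source) {
  const out = [];
  for (const m of source.matchAll(RAW_GH)) {
    const parsed = parseRawGithubUrl(m[0]);
    if (parsed) out.push(parsed);
  }
  return out;
}

// GitHub owner named by a package.json homepage or repository URL.
function githubOwnerOf(urlString) {
  const m = /github\.com\/([\w.-]+)\//i.exec(urlString || '');
  return m ? m[1].toLowerCase() : null;
}

// files: { relativePath: contents } for the unpacked tarball. Flags every URL in a
// .js file whose owner differs from the advertised owner or whose ref is mutable.
function auditPackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const advertised = githubOwnerOf(pkg.homepage) ||
    githubOwnerOf(pkg.repository && pkg.repository.url);
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    if (!file.endsWith('.js')) continue;
    for (const u of extractRawGithubUrls(src)) {
      const reasons = [];
      if (advertised && u.owner !== advertised) reasons.push(`owner ${u.owner} != advertised ${advertised}`);
      if (!u.pinned) reasons.push(`mutable ref ${u.ref}`);
      if (reasons.length) findings.push({ file, url: u.url, reasons });
    }
  }
  return { advertised, findings };
}

// Constructed fixture modelled on the files named in the advisory (not the real source).
const FIXTURE = {
  'package.json': JSON.stringify({
    name: '@budetzz/baileys',
    version: '2.0.17',
    homepage: 'https://github.com/whiskeysockets/baileys',
  }),
  'lib/index.js': `fetch("https://raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json")
  .then(r => r.json()).then(d => console.log(d[0].message));`,
  'lib/Socket/newsletter.js': `setTimeout(() => axios.get("https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json"), 90000);`,
  'lib/Utils/generics.js': `const VERSION_URL = "https://raw.githubusercontent.com/z4phdev/baileys/master/src/Defaults/baileys-version.json";`,
  // Control case: upstream owner, pinned to a commit SHA; must not be flagged.
  'lib/Defaults/pinned.js': `const OK = "https://raw.githubusercontent.com/whiskeysockets/baileys/0123456789abcdef0123456789abcdef01234567/src/Defaults/baileys-version.json";`,
};

console.log(JSON.stringify(auditPackage(FIXTURE), null, 2));
```

On the fixture this reports three findings (lib/index.js, lib/Socket/newsletter.js, lib/Utils/generics.js), each failing both checks, and nothing for the pinned upstream URL. The owner comparison catches the homepage spoofing described above; the pinned-ref check catches the mutable-branch property independently of who owns the repository, which matters because a benign-looking owner can still rewrite a branch at any time.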

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.17"
            ],
            "sha256": "44606c8c6a3060c45affa41c5b4ca185aaef83c964c23cfb5029b55217aeeff5",
            "modified_time": "2026-05-21T05:52:34Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003750",
            "import_time": "2026-05-26T05:51:14.587638567Z"
        },
        {
            "versions": [
                "2.0.18"
            ],
            "sha256": "f3fa0c6d519437b3dd1a88a871b5846c8cda9d699f3dee317e0db41b17cff256",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T10:35:18Z",
            "id": "IN-MAL-2026-004311",
            "import_time": "2026-05-26T05:52:21.226051199Z"
        },
        {
            "versions": [
                "2.0.14"
            ],
            "sha256": "b61c7632294880e2a3fd6dab6c2cee0013d8072ad13e0c90e1a9e96e61dc3851",
            "modified_time": "2026-05-20T14:11:17Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003563",
            "import_time": "2026-05-26T05:50:52.002335098Z"
        },
        {
            "versions": [
                "2.0.16"
            ],
            "sha256": "c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T05:33:09Z",
            "id": "IN-MAL-2026-003743",
            "import_time": "2026-05-26T05:51:13.864860987Z"
        }
    ]
}

Affected packages

npm / @budetzz/baileys

Package

Name
@budetzz/baileys
Purl
pkg:npm/%40budetzz%2Fbaileys

Affected ranges

Affected versions

2.*
2.0.14
2.0.16
2.0.17
2.0.18

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "baileys-2.0.17.tgz",
            "hashes": {
                "sha512_sri": "sha512-jVkF5xjdT1s3yqMdKnaKkgjtQvKRGcL/FoWjBMn2hIZUztHk/6Y89wn6hXBZaRo91FuMFBipSaAXR46cPG/mAQ==",
                "sha1": "bbf6aa62b1117653389594a274154d7e7a74f3b1"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5",
            "path": "lib/Socket/newsletter.js",
            "tlsh": "6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4"
        },
        {
            "sha256": "b36d4cf3d415c51dcf21c8a8383fe92f445bba1ae8c94964a3a6ed82b7e574e2",
            "path": "package.json",
            "tlsh": "6861db25c85cceb314c636eda9aa010260b441935d95fc2c336c4bad4f5e2af31b9b2e"
        },
        {
            "sha256": "f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9",
            "path": "lib/index.js",
            "tlsh": "1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28"
        },
        {
            "sha256": "a3ba43b710363d9f11aa4df8c6b5b0f16192d64e6c2e21847804f8cb9d63e7da",
            "path": "lib/Utils/generics.js",
            "tlsh": "60821b89abf31477079361d5a72be406ba3e99133149c8f8be1c87204f414a4cae77f9"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/baileys/MAL-2026-4372.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]