The package is published under the name @budetzz/libsignal-node, impersonating the well-known libsignal Signal-protocol library, but its homepage and code are a fork of Baileys (the WhatsApp Web library; homepage: github.com/whiskeysockets/baileys). It additionally aliases libsignal to itself via "libsignal": "npm:@budetzz/libsignal-node", so any transitive dependency on libsignal resolves to this package.
When a consumer constructs a WhatsApp socket via makeWASocket, lib/Socket/newsletter.js schedules a 90-second timer that fetches a JSON list of WhatsApp newsletter IDs from a mutable, author-controlled GitHub URL (raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json) and issues a FOLLOW (newsletterWMexQuery(id, QueryIds.FOLLOW,...)) for each one using the installer's WhatsApp account, with no disclosure or opt-in. Because the URL is mutable, the author can rotate or grow the target list at any time, silently expanding the set of channels that every consumer's WhatsApp account is subscribed to.
In addition, lib/index.js:37 fetches raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require and prints data[0] to the terminal, giving the author a live channel into every consumer's process at module load (and leaking the consumer's IP address and user agent to that repository).
This is a silent relay: normal use of the advertised API hijacks the caller's identity (their WhatsApp account) for the author's benefit (reach and subscribers on attacker-chosen channels), under a deliberately misleading package name.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003780",
"import_time": "2026-05-26T05:51:17.990951802Z",
"sha256": "c2dbcccc761971dfc5f844f59f362fe32ee1e0b9a3cd91ddd4fc87be5c8b013a",
"source": "amazon-inspector",
"modified_time": "2026-05-21T08:19:33Z",
"versions": [
"2.0.15"
]
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "lib/Socket/newsletter.js",
"sha256": "2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5",
"tlsh": "6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4"
},
{
"path": "lib/index.js",
"sha256": "f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9",
"tlsh": "1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28"
},
{
"path": "package.json",
"sha256": "92d46dbc3b562430fd40a0b65d46e4c27d21e16d5996b37e190b73f8e3251b2d",
"tlsh": "0e61ec25cc5cceb314c636e9a8ba0102607441535d95fc2c336c4bad4f5e2af31b9b2e"
}
],
"package_integrity": [
{
"filename": "libsignal-node-2.0.15.tgz",
"hashes": {
"sha512_sri": "sha512-e+HiUBCCgSqPtX+UHf4Q3igYJ1rjaEkdfeXATnk4uAPwuHLWJBXIK4bPtRx/6SIY/PaqhlMYaL8a38tW0xoR1g==",
"sha1": "0b454b0460e29272e45660025f294aa49bbf223a"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/libsignal-node/MAL-2026-4373.json"