-= Per source details. Do not edit below this line.=-
Package @budetzzgantenk/baileys is a modified fork of @whiskeysockets/baileys that adopts the upstream's homepage (https://github.com/whiskeysockets/baileys) and author name (Adhiraj Singh) in package.json while adding undocumented behavior.

When a consumer constructs a socket via the main API (makeWASocket → makeNewsletterSocket), lib/Socket/newsletter.js:108-122 schedules a 90-second-delayed axios.get('https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json') and issues a FOLLOW newsletterWMexQuery for every newsletter ID returned, using the caller's authenticated WhatsApp identity. The list is hosted on the author's personal GitHub on a mutable branch, so the author can add or remove targeted newsletters at any time without republishing.

Separately, lib/index.js:37 fires a fetch to raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require() and console-logs the response. This is currently log-only, but it provides the author with install-time telemetry via GitHub repo traffic logs and with another mutable message channel.

The combination of (a) borrowing upstream identity to attract installers seeking the legitimate Baileys, (b) silently relaying caller-supplied authenticated identity into author-controlled FOLLOW actions, and (c) the mutable hosting of the target list constitutes a silent-relay supply-chain attack: normal use of the library's advertised API silently exercises the caller's account on the author's behalf.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-23T11:13:18Z",
"versions": [
"2.0.17"
],
"sha256": "81b1fbb4415cf2858924d511ef2bf96ad5152dda4537a264f45d1b4d847ba25d",
"id": "IN-MAL-2026-004313",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:21.450438019Z"
}
]
}
{
"evidence_files": [
{
"sha256": "2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5",
"tlsh": "6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4",
"path": "lib/Socket/newsletter.js"
},
{
"sha256": "77420497c8b8389516a0a6eb2a0e7a6852971220c7a3bf36322b3a1f19245ce9",
"tlsh": "2c61db25c85cceb314c636eda8aa010260b441535d95fc2c336c4bad4f5e2af31b9b2e",
"path": "package.json"
},
{
"sha256": "f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9",
"tlsh": "1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28",
"path": "lib/index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-dNLacmHNkdr1RwSonSd8xaAaw1oklNfYXYRv6xXETaxGtcBLoJD4HjIsLU6L9rd/Rpx4RznSKcf8v2iXwN38Qw==",
"sha1": "5916323f0b228dd2a536383d70f0d09bb826982a"
},
"filename": "baileys-2.0.17.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzzgantenk/baileys/MAL-2026-4374.json"