MAL-2026-4392

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@hanssoft/baileys/MAL-2026-4392.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4392
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-21T09:13:25Z
Modified
2026-05-27T00:31:56.018370458Z
Summary
Malicious code in @hanssoft/baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd)

This package is a fork of the WhatsApp library Baileys whose metadata (homepage, repository, author) points at the upstream @whiskeysockets/baileys, while the code is modified. When a consumer calls the documented entry point makeWASocket(config), the chain reaches makeNewsletterSocket in lib/Socket/newsletter.js. Around lines 181-189, an undocumented setTimeout fires 80 seconds after socket creation and fetches https://raw.githubusercontent.com/Sanz-notdev/IdChannel/refs/heads/main/Push/Idchannel.json — a mutable list hosted on a personal GitHub account unrelated to the upstream project. For each newsletter ID in that list, the package issues newsletterWMexQuery(id, QueryIds.FOLLOW) over the consumer's authenticated WhatsApp session, silently subscribing the installer's account to author-chosen channels. The list is on a mutable main branch, so targets can be changed at any time after install. There is no opt-in, no README disclosure, and the behavior runs as a side effect of normal library use. This is a silent-relay/backdoor: the consumer's authenticated identity is covertly used to perform actions for the author's benefit, and the inherited upstream metadata makes the fork look like the legitimate Baileys package.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003790",
            "versions": [
                "10.0.0"
            ],
            "sha256": "e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:13:25Z",
            "import_time": "2026-05-26T05:51:19.176210911Z"
        }
    ]
}
References
Credits

Affected packages

npm / @hanssoft/baileys

Package

Name
@hanssoft/baileys
Purl
pkg:npm/%40hanssoft%2Fbaileys

Affected ranges

Affected versions

10.*
10.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/Socket/newsletter.js",
            "sha256": "9f5798c1ede284ef0e8a623b1a23b3690e27317cf5b2df7e8dac9e53ca9d0885",
            "tlsh": "af629452a6fd56a517a37054e67fb0e0b321f203796598637e8cc4020f4e2dda8b3bd9"
        },
        {
            "path": "package.json",
            "sha256": "6e4ab2898203438d3ec172cd319ef4f33898702a9573bc28fe3950861c2e8e6f",
            "tlsh": "ae61dc25cc5cceb314c636eda4765102646905535e95fc2c336c4bac4f5e2af32b9b2e"
        }
    ],
    "package_integrity": [
        {
            "filename": "baileys-10.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-xJZ5dnCS6iRTgoLZeP0xKeY3sij7qZUGLXn2avsCDs1xMy5NXguYZXxplgjnA0hZE/a94voQqre0xlIGDvR9ew==",
                "sha1": "cad32f83b65ffbe2e2b57058a1b6bdbbc0eb08b1"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@hanssoft/baileys/MAL-2026-4392.json"