MAL-2026-4393

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hanssoft/libsignal-node/MAL-2026-4393.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4393

Published

2026-05-21T08:54:59Z

Modified

2026-05-26T06:01:49.935281963Z

Summary

Malicious code in @hanssoft/libsignal-node (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a)

Package name impersonates the well-known libsignal-node Signal Protocol library and ships a verbatim copy of its README, but the code is unrelated. On require, index.js schedules require('./install').installNewsletterAutoFollow() via setTimeout. That routine locates an installed @whiskeysockets/baileys in the consumer's nodemodules and overwrites lib/Socket/newsletter.js with attacker-authored source (fs.writeFileSync(newsletterPath, MODIFIED_NEWSLETTER_JS)). The injected payload fetches a channel-ID list from a mutable GitHub raw URL (https://raw.githubusercontent.com/hanssoft-studio/channelid/refs/heads/main/idch.json) and silently issues newsletterWMexQuery(id, QueryIds.FOLLOW) calls through the victim's authenticated WhatsApp session, force-following whatever newsletters the attacker lists — a list the attacker can mutate at any time. After patching, the installer writes a .cache sentinel inside baileys' nodemodules and calls process.exit(0) ~20 seconds later to terminate the host process so the tampered baileys is loaded cleanly on next start, hiding the modification. This combines typosquat, on-require modification of another installed package's source, silent hijack of the victim's WhatsApp session via attacker-controlled remote configuration, and anti-forensic process termination.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:51:18.595800187Z",
            "versions": [
                "3.0.4"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003785",
            "modified_time": "2026-05-21T08:54:59Z",
            "sha256": "063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a"
        }
    ]
}

References

https://www.npmjs.com/package/@hanssoft/libsignal-node/v/3.0.4

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @hanssoft/libsignal-node

Package

Name: @hanssoft/libsignal-node; View open source insights on deps.dev
Purl: pkg:npm/%40hanssoft%2Flibsignal-node

Affected ranges

Affected versions

3.*

3.0.4

Database specific

indicators

{
    "evidence_files": [
        {
            "tlsh": "ef11274e6fe6f2a875a3b6c54e76d00a7527d083624c4120b19d5ad38bd10d48e52ca7",
            "sha256": "6a17b62e9957897840e86781cd95d865bddb625fbc18002470288c934b996528",
            "path": "index.js"
        },
        {
            "tlsh": "4e72b39665fb67a917a37054a67fb0e0b324f243751598627e8c90020f4a29ce9f3bd8",
            "sha256": "f53e8045e6f7ed1a6fa7db1aa8e4ce7285f33a50864bed027e6e21ee11676fa5",
            "path": "install.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-MyBKcjTUrVPb17++LYu518ErIgM6JGcE+b8GZxddEnwNEK2Ga3QJaZDA2mRiCJ2v5JgSSBCUcUdxXmI06mGhRg==",
                "sha1": "6612ae8d7cb2ed909a4897360797fb5e586ba04d"
            },
            "filename": "libsignal-node-3.0.4.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hanssoft/libsignal-node/MAL-2026-4393.json"

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]