MAL-2026-4442

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@shadowmd/libsignal-node/MAL-2026-4442.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4442
Withdrawn
2026-05-26T20:55:39Z
Published
2026-05-21T09:36:47Z
Modified
2026-05-27T00:31:58.133629835Z
Summary
Malicious code in @shadowmd/libsignal-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (51bcabb5263ecf1f1259bd5969a921866dbb808da4fda7b9d7708baeb60c21e6)

Package name and description impersonate the Open Whisper Systems libsignal-node library. On require(), index.js schedules install.js, which locates an installed @whiskeysockets/baileys package in node_modules and overwrites lib/Socket/newsletter.js with attacker-supplied source via fs.writeFileSync. The injected newsletter.js contains a setTimeout that, 120 seconds after socket startup, issues a newsletter FOLLOW query for the hardcoded WhatsApp channel ID '120363407277177688@newsletter', silently subscribing every WhatsApp account managed by the host application to an attacker-controlled channel. After tampering, install.js writes a sentinel file named '.cache' containing 'Iove' inside Baileys' node_modules so the patch only runs once, then schedules process.exit(0) 20 seconds later to terminate the host process and obscure the modification timing. Modifying another installed package's source on require is an unambiguous supply-chain attack: any downstream user of the consuming application is silently coerced into following attacker content, and the integrity of the legitimate Baileys install is destroyed install-side.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "51bcabb5263ecf1f1259bd5969a921866dbb808da4fda7b9d7708baeb60c21e6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:36:47Z",
            "versions": [
                "8.6.59"
            ],
            "id": "IN-MAL-2026-003794",
            "import_time": "2026-05-26T05:51:19.607246082Z"
        }
    ]
}
References
Credits

Affected packages

npm / @shadowmd/libsignal-node

Package

Name
@shadowmd/libsignal-node
Purl
pkg:npm/%40shadowmd%2Flibsignal-node

Affected ranges

Affected versions

8.*
8.6.59

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@shadowmd/libsignal-node/MAL-2026-4442.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "7422596b00aa76336aca9defb9d7563e9bd4273940d72fd13f8436592665467f",
            "tlsh": "b772b49665fa67a917a37054a63fb0e0b324f243751598627f8cd0020f4a2dce8f3bd8",
            "path": "install.js"
        },
        {
            "sha256": "16d3225794c2f3eb93da9339e96b00633603c376a143d9a9bd44ebe25320a194",
            "tlsh": "35f0f020ca15dc3314c47a6a7c31490653a21c938994bd0c37ca950c8fae15f66fea6d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-EO16Yedz5UZ0B4r9DNb/HStKeWhpybHQqsCvASvCsHBvi8yuD+f/xYO0BeyYm4DLGRBwKCo4DDCLp3fhCkfy7w==",
                "sha1": "bb8594b63b4edbfde49c27d7c94cbf3c411977a2"
            },
            "filename": "libsignal-node-8.6.59.tgz"
        }
    ]
}