MAL-2026-4443

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@shinzepelly/libsignal-node/MAL-2026-4443.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4443
Withdrawn
2026-05-26T20:55:39Z
Published
2026-05-20T01:18:55Z
Modified
2026-05-27T00:31:58.121066842Z
Summary
Malicious code in @shinzepelly/libsignal-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f)

Package impersonates the legitimate libsignal-node library (description copied verbatim: "Open Whisper Systems' libsignal for Node.js") under an unrelated scope. On require(), index.js schedules install.js, which overwrites node_modules/@whiskeysockets/baileys/lib/Socket/newsletter.js with an attacker-supplied replacement and writes a marker file .cache containing 'Iove' to suppress re-patching. The injected newsletter.js, on a 120-second delay at runtime, fetches https://raw.githubusercontent.com/zelxopz/idnews-ch/refs/heads/main/news.json (mutable branch, personal GitHub account unrelated to baileys or libsignal) and iterates the returned IDs to call newsletterWMexQuery(id, QueryIds.FOLLOW) on the installer's authenticated WhatsApp session, retrying every 11 seconds. After patching, install.js calls process.exit(0) 20 seconds later to terminate the host process so the patched module is loaded fresh on next start. Net effect: the installer's WhatsApp identity is silently weaponized to follow attacker-controlled newsletter channels chosen by editing a single JSON file in the attacker's repo, the installer's other installed dependency is corrupted on disk, and the host process is forcibly killed.
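A check for the on-disk indicators described above, run against a project directory. This is an added example, not part of the advisory or of any vendor tooling. The function names and the constructed fixture are assumptions, and the `.cache` marker is not checked because the advisory does not give its location.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Indicators copied from the advisory text above.
const BAD_PKG = "@shinzepelly/libsignal-node";
const PATCH_TARGET = "node_modules/@whiskeysockets/baileys/lib/Socket/newsletter.js";
const FETCH_INDICATOR = "raw.githubusercontent.com/zelxopz/idnews-ch";

function readIfExists(file) {
  try { return fs.readFileSync(file, "utf8"); } catch { return null; }
}

// Scan one project root (the directory that holds node_modules) and return findings.
function scanProject(root) {
  const findings = [];
  const manifest = readIfExists(path.join(root, "node_modules", BAD_PKG, "package.json"));
  if (manifest !== null) {
    let version = "unknown";
    try { version = JSON.parse(manifest).version || "unknown"; } catch { /* unparsable manifest */ }
    findings.push({ type: "package-installed", detail: `${BAD_PKG}@${version}` });
  }
  const lock = readIfExists(path.join(root, "package-lock.json"));
  if (lock !== null && lock.includes(BAD_PKG)) {
    findings.push({ type: "lockfile-reference", detail: "package-lock.json" });
  }
  // The patched file stays on disk even if the malicious package is later removed.
  const newsletter = readIfExists(path.join(root, PATCH_TARGET));
  if (newsletter !== null && newsletter.includes(FETCH_INDICATOR)) {
    findings.push({ type: "baileys-patched", detail: PATCH_TARGET });
  }
  return findings;
}

// Constructed fixture (hypothetical helper): a throwaway tree, optionally with indicators planted.
function makeFixture(infected) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "mal-scan-"));
  const target = path.join(root, PATCH_TARGET);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, infected
    ? `// constructed sample\nconst SRC = "https://${FETCH_INDICATOR}/refs/heads/main/news.json";\n`
    : "// constructed sample of an unmodified file\n");
  if (infected) {
    const pkgDir = path.join(root, "node_modules", BAD_PKG);
    fs.mkdirSync(pkgDir, { recursive: true });
    fs.writeFileSync(path.join(pkgDir, "package.json"), JSON.stringify({ name: BAD_PKG, version: "2.2.4" }));
  }
  return root;
}

console.log(scanProject(makeFixture(true)));
```

A `baileys-patched` finding means the `@whiskeysockets/baileys` files on disk need to be reinstalled from the registry, since uninstalling the malicious package does not restore the overwritten file.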

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f",
            "id": "IN-MAL-2026-003354",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T01:18:55Z",
            "versions": [
                "2.2.4"
            ],
            "import_time": "2026-05-26T05:50:28.917541509Z"
        }
    ]
}

Affected packages

npm / @shinzepelly/libsignal-node

Package

Name
@shinzepelly/libsignal-node
Purl
pkg:npm/%40shinzepelly%2Flibsignal-node

Affected ranges

Affected versions

2.*
2.2.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@shinzepelly/libsignal-node/MAL-2026-4443.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "2c72b39665fb67a917a37054a67fb0e0b324f243751598627f8c90020f4a2dce8f3bd8",
            "sha256": "26814e382b0df5bd25177d75ad3449eee30cd79e5f7fa33f5312376afe07dfb8",
            "path": "install.js"
        },
        {
            "sha256": "61218213824c6fa703870f749a99544905aef604bb71424abb0cdf840b8e2d6c",
            "tlsh": "9af0f020cd259d3341c87a6a6c31084653a21c634994bd0c37ca940c8fae19f22bea6d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "libsignal-node-2.2.4.tgz",
            "hashes": {
                "sha1": "1c4ca8c861a03fa512fc4160cfbf450f1a13214e",
                "sha512_sri": "sha512-yeJbN4ZDYU6Xr4GeWI1nbdeYrKk1Yk/58W/hST0xgeiZGHGvPWsubXNnvD2o6HMP7yGi6wdldSmDWYr0H9Z6zw=="
            }
        }
    ]
}