MAL-2026-4478

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/alya-baileys/MAL-2026-4478.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4478
Withdrawn
2026-05-26T22:02:02Z
Published
2026-05-19T18:39:11Z
Modified
2026-05-27T00:31:51.702873639Z
Summary
Malicious code in alya-baileys (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1)

alya-baileys is a fork of the Baileys WhatsApp library that adds a hidden, remotely-controlled action channel against the installer's authenticated WhatsApp session. In lib/Socket/newsletter.js, on every connection.update where the connection opens, the package decrypts an AES-256-CBC-encrypted URL (built from hex-chunk passphrase material in lib/Utils/alya.js that decodes to 'Alyabaileys' and a 'raw.githubcontent.com' host) via alyaDecryptCore and fetches author-controlled configuration with axios.

That config drives three classes of action on the user's WhatsApp account: auto-following newsletters, auto-reacting (random or keyword-mapped emojis) to every message in any newsletter marked 'enabled' in the remote config, and auto-voting in polls with a configurable strategy ('random'/'first'/'last'). Only auto-follow is mentioned in the README; the auto-react and auto-vote behaviors are undisclosed. The remote endpoint can change targets and behavior at any time post-install, giving the author a persistent runtime channel to direct the installer's authenticated WhatsApp identity.

Intent is reinforced by deliberate obfuscation: AES-encrypted URLs and JIDs decrypted at runtime, hex-chunk-built passphrases, five no-op aliased requires of ./Utils/alya (hapus_aja, gak_penting_asli, _apacoba_wkwk,...) that exist only to confuse review, and a literal comment in newsletter.js line 200: // You'll never find what this does - Ibra Decode.

The package name impersonates the well-known baileys / @whiskeysockets/baileys library and re-exports the same public API (makeWASocket, useMultiFileAuthState), increasing the chance an installer adopts it unintentionally.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2ff41db4792469c6c303ac7d4ed1b6c647ea3a9e7f0ca7e8c1562eedd2840931",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:39:11Z",
            "versions": [
                "1.9.36"
            ],
            "id": "IN-MAL-2026-003239",
            "import_time": "2026-05-26T05:50:16.245404951Z"
        },
        {
            "sha256": "32e55019d2ee3bd667c054c7f0ebec80fca8137480cb46084998f1eafee85de1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T14:30:38Z",
            "versions": [
                "1.9.45"
            ],
            "id": "IN-MAL-2026-004338",
            "import_time": "2026-05-26T05:52:24.30192829Z"
        },
        {
            "sha256": "473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:53:19Z",
            "versions": [
                "1.9.35"
            ],
            "id": "IN-MAL-2026-003245",
            "import_time": "2026-05-26T05:50:16.931251712Z"
        },
        {
            "sha256": "62b603cc314c627231089afd879496588d7cd8d2c708984db3c4e33dd663d222",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T13:22:30Z",
            "versions": [
                "1.9.42"
            ],
            "id": "IN-MAL-2026-004329",
            "import_time": "2026-05-26T05:52:23.37883909Z"
        },
        {
            "sha256": "6c8a205e1a11a12aaec85d36f76566c017691fef108249dd16d622a677c2148f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:51:00Z",
            "versions": [
                "1.9.39"
            ],
            "id": "IN-MAL-2026-003243",
            "import_time": "2026-05-26T05:50:16.737309235Z"
        },
        {
            "sha256": "753c9f30c1236dec245e50dcc8c2b479f259db54f8667480938bc0f763052001",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T03:00:23Z",
            "versions": [
                "1.9.46"
            ],
            "id": "IN-MAL-2026-004453",
            "import_time": "2026-05-26T05:52:37.78774208Z"
        },
        {
            "sha256": "c36257f4a6f93c3a216f157733c7c8be822626daf75caf6ae28fa77871326f3b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:49:25Z",
            "id": "IN-MAL-2026-003242",
            "versions": [
                "1.9.38"
            ],
            "import_time": "2026-05-26T05:50:16.596944751Z"
        },
        {
            "sha256": "f7267c6a9eba2568af1f3a2d9777527d148ec57a3a90e85900fe30f948e81699",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:52:34Z",
            "versions": [
                "1.9.37"
            ],
            "id": "IN-MAL-2026-003244",
            "import_time": "2026-05-26T05:50:16.828235369Z"
        }
    ]
}

Affected packages

npm / alya-baileys

Affected versions

1.*
1.9.35
1.9.36
1.9.37
1.9.38
1.9.39
1.9.42
1.9.45
1.9.46

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/alya-baileys/MAL-2026-4478.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "c4176fbe7a5b5ed651ff1c4e218dea42f19160b2addca41f7dfe298437a22461",
            "tlsh": "10d2970359bb297a06e37898d76fb4c2b235b693304ad4a53f8c99161f461dcc9e338d",
            "path": "lib/Socket/newsletter.js"
        },
        {
            "sha256": "d672b57b53fd3b2867d2010f1b64b04d8d3e15ab6aa8238ba1720ceef3a09e1c",
            "tlsh": "a4413953187960f403e7aadd82ebfe8790e692727112c1b97b4f6f7f4d10c648c94049",
            "path": "lib/Utils/alya.js"
        },
        {
            "sha256": "afe5f5d04977406976e0265cfd08bbd7df605d25b42bf5a2199afad93d7083ff",
            "tlsh": "3d61cc25cd6cce7304c632e9a9aa1102607441574d95fc1c376c4bac8f5e1af35b9b3e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-8c5gSHFZoTWNrQbSXib11GHarn2hxKyEhgAvJPT4wekp+/4/KOkNY9ceJIg/zgfNClgD34DY2bLbZD3PLx0v4A==",
                "sha1": "50a68d70ff8a6869d2723152f30712ccd5cca580"
            },
            "filename": "alya-baileys-1.9.36.tgz"
        }
    ]
}