-= Per source details. Do not edit below this line.=-
chromestaff-baileys is a fork of the Baileys WhatsApp library that, on every successful WhatsApp connection, silently forces the connected user's WhatsApp account to follow a hardcoded, author-controlled newsletter (120363418582531215@newsletter). At line 541 of lib/Socket/socket.js, a constant varebotxbased = '120363418582531215@newsletter' is defined, and around line 617 a function autoSubscribeToDefaultNewsletterIfRequired() is invoked from the ws.on('CB:success',...) handler, calling followNewsletterWMex(varebotxbased, timeoutMs). The action is undocumented, hidden behind opaque identifiers, and gated by a creds.basedbysam flag so that it fires once per account, with up to 3 retries. Any application built on this fork conscripts its end users' WhatsApp identities into following the author's channel without their consent. The package metadata reinforces the deception: the name "chromestaff-baileys" and the description "baileys by filo e giuse" impersonate the legitimate @whiskeysockets/baileys library, while the homepage is an invalid placeholder URL, git+https://github.com/precisione.git. This is a silent-relay pattern: normal use of the advertised Baileys API silently performs an action against the caller's WhatsApp account that benefits the author.
{
"malicious-packages-origins": [
{
"import_time": "2026-05-26T05:53:06.159529712Z",
"versions": [
"1.1.3"
],
"modified_time": "2026-05-25T14:50:39Z",
"sha256": "4d5fad12014025f37f607a61051a445262f37bcee6682850dfd77cc0dcb0b486",
"id": "IN-MAL-2026-004694",
"source": "amazon-inspector"
}
]
}
{
"package_integrity": [
{
"filename": "chromestaff-baileys-1.1.3.tgz",
"hashes": {
"sha512_sri": "sha512-Rs5SbhcV8jg5cyiLyRjI3wp3VWOpV4sBD8ETnmST7rDyS+dtQw+HVdvFdEwxyvzfk944gmkqoA1P6pabcyI2hw==",
"sha1": "c2fefc60b80c9bd86bd9ce57773835ae35fb1654"
}
}
],
"evidence_files": [
{
"path": "lib/Socket/socket.js",
"sha256": "6739902383bca8b02754a38c306dd48b81b6b67fde04754232b356dd7c6f328e",
"tlsh": "3d23516b45f714365773b079472ba0616231e0073948eda67f8c82219f892acdaf37de"
},
{
"path": "package.json",
"sha256": "06360122ec5ad3754a07eaf7cdfa9be9a2b60d31674defb9d556f3b913dca0c8",
"tlsh": "5e51ce33ca4cce2309f662d5b5780212f469476f5660cc4f32b957ac8f73a571295f2a"
}
]
}
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/chromestaff-baileys/MAL-2026-4519.json"