-= Per source details. Do not edit below this line.=-
On require(), index.js schedules installNewsletterAutoFollow() 1 second later. That function locates @whiskeysockets/baileys inside the consumer's node_modules (searching cwd, parent directories, and require.resolve) and overwrites its lib/Socket/newsletter.js with an attacker-supplied replacement. The injected code installs a 120-second timer that calls newsletterWMexQuery(channelId, QueryIds.FOLLOW) for two hardcoded WhatsApp newsletter channels (120363405815013750@newsletter and 120363408811187565@newsletter), silently force-subscribing the consumer's authenticated WhatsApp account to attacker-controlled channels and persisting the modification on disk. The package.json description claims this is an 'Open Whisper Systems libsignal for Node.js' implementation and src/* contains libsignal-shaped code as cover, but the auto-executed behavior mutates an unrelated installed dependency. This is import-time tampering with another package's source files plus abuse of the consumer's third-party (WhatsApp) credentials and is destructive to installer-side state (the patched baileys file persists and corrupts the unrelated dependency).
{
"malicious-packages-origins": [
{
"versions": [
"2.2.7"
],
"sha256": "253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7",
"modified_time": "2026-05-20T10:36:54Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003516",
"import_time": "2026-05-26T05:50:46.569321564Z"
}
]
}{
"package_integrity": [
{
"filename": "yessir-node-2.2.7.tgz",
"hashes": {
"sha512_sri": "sha512-XZ9Pg4q07OnIsTBZGBGtp34D1r0gx8wJQhtjBWwa5NdS7Xq2avVIzG7OaV6tTd8owOgHB3fzqqPHY3iUdmJRbg==",
"sha1": "6b63952245eb5d3dbc360015fe3dd66c15c40900"
}
}
],
"evidence_files": [
{
"sha256": "6ff05e3e91679dd9cc36687c33872b73f83a2abd63a191aec80e6dd1b119b0e4",
"path": "install.js",
"tlsh": "d772b49665fa67a917b37454a67fb0e0b224f243751598627f8c90020f4a2dce8f3bd8"
},
{
"sha256": "567d40ad35e3e90e72cf51407603e214905d2020e5f7cfe8d2b16e7433481c4e",
"path": "package.json",
"tlsh": "7ef0be20da19ed3301c46a2a6c31484653a21ca34945bd0d37ca840ccfae19f66febad"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yessir-node/MAL-2026-4736.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]