MAL-2026-4818

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/saturn-bail/MAL-2026-4818.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4818
Published
2026-05-26T14:01:02Z
Modified
2026-05-26T15:16:44.466746399Z
Summary
Malicious code in saturn-bail (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997)

saturn-bail is a Baileys-derivative WhatsApp library that, on every makeWASocket() call, schedules a 90-second timer which executes newsletterWMexQuery("120363329486691279@newsletter", QueryIds.FOLLOW) against the consumer's authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty try {} catch {} to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author's channel, inflating the author's subscriber count using third-party identities. The package additionally ships a reqPairing helper (lib/Socket/chats.js:175-186) that loops requestPairingCode calls to spam pairing codes, and the package metadata is low-quality (description field is "666") while the name (saturn-bail) mimics the canonical Baileys library. The silent-relay behavior — exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author — is the primary block basis.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.12"
            ],
            "sha256": "9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997",
            "modified_time": "2026-05-26T14:01:02Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004913",
            "import_time": "2026-05-26T15:07:42.178035085Z"
        }
    ]
}
References
Credits

Affected packages

npm / saturn-bail

Package

Affected ranges

Affected versions

1.*
1.1.12

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "saturn-bail-1.1.12.tgz",
            "hashes": {
                "sha512_sri": "sha512-+txXzkHFU3HZAAAg15JIgxPSZ1U4LjjjF74trXFkr3a2FLPT/4Iv1QL0SQwJTsU0TG3VoJz0aRT/UIB7SoF+eg==",
                "sha1": "6514f5550d4551179064d67b7e55af5af46ffa37"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "84e04603208ef724e70b5d1988f4dc679745237822e58f96f790d8cb43d04ed6",
            "path": "lib/Socket/newsletter.js",
            "tlsh": "a682a65669f9569617a37414aabff5a0b321f203796598263f8c88020f4d2dcf8f3bd4"
        },
        {
            "sha256": "c3368ae63cc55509bd0994b592aaceb14a0475bffc0d8e43eb3290b90964b309",
            "path": "package.json",
            "tlsh": "51510c25cd1cceb314c626eea9b60202507841534e92fc1c376c0bac8f5e29f31b8b2e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/saturn-bail/MAL-2026-4818.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]