-= Per source details. Do not edit below this line.=-
saturn-bail is a Baileys-derivative WhatsApp library that, on every makeWASocket() call, schedules a 90-second timer which executes newsletterWMexQuery("120363329486691279@newsletter", QueryIds.FOLLOW) against the consumer's authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty try {} catch {} to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author's channel, inflating the author's subscriber count using third-party identities. The package additionally ships a reqPairing helper (lib/Socket/chats.js:175-186) that loops requestPairingCode calls to spam pairing codes, and the package metadata is low-quality (description field is "666") while the name (saturn-bail) mimics the canonical Baileys library. The silent-relay behavior — exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author — is the primary block basis.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.12"
],
"sha256": "9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997",
"modified_time": "2026-05-26T14:01:02Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004913",
"import_time": "2026-05-26T15:07:42.178035085Z"
}
]
}{
"package_integrity": [
{
"filename": "saturn-bail-1.1.12.tgz",
"hashes": {
"sha512_sri": "sha512-+txXzkHFU3HZAAAg15JIgxPSZ1U4LjjjF74trXFkr3a2FLPT/4Iv1QL0SQwJTsU0TG3VoJz0aRT/UIB7SoF+eg==",
"sha1": "6514f5550d4551179064d67b7e55af5af46ffa37"
}
}
],
"evidence_files": [
{
"sha256": "84e04603208ef724e70b5d1988f4dc679745237822e58f96f790d8cb43d04ed6",
"path": "lib/Socket/newsletter.js",
"tlsh": "a682a65669f9569617a37414aabff5a0b321f203796598263f8c88020f4d2dcf8f3bd4"
},
{
"sha256": "c3368ae63cc55509bd0994b592aaceb14a0475bffc0d8e43eb3290b90964b309",
"path": "package.json",
"tlsh": "51510c25cd1cceb314c626eea9b60202507841534e92fc1c376c0bac8f5e29f31b8b2e"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/saturn-bail/MAL-2026-4818.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]