{"id":"MAL-2026-4369","summary":"Malicious code in @blckrose/baileys (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d)\nThis package is a fork of the Baileys WhatsApp Web library that ships three undisclosed behaviors which benefit the publisher at the installer's expense. (1) lib/Socket/socket.js lines 597-599 override requestPairingCode() to use a fixed default pairing code 'BLCKRO53' (assembled from a char-code array [66,76,67,75,82,79,53,51] to obfuscate the literal) whenever the caller does not supply a custom code, while upstream Baileys generates a random per-attempt code. The same code is printed on every load by the import-time banner in lib/index.js ('Pairing Code: BLCKRO53'). Anyone who knows this value — including the publisher — can enter it on whatsapp.com to link as a companion device to any installer's WhatsApp session, giving full read/write access to that account. (2) lib/Socket/newsletter.js line 54 hardcodes AUTO_FOLLOW_JID = '120363406005175144@newsletter' and the connection.update handler at lines 67-75 silently issues a FOLLOW WMex query against that newsletter on every successful connection, using the installer's authenticated WhatsApp identity to follow a publisher-controlled channel without consent or disclosure. (3) lib/Defaults/index.js line 138 sets DONATE_URL = 'https://saweria.co/itsliaaa' (the publisher's donation page) and lib/Utils/rich-message-utils.js line 289 uses it as the fallback URL for any link entry the caller leaves unset, injecting the publisher's donation page into outgoing messages with source labels 'Saweria' / 'For Donation via Saweria'. The package name @blckrose/baileys, the verbatim copy of upstream's description ('A WebSockets library for interacting with WhatsApp Web'), and the 'Modified Edition' banner that does not disclose any of these behaviors make this a repackage that masquerades as the upstream library while inserting a session-hijack backdoor.\n","modified":"2026-05-27T00:31:53.138462536Z","published":"2026-05-23T01:14:12Z","withdrawn":"2026-05-26T20:55:39Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-23T01:15:26Z","versions":["2.0.6"],"source":"amazon-inspector","import_time":"2026-05-26T05:52:17.33808254Z","sha256":"17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d","id":"IN-MAL-2026-004277"},{"modified_time":"2026-05-23T01:14:12Z","sha256":"499596d2093ecf829e71408f945fabf8175d1f08ea068150054d5dea89fd3307","import_time":"2026-05-26T05:52:17.237643399Z","versions":["2.0.7"],"source":"amazon-inspector","id":"IN-MAL-2026-004276"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@blckrose/baileys/v/2.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@blckrose/baileys/v/2.0.7"}],"affected":[{"package":{"name":"@blckrose/baileys","ecosystem":"npm","purl":"pkg:npm/%40blckrose%2Fbaileys"},"versions":["2.0.6","2.0.7"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"fdb441c91806c48e071daa31797d07bcac13efdd","sha512_sri":"sha512-WUdd6B7csVrQamWh47wqAiweA6hJH9nvdnAMVX/J8rg+xOWASnA3klaF8WRjuhD4IAv+zSPeC0sH4BhgK9G45g=="},"filename":"baileys-2.0.6.tgz"}],"evidence_files":[{"path":"lib/Socket/socket.js","sha256":"be0128764a3223eecae9adc37b37e864f44b4c84ee71da841e89b2c988f9fc31","tlsh":"eb03a42b56f3053a9a37b0766b2ba0213335c0077644dca47f9c8314af8a668d5e77dd"},{"path":"lib/Socket/newsletter.js","sha256":"d163e360b649838b0083e3e3cf8925c30b1570c2bcdd7af2a0e3d1b783908557","tlsh":"7542107618b653a126e3f46c156fb0d1b225b143391a9c46bf8ca1110fce1dcf9b27e8"},{"path":"lib/Utils/rich-message-utils.js","sha256":"34903a9bbbbb3e1a4c363af8a6e68d2ecc4e4ebd5896336059006ee962530b56","tlsh":"7372265968b1191e4253b8767acff004e328a0037808bd35bfccae64af9e0a765f57d5"},{"path":"lib/index.js","sha256":"4958a7b3fc2e1df7ed5d7bbe4bc110cba2fc74419d4bb35771111748c0b48ae7","tlsh":"ed3168320c6e4730b131c49c8a0bc501e6e37f5bbf515a492a99373ad7cd2413c8ea7a"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@blckrose/baileys/MAL-2026-4369.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}