{
  "id": "MAL-2026-4372",
  "summary": "Malicious code in @budetzz/baileys (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c)\nThis package is a republished fork of @whiskeysockets/baileys that adds two undocumented network behaviors. (1) lib/Socket/newsletter.js line 111 schedules a setTimeout 90 seconds after a consumer constructs a WhatsApp socket via the documented makeWASocket/makeNewsletterSocket API; the timer calls loadNewsletter(), which axios.get's https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json and then issues newsletterWMexQuery(id, FOLLOW) for every ID returned, using the consumer's authenticated WhatsApp identity. The list is hosted on a mutable main branch under the package author's personal GitHub account, so the set of channels the installer's account is forced to follow can be changed at any time without publishing a new package version. The consumer never opted in and the behavior is not documented. (2) lib/index.js line 37 fires a top-level fetch to https://raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require() of the package and prints data[0].message to the console; this is a remote-mutable, author-controlled in-process content channel that beacons each installer's IP and timing to the author on import. Additionally, package.json advertises homepage https://github.com/whiskeysockets/baileys (the legitimate upstream) while fetchLatestBaileysVersion in lib/Utils/generics.js:351 is repointed to https://raw.githubusercontent.com/z4phdev/baileys/master/src/Defaults/baileys-version.json — a personal fork — so version-update telemetry is also redirected to attacker infrastructure. The silent hijack of the consumer's WhatsApp account to perform actions (channel follows) chosen by the author via a mutable URL is a silent-relay/account-hijack attack on the installer.\n",
  "modified": "2026-05-27T00:31:53.144659612Z",
  "published": "2026-05-20T14:11:17Z",
  "withdrawn": "2026-05-26T20:55:39Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-05-26T05:51:14.587638567Z",
        "modified_time": "2026-05-21T05:52:34Z",
        "source": "amazon-inspector",
        "versions": ["2.0.17"],
        "id": "IN-MAL-2026-003750",
        "sha256": "44606c8c6a3060c45affa41c5b4ca185aaef83c964c23cfb5029b55217aeeff5"
      },
      {
        "import_time": "2026-05-26T05:52:21.226051199Z",
        "versions": ["2.0.18"],
        "source": "amazon-inspector",
        "sha256": "f3fa0c6d519437b3dd1a88a871b5846c8cda9d699f3dee317e0db41b17cff256",
        "id": "IN-MAL-2026-004311",
        "modified_time": "2026-05-23T10:35:18Z"
      },
      {
        "import_time": "2026-05-26T05:50:52.002335098Z",
        "versions": ["2.0.14"],
        "source": "amazon-inspector",
        "sha256": "b61c7632294880e2a3fd6dab6c2cee0013d8072ad13e0c90e1a9e96e61dc3851",
        "id": "IN-MAL-2026-003563",
        "modified_time": "2026-05-20T14:11:17Z"
      },
      {
        "import_time": "2026-05-26T05:51:13.864860987Z",
        "versions": ["2.0.16"],
        "source": "amazon-inspector",
        "sha256": "c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c",
        "id": "IN-MAL-2026-003743",
        "modified_time": "2026-05-21T05:33:09Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@budetzz/baileys/v/2.0.17"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@budetzz/baileys/v/2.0.18"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@budetzz/baileys/v/2.0.14"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@budetzz/baileys/v/2.0.16"}
  ],
  "affected": [
    {
      "package": {
        "name": "@budetzz/baileys",
        "ecosystem": "npm",
        "purl": "pkg:npm/%40budetzz%2Fbaileys"
      },
      "versions": ["2.0.17", "2.0.18", "2.0.14", "2.0.16"],
      "database_specific": {
        "cwes": [
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"},
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"},
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"},
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/baileys/MAL-2026-4372.json",
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha1": "bbf6aa62b1117653389594a274154d7e7a74f3b1",
                "sha512_sri": "sha512-jVkF5xjdT1s3yqMdKnaKkgjtQvKRGcL/FoWjBMn2hIZUztHk/6Y89wn6hXBZaRo91FuMFBipSaAXR46cPG/mAQ=="
              },
              "filename": "baileys-2.0.17.tgz"
            }
          ],
          "evidence_files": [
            {
              "sha256": "2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5",
              "path": "lib/Socket/newsletter.js",
              "tlsh": "6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4"
            },
            {
              "sha256": "b36d4cf3d415c51dcf21c8a8383fe92f445bba1ae8c94964a3a6ed82b7e574e2",
              "path": "package.json",
              "tlsh": "6861db25c85cceb314c636eda9aa010260b441935d95fc2c336c4bad4f5e2af31b9b2e"
            },
            {
              "sha256": "f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9",
              "tlsh": "1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28",
              "path": "lib/index.js"
            },
            {
              "sha256": "a3ba43b710363d9f11aa4df8c6b5b0f16192d64e6c2e21847804f8cb9d63e7da",
              "tlsh": "60821b89abf31477079361d5a72be406ba3e99133149c8f8be1c87204f414a4cae77f9",
              "path": "lib/Utils/generics.js"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}