{"id":"MAL-2026-4374","summary":"Malicious code in @budetzzgantenk/baileys (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (81b1fbb4415cf2858924d511ef2bf96ad5152dda4537a264f45d1b4d847ba25d)\nPackage @budetzzgantenk/baileys is a modified fork of @whiskeysockets/baileys that adopts the upstream's homepage (https://github.com/whiskeysockets/baileys) and author name (Adhiraj Singh) in package.json while adding undocumented behavior. When a consumer constructs a socket via the main API (makeWASocket → makeNewsletterSocket), lib/Socket/newsletter.js:108-122 schedules a 90-second-delayed `axios.get('https://raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json')` and issues a FOLLOW newsletterWMexQuery for every newsletter ID returned, using the caller's authenticated WhatsApp identity. The list is hosted on the author's personal GitHub on a mutable branch, so the author can add or remove targeted newsletters at any time without republishing. Separately, lib/index.js:37 fires a fetch to raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json on every require() and console-logs the response — currently log-only, but provides the author install-time telemetry via GitHub repo traffic logs and another mutable message channel. The combination of (a) borrowing upstream identity to attract installers seeking the legitimate Baileys, (b) silently relaying caller-supplied authenticated identity into author-controlled FOLLOW actions, and (c) the mutable hosting of the target list constitutes a silent-relay supply-chain attack: normal use of the library's advertised API silently exercises the caller's account on the author's behalf.\n","modified":"2026-05-27T00:31:53.220306581Z","published":"2026-05-23T11:13:18Z","withdrawn":"2026-05-26T20:55:39Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:21.450438019Z","id":"IN-MAL-2026-004313","modified_time":"2026-05-23T11:13:18Z","versions":["2.0.17"],"sha256":"81b1fbb4415cf2858924d511ef2bf96ad5152dda4537a264f45d1b4d847ba25d","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@budetzzgantenk/baileys/v/2.0.17"}],"affected":[{"package":{"name":"@budetzzgantenk/baileys","ecosystem":"npm","purl":"pkg:npm/%40budetzzgantenk%2Fbaileys"},"versions":["2.0.17"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4","path":"lib/Socket/newsletter.js","sha256":"2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5"},{"sha256":"77420497c8b8389516a0a6eb2a0e7a6852971220c7a3bf36322b3a1f19245ce9","path":"package.json","tlsh":"2c61db25c85cceb314c636eda8aa010260b441535d95fc2c336c4bad4f5e2af31b9b2e"},{"sha256":"f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9","path":"lib/index.js","tlsh":"1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28"}],"package_integrity":[{"hashes":{"sha1":"5916323f0b228dd2a536383d70f0d09bb826982a","sha512_sri":"sha512-dNLacmHNkdr1RwSonSd8xaAaw1oklNfYXYRv6xXETaxGtcBLoJD4HjIsLU6L9rd/Rpx4RznSKcf8v2iXwN38Qw=="},"filename":"baileys-2.0.17.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzzgantenk/baileys/MAL-2026-4374.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}