{"id":"MAL-2026-4393","summary":"Malicious code in @hanssoft/libsignal-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a)\nPackage name impersonates the well-known `libsignal-node` Signal Protocol library and ships a verbatim copy of its README, but the code is unrelated. On require, `index.js` schedules `require('./install').installNewsletterAutoFollow()` via setTimeout. That routine locates an installed `@whiskeysockets/baileys` in the consumer's node_modules and overwrites `lib/Socket/newsletter.js` with attacker-authored source (`fs.writeFileSync(newsletterPath, MODIFIED_NEWSLETTER_JS)`). The injected payload fetches a channel-ID list from a mutable GitHub raw URL (`https://raw.githubusercontent.com/hanssoft-studio/channelid/refs/heads/main/idch.json`) and silently issues `newsletterWMexQuery(id, QueryIds.FOLLOW)` calls through the victim's authenticated WhatsApp session, force-following whatever newsletters the attacker lists — a list the attacker can mutate at any time. After patching, the installer writes a `.cache` sentinel inside baileys' node_modules and calls `process.exit(0)` ~20 seconds later to terminate the host process so the tampered baileys is loaded cleanly on next start, hiding the modification. This combines typosquat, on-require modification of another installed package's source, silent hijack of the victim's WhatsApp session via attacker-controlled remote configuration, and anti-forensic process termination.\n","modified":"2026-05-26T06:01:49.935281963Z","published":"2026-05-21T08:54:59Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-26T05:51:18.595800187Z","sha256":"063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a","id":"IN-MAL-2026-003785","versions":["3.0.4"],"modified_time":"2026-05-21T08:54:59Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@hanssoft/libsignal-node/v/3.0.4"}],"affected":[{"package":{"name":"@hanssoft/libsignal-node","ecosystem":"npm","purl":"pkg:npm/%40hanssoft%2Flibsignal-node"},"versions":["3.0.4"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hanssoft/libsignal-node/MAL-2026-4393.json","indicators":{"package_integrity":[{"filename":"libsignal-node-3.0.4.tgz","hashes":{"sha1":"6612ae8d7cb2ed909a4897360797fb5e586ba04d","sha512_sri":"sha512-MyBKcjTUrVPb17++LYu518ErIgM6JGcE+b8GZxddEnwNEK2Ga3QJaZDA2mRiCJ2v5JgSSBCUcUdxXmI06mGhRg=="}}],"evidence_files":[{"path":"index.js","sha256":"6a17b62e9957897840e86781cd95d865bddb625fbc18002470288c934b996528","tlsh":"ef11274e6fe6f2a875a3b6c54e76d00a7527d083624c4120b19d5ad38bd10d48e52ca7"},{"sha256":"f53e8045e6f7ed1a6fa7db1aa8e4ce7285f33a50864bed027e6e21ee11676fa5","path":"install.js","tlsh":"4e72b39665fb67a917a37054a67fb0e0b324f243751598627e8c90020f4a29ce9f3bd8"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}