{"id":"MAL-2026-4519","summary":"Malicious code in chromestaff-baileys (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4d5fad12014025f37f607a61051a445262f37bcee6682850dfd77cc0dcb0b486)\nchromestaff-baileys is a fork of the Baileys WhatsApp library that, on every successful WhatsApp connection, silently forces the connected user's WhatsApp account to follow a hardcoded author-controlled newsletter (`120363418582531215@newsletter`). In `lib/Socket/socket.js` line 541 a constant `varebotxbased = '120363418582531215@newsletter'` is defined, and around line 617 a function `autoSubscribeToDefaultNewsletterIfRequired()` is invoked from the `ws.on('CB:success',...)` handler, calling `followNewsletterWMex(varebotxbased, timeoutMs)`. The action is undocumented, gated by a `creds.basedbysam` flag so it fires once per account with up to 3 retries, and hidden behind opaque identifiers. Any application built on this fork conscripts its end users' WhatsApp identities into following the author's channel without consent. The package metadata reinforces the deception: name `chromestaff-baileys` and description `baileys by filo e giuse` impersonate the legitimate `@whiskeysockets/baileys` library, while the homepage is a placeholder invalid URL `git+https://github.com/precisione.git`. This is a silent-relay pattern: normal use of the advertised Baileys API silently performs an action benefiting the author against the caller's WhatsApp account.\n","modified":"2026-05-27T00:32:12.713907851Z","published":"2026-05-25T14:50:39Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004694","sha256":"4d5fad12014025f37f607a61051a445262f37bcee6682850dfd77cc0dcb0b486","versions":["1.1.3"],"modified_time":"2026-05-25T14:50:39Z","source":"amazon-inspector","import_time":"2026-05-26T05:53:06.159529712Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chromestaff-baileys/v/1.1.3"}],"affected":[{"package":{"name":"chromestaff-baileys","ecosystem":"npm","purl":"pkg:npm/chromestaff-baileys"},"versions":["1.1.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"6739902383bca8b02754a38c306dd48b81b6b67fde04754232b356dd7c6f328e","path":"lib/Socket/socket.js","tlsh":"3d23516b45f714365773b079472ba0616231e0073948eda67f8c82219f892acdaf37de"},{"sha256":"06360122ec5ad3754a07eaf7cdfa9be9a2b60d31674defb9d556f3b913dca0c8","path":"package.json","tlsh":"5e51ce33ca4cce2309f662d5b5780212f469476f5660cc4f32b957ac8f73a571295f2a"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Rs5SbhcV8jg5cyiLyRjI3wp3VWOpV4sBD8ETnmST7rDyS+dtQw+HVdvFdEwxyvzfk944gmkqoA1P6pabcyI2hw==","sha1":"c2fefc60b80c9bd86bd9ce57773835ae35fb1654"},"filename":"chromestaff-baileys-1.1.3.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/chromestaff-baileys/MAL-2026-4519.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}