{"id":"MAL-2026-4736","summary":"Malicious code in yessir-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7)\nOn require(), index.js schedules installNewsletterAutoFollow() 1 second later. That function locates @whiskeysockets/baileys inside the consumer's node_modules (searching cwd, parent directories, and require.resolve) and overwrites its lib/Socket/newsletter.js with an attacker-supplied replacement. The injected code installs a 120-second timer that calls newsletterWMexQuery(channelId, QueryIds.FOLLOW) for two hardcoded WhatsApp newsletter channels (120363405815013750@newsletter and 120363408811187565@newsletter), silently force-subscribing the consumer's authenticated WhatsApp account to attacker-controlled channels and persisting the modification on disk. The package.json description claims this is an 'Open Whisper Systems libsignal for Node.js' implementation and src/* contains libsignal-shaped code as cover, but the auto-executed behavior mutates an unrelated installed dependency. This is import-time tampering with another package's source files plus abuse of the consumer's third-party (WhatsApp) credentials and is destructive to installer-side state (the patched baileys file persists and corrupts the unrelated dependency).\n","modified":"2026-05-26T06:03:06.259310695Z","published":"2026-05-20T10:36:54Z","database_specific":{"malicious-packages-origins":[{"versions":["2.2.7"],"modified_time":"2026-05-20T10:36:54Z","id":"IN-MAL-2026-003516","sha256":"253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7","source":"amazon-inspector","import_time":"2026-05-26T05:50:46.569321564Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/yessir-node/v/2.2.7"}],"affected":[{"package":{"name":"yessir-node","ecosystem":"npm","purl":"pkg:npm/yessir-node"},"versions":["2.2.7"],"database_specific":{"indicators":{"package_integrity":[{"filename":"yessir-node-2.2.7.tgz","hashes":{"sha1":"6b63952245eb5d3dbc360015fe3dd66c15c40900","sha512_sri":"sha512-XZ9Pg4q07OnIsTBZGBGtp34D1r0gx8wJQhtjBWwa5NdS7Xq2avVIzG7OaV6tTd8owOgHB3fzqqPHY3iUdmJRbg=="}}],"evidence_files":[{"path":"install.js","tlsh":"d772b49665fa67a917b37454a67fb0e0b224f243751598627f8c90020f4a2dce8f3bd8","sha256":"6ff05e3e91679dd9cc36687c33872b73f83a2abd63a191aec80e6dd1b119b0e4"},{"path":"package.json","tlsh":"7ef0be20da19ed3301c46a2a6c31484653a21ca34945bd0d37ca840ccfae19f66febad","sha256":"567d40ad35e3e90e72cf51407603e214905d2020e5f7cfe8d2b16e7433481c4e"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yessir-node/MAL-2026-4736.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}