{"id":"MAL-2026-4818","summary":"Malicious code in saturn-bail (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997)\nsaturn-bail is a Baileys-derivative WhatsApp library that, on every `makeWASocket()` call, schedules a 90-second timer which executes `newsletterWMexQuery(\"120363329486691279@newsletter\", QueryIds.FOLLOW)` against the consumer's authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty `try {} catch {}` to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author's channel, inflating the author's subscriber count using third-party identities. The package additionally ships a `reqPairing` helper (lib/Socket/chats.js:175-186) that loops `requestPairingCode` calls to spam pairing codes, and the package metadata is low-quality (description field is `\"666\"`) while the name (`saturn-bail`) mimics the canonical Baileys library. The silent-relay behavior — exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author — is the primary block basis.\n","modified":"2026-05-26T15:16:44.466746399Z","published":"2026-05-26T14:01:02Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T15:07:42.178035085Z","sha256":"9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997","modified_time":"2026-05-26T14:01:02Z","source":"amazon-inspector","versions":["1.1.12"],"id":"IN-MAL-2026-004913"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/saturn-bail/v/1.1.12"}],"affected":[{"package":{"name":"saturn-bail","ecosystem":"npm","purl":"pkg:npm/saturn-bail"},"versions":["1.1.12"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/saturn-bail/MAL-2026-4818.json","indicators":{"evidence_files":[{"sha256":"84e04603208ef724e70b5d1988f4dc679745237822e58f96f790d8cb43d04ed6","tlsh":"a682a65669f9569617a37414aabff5a0b321f203796598263f8c88020f4d2dcf8f3bd4","path":"lib/Socket/newsletter.js"},{"sha256":"c3368ae63cc55509bd0994b592aaceb14a0475bffc0d8e43eb3290b90964b309","path":"package.json","tlsh":"51510c25cd1cceb314c626eea9b60202507841534e92fc1c376c0bac8f5e29f31b8b2e"}],"package_integrity":[{"filename":"saturn-bail-1.1.12.tgz","hashes":{"sha512_sri":"sha512-+txXzkHFU3HZAAAg15JIgxPSZ1U4LjjjF74trXFkr3a2FLPT/4Iv1QL0SQwJTsU0TG3VoJz0aRT/UIB7SoF+eg==","sha1":"6514f5550d4551179064d67b7e55af5af46ffa37"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}