@blckrose/baileys @2.0.7

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4369

Ecosystem

npm

Summary

This package is a fork of the Baileys WhatsApp Web library that ships three undisclosed behaviors which benefit the publisher at the installer's expense.

(1) lib/Socket/socket.js lines 597-599 override requestPairingCode() to use a fixed default pairing code 'BLCKRO53' (assembled from a char-code array [66,76,67,75,82,79,53,51] to obfuscate the literal) whenever the caller does not supply a custom code, while upstream Baileys generates a random per-attempt code. The same code is printed on every load by the import-time banner in lib/index.js ('Pairing Code: BLCKRO53'). Anyone who knows this value — including the publisher — can enter it on whatsapp.com to link as a companion device to any installer's WhatsApp session, giving full read/write access to that account.

(2) lib/Socket/newsletter.js line 54 hardcodes AUTO_FOLLOW_JID = '120363406005175144@newsletter' and the connection.update handler at lines 67-75 silently issues a FOLLOW WMex query against that newsletter on every successful connection, using the installer's authenticated WhatsApp identity to follow a publisher-controlled channel without consent or disclosure.

(3) lib/Defaults/index.js line 138 sets DONATE_URL = 'https://saweria.co/itsliaaa' (the publisher's donation page) and lib/Utils/rich-message-utils.js line 289 uses it as the fallback URL for any link entry the caller leaves unset, injecting the publisher's donation page into outgoing messages with source labels 'Saweria' / 'For Donation via Saweria'.

The package name @blckrose/baileys, the verbatim copy of upstream's description ('A WebSockets library for interacting with WhatsApp Web'), and the 'Modified Edition' banner that does not disclose any of these behaviors make this a repackage that masquerades as the upstream library while inserting a session-hijack backdoor.

Source: amazon-inspector (17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d)