npm

@sauruslord/libsignal @2.0.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 10:52 AM UTC

Malicious

OSV ID

MAL-2026-10659

Ecosystem

npm

Summary

Package name impersonates Open Whisper Systems' libsignal-node but ships unrelated code. On require() of index.js, after a 1-second delay, install.js locates the installer's @whiskeysockets/baileys directory and overwrites lib/Socket/newsletter.js with an attacker-supplied stub. The replacement stub schedules a setTimeout that, 120 seconds after the host application starts, silently invokes newsletterWMexQuery('120363425694844039@newsletter', QueryIds.FOLLOW) using the installer's authenticated WhatsApp session — auto-following an attacker-controlled WhatsApp newsletter channel without user consent. The original newsletter.js is destroyed (a restoreBackup export is referenced but no backup is ever written). install.js also schedules process.exit(0) 20 seconds after import, terminating the host application. Declared dependencies list crypto , fs , and path as npm packages rather than Node builtins, pulling in registry placeholders/typosquats. Installer harm: any developer who imports this package and also depends on @whiskeysockets/baileys has a third-party dependency silently rewritten on disk and their authenticated WhatsApp session abused on every subsequent run.

Source: amazon-inspector (b0c2cf2672d98396a7b66cb732741d269732f5faae72293ea46e06b879e7a45b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.