npm

@shinzepelly/libsignal-node @2.2.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4443

Ecosystem

npm

Summary

Package impersonates the legitimate libsignal-node library (its description is copied verbatim: "Open Whisper Systems' libsignal for Node.js") under an unrelated scope.

On require(), index.js schedules install.js, which overwrites node_modules/@whiskeysockets/baileys/lib/Socket/newsletter.js with an attacker-supplied replacement and writes a marker file .cache containing 'Iove' so that the patch is not reapplied.

The injected newsletter.js, after a 120-second delay at runtime, fetches https://raw.githubusercontent.com/zelxopz/idnews-ch/refs/heads/main/news.json (a mutable branch in a personal GitHub account unrelated to baileys or libsignal) and iterates over the returned IDs, calling newsletterWMexQuery(id, QueryIds.FOLLOW) on the installer's authenticated WhatsApp session and retrying every 11 seconds. After patching, install.js calls process.exit(0) 20 seconds later to terminate the host process so that the patched module is loaded fresh on the next start.

Net effect: the installer's WhatsApp identity is silently used to follow attacker-controlled newsletter channels, chosen by editing a single JSON file in the attacker's repo; the installer's baileys dependency is corrupted on disk; and the host process is forcibly killed.

Source: amazon-inspector (957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f)