libsignal-node-travatiger @1.0.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6281
Ecosystem
npm
Summary
On require() of this package, index.js schedules install.js which locates @whiskeysockets/baileys in the installer's node_modules tree (searching process.cwd(), parent directories, and require.resolve) and overwrites lib/Socket/newsletter.js with an attacker-controlled replacement. A.cache marker is dropped to make the patch idempotent and persistent across reinstalls. The replacement newsletter.js, once the installer uses Baileys with their authenticated WhatsApp session, runs a setTimeout (~120s after socket creation) that fetches https://raw.githubusercontent.com/travatiger/MegaTeam/main/channel.json — a mutable, attacker-controlled URL — and invokes WhatsApp's newsletter FOLLOW mutation (newsletterWMexQuery with Types_1.QueryIds.FOLLOW) for each returned channel ID, silently using the installer's authenticated WhatsApp identity to follow channels chosen by the attacker. Because the channel list lives in a mutable GitHub repo, the attacker can change targets — or, more dangerously, the response-handling logic — at any time without republishing the npm package. The package name impersonates the legitimate libsignal-node Signal Protocol library and the description claims 'Modified libsignal for Node.js' to lend legitimacy to the lure. Three independent harms: (1) tampering with a sibling trusted package's on-disk source, (2) install-time persistence outside this package's own directory, (3) silent relay/abuse of the installer's authenticated WhatsApp session for attacker benefit.
Source: amazon-inspector (311b53330c1d8c3546d0b4fa3d460ca694fc20d60608ac5a276f40f7a73279fa)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.