OSV ID: MAL-2026-4619
Ecosystem: npm
Summary
naileys is a fork/lookalike of the WhatsApp library baileys (a single-character edit of the name; internal references still mention 'wileys', and fetchLatestBaileysVersion in lib/Utils/generics.js queries https://registry.npmjs.org/wileys). On every successful WhatsApp connection, lib/Socket/newsletter.js (lines 83-99) executes a hardcoded auto-follow routine: a comment 'Naileys - Auto follow channels on connect' precedes a CHANNELS array containing three hardcoded JIDs ('120363426706961217@newsletter', '120363406068468165@newsletter', '120363420514587725@newsletter') and issues newsletterWMexQuery(jid, QueryIds.FOLLOW) for each. This fires automatically when a consumer simply uses the advertised makeWASocket API — no opt-in, no documentation, no configuration. The effect is that every WhatsApp account driven by naileys (the developer's account or any bot/end-user account using their software) is silently subscribed to author-controlled newsletter channels, modifying account state on the installer's side and giving the author guaranteed broadcast reach to every consumer. This is the silent-relay pattern: the package's documented API has an undisclosed side effect routed to a hardcoded author destination. The name similarity to baileys plus verbatim API mimicry corroborates intentional typosquatting as the delivery vehicle.
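A static triage check for the pattern this summary describes (a package name one edit away from a known library, combined with a source file that hardcodes newsletter JIDs and follows them unconditionally), added here as an example; it is not code from naileys, baileys or OSV, and the scanner, its regexes and the sample source text are constructed assumptions:

```javascript
// Added example (not from naileys/baileys): flag the lookalike-name plus
// hardcoded-auto-follow pattern in a package's source text. Heuristic only.
const NEWSLETTER_JID = /['"`](\d{10,}@newsletter)['"`]/g;
const FOLLOW_CALL = /newsletterWMexQuery\s*\([^)]*QueryIds\.FOLLOW/;

// Levenshtein distance, used to catch names one edit away from a known library.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A file is flagged when it both hardcodes newsletter JIDs and issues a FOLLOW query.
function scanSource(source) {
  const jids = [...new Set([...source.matchAll(NEWSLETTER_JID)].map((m) => m[1]))];
  return { jids, autoFollow: jids.length > 0 && FOLLOW_CALL.test(source) };
}

// files: { relativePath: sourceText }. Returns the findings for one package.
function assessPackage(name, files, knownLibs = ['baileys']) {
  const lookalikeOf = knownLibs.find((lib) => lib !== name && editDistance(name, lib) <= 1) || null;
  const autoFollowFiles = Object.entries(files)
    .map(([path, src]) => ({ path, ...scanSource(src) }))
    .filter((f) => f.autoFollow);
  return { lookalikeOf, autoFollowFiles, suspicious: lookalikeOf !== null && autoFollowFiles.length > 0 };
}

// Constructed sample mimicking the shape described above; the JIDs are placeholders.
const SAMPLE_FILES = {
  'lib/Socket/newsletter.js': `
    // Auto follow channels on connect
    const CHANNELS = ['1203630000000001@newsletter', '1203630000000002@newsletter']
    for (const jid of CHANNELS) await newsletterWMexQuery(jid, QueryIds.FOLLOW)
  `,
  'lib/Utils/generics.js': 'module.exports = { fetchLatestBaileysVersion() {} }',
};
```

Running `assessPackage('naileys', SAMPLE_FILES)` returns `suspicious: true` with the newsletter file and its two JIDs listed, which is the point where a reviewer would diff the file against the upstream library.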
Source: amazon-inspector (53307e8df479525765ddef8cf9a54dcf0aa368b8ef57a088b624a5e80f72c999)