128: Malicious npm Package Compromises WhatsApp Accounts: A Supply Chain Wake-Up Call

A malicious package on the Node Package Manager (NPM) registry, masquerading as a WhatsApp Web API library, has been caught exfiltrating user data and, in some cases, granting full account access to attackers. Developers installing the package risked compromising sensitive information simply through the ‘npm install’ command.

This incident highlights persistent supply chain risks in open-source ecosystems, where unchecked packages can become vectors for attack. Experts underscore the importance of regular dependency auditing using tools like ‘npm audit’ and GitHub’s Dependabot, alongside manual reviews. Prioritising reputable, well-maintained projects and closely monitoring lock files are recommended best practices to mitigate such threats, underlining that supply chain risks concern projects of all sizes.
