Two malicious npm packages have emerged as sophisticated weapons targeting WhatsApp developers through a remote-controlled destruction mechanism that can completely wipe development systems. The packages, identified as naya-flore and nvlore-hsc, masquerade as legitimate WhatsApp socket libraries while harboring a devastating kill switch capable of executing system-wide file deletion through a single command.

Published by npm user nayflore using the email address [email protected], these weaponized packages have accumulated over 1,110 downloads within a month, demonstrating their effectiveness in infiltrating developer workflows. The malicious libraries exploit the growing WhatsApp Business API ecosystem, which now serves over 200 million businesses globally, creating an attractive target environment where developers routinely install third-party packages for chatbot development, customer service automation, and messaging integrations.

Socket.dev researchers identified the sophisticated attack mechanism embedded within what appears to be standard WhatsApp integration functionality. The malicious code specifically targets the requestPairingCode function, a legitimate component that developers would naturally invoke during WhatsApp bot authentication setup.

Remote Kill Switch Architecture

The packages implement a particularly insidious attack vector through their phone number verification system. Upon execution, the malicious code retrieves a remote database of whitelisted phone numbers from a GitHub repository using Base64 obfuscation:

const sesiPath = "aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL25hdmFMaW5oL2RhdGFiYXNlL21haW4vc2Vza2E"; // Decodes
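A static check for the obfuscation described above, as an added example that is not from the article or from Socket.dev's research: it scans JavaScript source for string literals that Base64-decode to an http(s) URL, which is how a dependency can hide a remote endpoint from a plain text search. The function names and the sample source are constructed for illustration.

```javascript
// Added example: flag string literals that are Base64-encoded http(s) URLs.
// Function and variable names are hypothetical, not taken from the packages.

// A quoted run of 16+ Base64 (or URL-safe Base64) characters, padding optional.
const B64_LITERAL = /(["'`])([A-Za-z0-9+\/_-]{16,}={0,2})\1/g;

function decodeIfUrl(literal) {
  // Node's "base64" decoder accepts unpadded and URL-safe input.
  const text = Buffer.from(literal, "base64").toString("latin1");
  // Keep only results that are entirely printable ASCII and look like a URL.
  return /^https?:\/\/[\x21-\x7e]+$/.test(text) ? text : null;
}

function findEncodedUrls(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((lineText, idx) => {
    for (const m of lineText.matchAll(B64_LITERAL)) {
      const url = decodeIfUrl(m[2]);
      if (url) findings.push({ line: idx + 1, literal: m[2], url });
    }
  });
  return findings;
}

// Constructed sample input: the encoded URL points at a reserved test domain.
const encoded = Buffer.from("https://example.invalid/allowlist.json")
  .toString("base64")
  .replace(/=+$/, ""); // strip padding to show unpadded literals are caught too
const sampleSource = [
  'const name = "requestPairingCode";', // identifier-like string, not a URL
  `const listPath = "${encoded}";`, // the only line that should be reported
  'const token = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo";', // decodes to letters
].join("\n");

console.log(findEncodedUrls(sampleSource));
```

Run it over the files of a dependency before installing or upgrading, and treat any reported URL that the package's documentation does not account for as a reason to read the surrounding code.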