mal-2026-4803
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636)
This package is a Baileys (WhatsApp Web library) fork that, on every WebSocket connection, silently performs WhatsApp newsletter actions on the consumer's authenticated WhatsApp account driven by a remote, mutable, author-controlled list. In lib/Socket/socket.js, validateConnection() awaits an undocumented socketConnect() helper whose target URL is obfuscated as a String.fromCharCode array decoding to https://raw.githubusercontent.com/Fhkryyy/Fhkry/refs/heads/main/elf.json. After a 200ms delay, the code iterates the fetched JSON and issues w:mex IQ queries with query_id 7871414976211147 and newsletter_id mutations against the user's session. A second helper generateMessageV base64+XOR(23)-decodes the string '@newsletter' and is wired to the same hardcoded query_id 7871414976211147 — two independent obfuscated paths whose sole purpose is to hide newsletter-mutation behavior. The remote list is fetched from a mutable main branch with no integrity check, so the author can change which newsletters every consumer's WhatsApp session follows at any time. Any application that requires this fork and calls makeWASocket() becomes an unwitting newsletter-amplification node for the attacker. Additional context: requestPairingCode() defaults customPairingCode to 'FHKRY666' (matches author's GitHub handle Fhkryyy and README Telegram link), confirming single-author attribution; deliberate String.fromCharCode and base64+XOR obfuscation of the URL and '@newsletter' string is conclusive evidence of intent to hide the behavior from consumers reading the source.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "lib/Socket/socket.js",
"sha256": "f11e15d388e348cfd9754cb33b5fa62e9421f22fef46a7412ecd425f1415384b",
"tlsh": "96d2b51b49b3053a9b7774765a2b6021333580073a48dca57bac8258af8e778d6e77cc"
}
],
"package_integrity": [
{
"filename": "baileys-8.0.13.tgz",
"hashes": {
"sha1": "0e2959b4c603d7263d235a23a07ce93f937198f7",
"sha512_sri": "sha512-oEgt2FANSsyw5e+ifo5bgZl8DQmwFFwx2m6eJdHigBZTIcZ+y6z7FhPQ06X85HP5ixFROBIXSr9YXF72XL/fjg=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@fhkry/baileys"
},
"versions": [
"8.0.13"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004907",
"import_time": "2026-05-26T13:32:46.787894775Z",
"modified_time": "2026-05-26T12:15:34Z",
"sha256": "75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636",
"source": "amazon-inspector",
"versions": [
"8.0.13"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636)\nThis package is a Baileys (WhatsApp Web library) fork that, on every WebSocket connection, silently performs WhatsApp newsletter actions on the consumer\u0027s authenticated WhatsApp account driven by a remote, mutable, author-controlled list. In lib/Socket/socket.js, validateConnection() awaits an undocumented socketConnect() helper whose target URL is obfuscated as a String.fromCharCode array decoding to https://raw.githubusercontent.com/Fhkryyy/Fhkry/refs/heads/main/elf.json. After a 200ms delay, the code iterates the fetched JSON and issues w:mex IQ queries with query_id 7871414976211147 and newsletter_id mutations against the user\u0027s session. A second helper generateMessageV base64+XOR(23)-decodes the string \u0027@newsletter\u0027 and is wired to the same hardcoded query_id 7871414976211147 \u2014 two independent obfuscated paths whose sole purpose is to hide newsletter-mutation behavior. The remote list is fetched from a mutable `main` branch with no integrity check, so the author can change which newsletters every consumer\u0027s WhatsApp session follows at any time. Any application that requires this fork and calls makeWASocket() becomes an unwitting newsletter-amplification node for the attacker. Additional context: requestPairingCode() defaults customPairingCode to \u0027FHKRY666\u0027 (matches author\u0027s GitHub handle Fhkryyy and README Telegram link), confirming single-author attribution; deliberate String.fromCharCode and base64+XOR obfuscation of the URL and \u0027@newsletter\u0027 string is conclusive evidence of intent to hide the behavior from consumers reading the source.\n",
"id": "MAL-2026-4803",
"modified": "2026-05-26T12:15:34Z",
"published": "2026-05-26T12:15:34Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@fhkry/baileys/v/8.0.13"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @fhkry/baileys (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.