mal-2026-4818
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997)
saturn-bail is a Baileys-derivative WhatsApp library that, on every makeWASocket() call, schedules a 90-second timer which executes newsletterWMexQuery("120363329486691279@newsletter", QueryIds.FOLLOW) against the consumer's authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty try {} catch {} to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author's channel, inflating the author's subscriber count using third-party identities. The package additionally ships a reqPairing helper (lib/Socket/chats.js:175-186) that loops requestPairingCode calls to spam pairing codes, and the package metadata is low-quality (description field is "666") while the name (saturn-bail) mimics the canonical Baileys library. The silent-relay behavior — exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author — is the primary block basis.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "lib/Socket/newsletter.js",
"sha256": "84e04603208ef724e70b5d1988f4dc679745237822e58f96f790d8cb43d04ed6",
"tlsh": "a682a65669f9569617a37414aabff5a0b321f203796598263f8c88020f4d2dcf8f3bd4"
},
{
"path": "package.json",
"sha256": "c3368ae63cc55509bd0994b592aaceb14a0475bffc0d8e43eb3290b90964b309",
"tlsh": "51510c25cd1cceb314c626eea9b60202507841534e92fc1c376c0bac8f5e29f31b8b2e"
}
],
"package_integrity": [
{
"filename": "saturn-bail-1.1.12.tgz",
"hashes": {
"sha1": "6514f5550d4551179064d67b7e55af5af46ffa37",
"sha512_sri": "sha512-+txXzkHFU3HZAAAg15JIgxPSZ1U4LjjjF74trXFkr3a2FLPT/4Iv1QL0SQwJTsU0TG3VoJz0aRT/UIB7SoF+eg=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "saturn-bail"
},
"versions": [
"1.1.12"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004913",
"import_time": "2026-05-26T15:07:42.178035085Z",
"modified_time": "2026-05-26T14:01:02Z",
"sha256": "9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997",
"source": "amazon-inspector",
"versions": [
"1.1.12"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a29ae44bbeeb4d31d176d78d669615e7a508bd236620cc3724478100f9b6997)\nsaturn-bail is a Baileys-derivative WhatsApp library that, on every `makeWASocket()` call, schedules a 90-second timer which executes `newsletterWMexQuery(\"120363329486691279@newsletter\", QueryIds.FOLLOW)` against the consumer\u0027s authenticated WhatsApp session, force-subscribing the account to a hardcoded newsletter channel controlled by the package author (lib/Socket/newsletter.js:104-110). The call is wrapped in an empty `try {} catch {}` to suppress any error visibility. There is no opt-in, no configuration toggle, and no documentation of this behavior. Any developer or downstream end-user whose WhatsApp account is paired through a bot built on this library is silently enrolled into following the author\u0027s channel, inflating the author\u0027s subscriber count using third-party identities. The package additionally ships a `reqPairing` helper (lib/Socket/chats.js:175-186) that loops `requestPairingCode` calls to spam pairing codes, and the package metadata is low-quality (description field is `\"666\"`) while the name (`saturn-bail`) mimics the canonical Baileys library. The silent-relay behavior \u2014 exported library APIs covertly causing caller-supplied WhatsApp identities to perform an action benefiting the author \u2014 is the primary block basis.\n",
"id": "MAL-2026-4818",
"modified": "2026-05-26T14:01:02Z",
"published": "2026-05-26T14:01:02Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/saturn-bail/v/1.1.12"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in saturn-bail (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.