#020 | High | 2026-04-03

Trojanized Baileys Fork with Hidden Obfuscated Payload

baileys-kawe@1.0.6

Verdict: MALICIOUS — Trojanized WhatsApp Web API fork

Overview

A malicious fork of the popular Baileys WhatsApp Web API library. The attacker cloned the legitimate package and injected an 86KB obfuscated JavaScript payload at lib/Signal/Group/index/_internal.js — a path that closely mimics the real Baileys Signal protocol directory structure. This technique makes the malicious file appear to be part of the legitimate library during casual code review. The obfuscated payload executes on require.

  • Payload Size: 86KB
  • Cloned Package: Baileys
  • Attack Type: Fork
  • Obfuscation: Yes

Attack Flow

Fork & Clone
Attacker forks the legitimate Baileys WhatsApp Web API library and publishes as baileys-kawe on npm. Package appears functionally identical to the original.
Payload Injection
86KB obfuscated JavaScript file injected at lib/Signal/Group/index/_internal.js — a path that mimics the real Baileys Signal protocol directory structure.
Stealth
The malicious file blends into the legitimate directory tree. Developers reviewing the package see familiar Baileys paths and skip the obfuscated file.
Execution
Payload executes on require, running the obfuscated code in the context of the WhatsApp bot/automation that imports the library.

MITRE ATT&CK Mapping

  • T1195.002: Supply Chain Compromise — trojanized npm fork
  • T1036.005: Masquerading — mimics Baileys directory structure
  • T1027: Obfuscated Files — 86KB javascript-obfuscator payload

Tags

Trojan, WhatsApp, Baileys, Fork, Obfuscated

Full Report

Trojanized Baileys Fork: baileys-kawe@1.0.6

TL;DR

Trojanized fork of the popular Baileys WhatsApp Web API library. Contains an 86KB obfuscated payload hidden at a path that mimics the legitimate Baileys directory structure.

Package Info

  • Name: baileys-kawe@1.0.6
  • Registry: npm
  • Published: 2026-04-03

Analysis

Payload Location

The malicious code is injected at lib/Signal/Group/index/_internal.js — a path designed to look like part of Baileys' legitimate Signal protocol implementation. The real Baileys library has files under lib/Signal/, so this addition blends in during casual review.

Obfuscation

The payload is 86KB of javascript-obfuscator output with:

  • Hex-encoded variable names (_0x pattern)
  • String array rotation
  • Self-defending code blocks
  • Anti-debugging traps

Attack Technique

This is a classic trojanized fork attack — the attacker clones a popular package, adds a malicious payload in a location that mimics the original directory structure, and publishes under a similar name. Developers who install baileys-kawe instead of @whiskeysockets/baileys get a functionally identical library with a hidden backdoor.

IOCs

  • Package: baileys-kawe@1.0.6
  • Malicious file: lib/Signal/Group/index/_internal.js (86KB obfuscated)
  • Pattern: _0x variable naming (javascript-obfuscator)

MITRE ATT&CK

  • T1195.002 — Supply Chain Compromise (trojanized npm fork)
  • T1036.005 — Masquerading (mimics Baileys directory structure)
  • T1027 — Obfuscated Files (86KB javascript-obfuscator payload)

Credits

  • Detected by: npm-sentinel automated scanner
  • Verified by: manual code review
  • Date: 2026-04-03