- Manyepo e npm fork eBaileys WhatsApp Web API, akaburitswa se lotusbail, akadhawunirodhwa kanopfuura zviuru makumi mashanu nezvitanhatu (56,000).
- Pakeji iyi inoputira mutengi weWebSocket wepamutemo kuti aba ma token, makiyi emusangano, mameseji, vanhu vaunosangana navo uye midhiya kumashure.
- Varwisi vanobatanidza chinyararire mudziyo wavo neakaundi yeWhatsApp yemunhu anenge akuvadzwa, vachichengetedza mukana wekupinda kunyangwe pasuru yacho yabviswa.
- Vatsvaguriri veKoi Security vanokurudzira vagadziri kuti vaongorore kutsamira kwenpm uye vatarise maitiro ekushanda kwefoni kuti vaone kurwiswa kwe "supply-chain".
Chinhu chinoratidzika sechisina njodzi npm package yakashambadzirwa semubatsiri weWhatsApp Web API yakabatwa ichitora machat, vanhu vaunosangana navo uye ichiwana ma access certificate kubva kuvagadziri vasingafungidziri nevashandisi vavo. Raibhurari iyi, yakaburitswa nezita rekuti "lotusbail", yakaramba iripo kwemwedzi yakati wandei panpm registry yepamutemo uye yakakwanisa kuunganidza mavhidhiyo anodarika 56,000 isati yanyatsoongororwa.
Zvinoenderana nezvinyorwa zvakawanda zvakazvimirira uye kuferefeta kwakadzama kwakaitwa ne Koi Security, pasuru iyi inoita sechishandiso cheWhatsApp automation chakajairika pamusoro, asi kumashure kwayo inobatirira meseji yega yega, inounganidza ruzivo rweakaundi uye inoita kuti pave ne backdoor inogara iripo kukuvadza maakaundi eWhatsApp. Nekuti hunhu hwakashata hwakabatana nekushanda kwepamutemo, mapurojekiti mazhinji angadai akabatanidza izvi pasina kuona kuti pane chakaipa.
Kuti package yeWhatsApp Web API yenhema yakapinda sei muNpm
Raibhurari iyi yakaipa yakaonekwa paNpm muna Chivabvu 2025, yakaiswa nemushandisi anopfuura “seiren_primrose” uye yakatsanangurwa seAPI iri nyore kushandisa paWhatsApp Web. Pasi pehood, i forogo yepurojekiti inozivikanwa ye open source @whiskeysockets/baileys, raibhurari yeTypeScript/JavaScript inopa WebSocket based API yekuvaka marobhoti uye otomatiki pamusoro peWhatsApp Web.
Nekunyatsotevedzera maitiro nemaitiro aBaileys paruzhinji, munhu anotyisidzira akavimbisa kuti Vagadziri vanogona kuisa pasuru iyi muma workflows aripo nekuchinja kushomaMagwaro nemazita zvakagadzirwa kuti zviite sezviri pamutemo, zvichideredza mikana yekuti mapoka akabatikana angave nemubvunzo wekwakabva, kunyanya tichifunga kuti nhamba dzekushandisa npm dzinowanzo shanda sei senzira yekuvimba.
Kwenguva inosvika hafu yegore, pasuru iyi yakaungana Kupfuura 56,000 zvese zvakaiswa uye mazana ekudhawunirodha vhiki nevhikiMunguva iyoyo yakaramba ichitsvakwa uye ichiiswa kubva kurejista yepamutemo, zvichiita kuti ive njodzi yekugovera zvinhu yakanyarara kune chero application yaibatanidza mashandiro eWhatsApp kuburikidza neJavaScript.
Vatsvaguri vanosimbisa kuti hapana chakatadzisa kuburitswa kwenhau dzenpm pakombiyuta iyi: chero mushandisi anogona kuburitsa pakeji ine zita rinonzwika serenyanzvi, kukopa API yepurojekiti inozivikanwa uye nekukasika kuona zviri kuitika Munharaunda. Izvozvo ndizvo chaizvo zvakashandiswa nevapanduki munyaya iyi.
Kushandisa WebSocket client zvisina kunaka kutora data reWhatsApp
Chinhu chikuru chekurwiswa kwacho chiri pakuti lotusbail inovhara mutengi weWebSocket wepamutemo anotaura neprotocol yeWhatsApp yewebhuPanzvimbo pekugadzira interface itsva kubva pakutanga, package iyi inoisa mudziyo wakagadzirwa zvinoenderana neBaileys WebSocket implementation, zvichibvumira meseji yese inopinda neinobuda kuti ipfuure nepa malware kutanga.
Ongororo yeKoi Security inotsanangura kuti kana mugadziri wezvirongwa angoshandisa WhatsApp kuburikidza neraibhurari iyi, chiputiro chinobva chatora zviratidzo zvekusimbisa uye makiyi emusangano pakarepoKubva ipapo zvichienda mberi, meseji yese inopinda nepainobatanidza - inopinda kana kubuda - inoonekwa zvakajeka kune zvivakwa zvemurwisi.
Kuenzanisa ikoko kunopfuura kungotaura chete. Pakeji yacho yakagadzirwa kuti iite seyakagadzirwa bvisa nhoroondo dzemeseji, runyorwa rwevanhu vaunosangana navo uye mafaira ese enhau akabatanidzwa, kusanganisira mapikicha, mavhidhiyo, ma audio clips uye magwaro. Chaizvoizvo, zvinoita kuti mushandisi ataure zvakafanana: kuti anotaura naani, zvaanotumira uye zvaanogamuchira.
Chinonyanya kukosha ndechekuti hapana chimwe cheizvi chinoputsa maitiro akajairika anotarisirwa nevagadziri. Mabasa epamutemo achiri kuita seanoshanda nemazvo, marobhoti ari kuramba achipindura, maotomatiki ari kushanda sezvaagara achiita uye maWhatsApp anoramba akagadzikana. Marware aya anongowedzera zvakatsanangurwa nemumwe muongorori se "mugamuchiri wechipiri, asingaoneki wezvose", zvichiita kuti kuonekwa nekungotarisa zvisina kurongeka kuve kusingawanzoitiki.
Zvese izvi zvinokonzerwa nekushandiswa kweAPI kwakajairika. Hapana chikonzero chekuti munhu anenge abatwa amhanye mirairo yakawedzerwa kana kugonesa maflags akakosha; kusimbiswa uye kubata meseji nguva dzose zvakakwana kuti zvikwanise kushanda pakusora, ndicho chimwe chezvikonzero nei mushandirapamwe uyu wakakwanisa kushanda usingaonekwe kwemwedzi yakati wandei.
Kupinda muchivande kwemusuwo wekumashure: kubatanidza mudziyo wemurwisi
Kunze kwekubiwa kwedata, lotusbail inounza kugona kwakavanzika: inoburitsa chinyararire inosanganisa mudziyo unodzorwa neanorwisa neakaundi yeWhatsApp yemunhu anenge arwiswaIzvi zvinoshandisa nzira imwecheteyo yekubatanidza zvishandiso zvakawanda iyo vashandisi vepamutemo vanovimba nayo kuti vabatanidze mamwe mafoni kana madesktop kuaccount yavo.
Munguva yekupinda mukati, malware inokonzera maitiro ekubatanidza akavanzika. Vaongorori vanoti kodhi iyi inogadzira tambo ine mavara masere isina kurongeka uye inoiisa mu WhatsApp's device linking mechanism, vachitora nzira yakajairika nekushandisa nzira yekubatanidza ine kodhi yakavanzika iri mupakeji ine njodzi.
Kana kubatana ikoko kwapera, mudziyo wemurwisi unobva wava mumwe mutengi ane mvumo paaccount yaari kuda kushandisa. Kubva ipapo zvichienda mberi, Vanoita zvekutyisidzira vanogona kuverenga nekutumira mameseji, kuona vanhu vaunosangana navo uye kuwana midhiya sekunge ndivo varidzi veakaundi - uye vanogona kuzviita vasina kuvimba nekuti pasuru yekutanga, ine njodzi iripo zvakare.
Izvi ndizvo zvinoita kuti kurwiswa kurambe kuripo. Kunyangwe kana mugadziri wezvinhu ane hanya nekuchengetedzwa anoona kuvimba kwacho kwakashata uye anokubvisa muchirongwa ichi, kutaurirana hakubviswi otomatiki. Kodhi yenpm yakaipa inogona kunge yaenda, asi mudziyo wakabatana wemurwisi unoramba uchishanda kusvika wabviswa pachena pane runyorwa rweWhatsApp rwezviitiko zvinovimbwa.
Nyanzvi dzinosimbisa kuti hunhu uhwu hunoita kuti chiitiko ichi chisave kungori hutachiona hwepakeji chete: inoshandura npm misstep kuita kutora account yakazara iyo inopona kupfuura kucheneswa, uye inogona kuramba ichifumura vashandisi kwenguva yakareba mushure mekunge software yacho yagadziriswa.
Chii chaizvo chinobiwa nemalware - uye kuti inochivanza sei
Zvinyorwa zvehunyanzvi kubva kuKoi Security nevamwe vaongorori zvinopa mufananidzo wakadzama wedata riri kuunganidzwa. Pakeji yelotusbail yakagadzirirwa unganidza zvinhu zvakasiyana-siyana zveWhatsApp zvine hungwaru, kupfuura kungotaura nezvemashoko chete.
Pakati pezvinhu zvakanangwa pane zviratidzo zvekusimbisa, makiyi emusangano uye makodhi ekuwiriranisa inoshandiswa kuchengetedza hukama pakati pevatengi nemaseva eWhatsApp. Neaya ari mumaoko, vapambi vanogona kugadzirazve kana kuchengetedza nguva kunyangwe mimwe michina yakatangwazve kana software ikadzoserwazve.
Iyo malware inodhonzawo runyorwa rwakakwana rwevanhu vaunosangana navo uye nhengo dzeboka, zvichibvumira vanhu vanotyisidzira kuti vagadzire girafu yemagariro evanhu vanobatwa, kuona zvinangwa zvakakosha kana kutendeukira kune mamwe maakaundi. Pamwe chete nezviri mukati memeseji, izvi zvinopa vavengi maonero akafara ehukama, maitiro ebhizinesi uye hurukuro dzepachivande.
Mafaira anochinjirwa paWhatsApp anoonekwawo zvakafanana. Sezvo wrapper ichiona furemu yega yega yeWebSocket, inogona tora metadata uye mitoro yemifananidzo, mavhidhiyo, manotsi ezwi uye magwaro vasati vabviswa magwaro uye vaatumira nemutengi. Zvinhu izvozvo zvinozogadzirirwa kuti zvisvitswe kumaseva anodzorwa nevanorwisa.
Kuti pasave nekuonekwa zviri nyore padanho renetwork, package iyi inoshandisa kushandiswa kwakazara, kwakagadzirirwa kweRSA encryption. Usati wabva munzvimbo yakakanganisika, data rese rakatorwa rinovharwa munharaunda, zvichireva kuti masisitimu ekuona kupinda kwedata kana ma network monitors anovimba ne deep packet inspection achaona ma blobs asina kujeka achienda kunzvimbo dziri kure.
Pamusoro pezvo, iyo malware inosanganisira dziviriro dzekudzivirira matambudziko dzakanangana nekukanganisa vaongorori vekuchengetedzaMishumo inotsanangura pfungwa dzinoona mamiriro ezvinhu akajairika ekugadzirisa kana kuongorora uye dzinopindura nekusundira kodhi mudenderedzwa risingaperi, zvichinyatsovhara maitiro uye zvichiita kuti kuongororwa kwesimba kuve kwakaoma zvikuru.
Njodzi inogara iripo kunyangwe mushure mekuburitsa package ye npm
Chimwe chezvinhu zvinopesana nechiitiko ichi ndechekuti Kubvisa hutachiona kubva kupurojekiti hakungodziviriri maakaundi eWhatsApp akakanganiswa otomatiki. Chinongedzo chinogara chichigadzirwa kuburikidza nemaitiro ekubatanidza chinoita kuti mukana wekurwisa usapfuure mushure mekubviswa.
Mapoka ekuchengetedza anoratidza kuti lotusbail inoshandisa magadzirirwo akaitwa WhatsApp's multi-device model: kana mudziyo wangobatanidzwa zvinobudirira, inoramba ichigamuchira mameseji uye zvinyorwa zvitsva zveakaundi kusvika muridzi azvidzima nemaoko muzvirongwa zveapp. Hapana nguva inodzima otomatiki yakabatana nehupenyu hwepakeji ye npm kana application yekutambira.
Nekuda kweizvozvo, kunyange vagadziri vanoshingaira vanowana nekudzima raibhurari vanogona kusiya vashandisi vavo vachivaisa pachena kana vakasavarairawo kuti ongorora runyorwa rwezvishandiso zvakabatana zviri muWhatsAppChero chikamu chipi zvacho chisingazivikanwe chiri kuoneka pane rondedzero iyoyo chinofanira kubviswa ipapo ipapo.
Vaongorori vanosimbisa kuti pfungwa iyi inochinja mafungiro emasangano nezvekugadzirisa dambudziko. Hazvichakwani kuti bvisa kodhi yakaipa kubva pakuvaka mapaipi nemaseva; mhinduro yezviitiko inofanirawo kusvika kune ecosystem yeapplication iyo kodhi yakabatana nayo - muchiitiko ichi, maakaundi eWhatsApp akabatana nemisangano yakakanganisika.
Mukutaura zvazviri, mapurojekiti akanganiswa angangoda zivisa vashandisi uye tenderedza marekodhi eWhatsApp, gadzirisazve zvidzidzo kuburikidza nezvishandiso zvinozivikanwa zvakanaka uye simbisa kuti hapana michina inodzorwa nevanorwisa ichiri mvumo pane chero account inoshandiswa mukugadzira kana kuyedza.
Ndiani akafumura lotusbail uye kuti yakaferefetwa sei
Mushandirapamwe uyu wakabuda pachena nekuda kwe Koi Security, inotungamirwa nemuongorori Tuval Admoni, iyo yakaburitsa tsananguro yakadzama yemaitiro epakeji iyi. Mamwe mashoko kubva kumuongorori Idan Dardikman yakabatsira kujekesa kuti malware inoita sechivharo chakajeka chakakomberedza WebSocket client, ichitanga kushanda kana kusimbiswa kwakajairika uye kuyerera kwemashoko kwatanga.
Admoni akapfupikisa kutyisidzira uku nemashoko asina kujeka: Pakeji yacho inoba matsamba eWhatsApp, inobatirira meseji yese, inounganidza vanhu vanobatana nayo, inoisa backdoor inogara iripo uye inovharira zvese isati yatumira. kune server inodzorwa nemuvengi. Musanganiswa iwoyo wekuvanda, hupamhi uye kutsungirira ndizvo zvinoita kuti izvi zvisave dambudziko guru kuenda kune dambudziko guru rekutengesa.
Kuongorora kwakasimba chete kwakaratidza kusakwana kuratidza njodzi. Nekuti codebase inoburitsa ma interface akafanana uye maitiro ekutanga semaraibhurari ari pamutemo, Zviratidzo zvinoenderana nemukurumbira zvakaita sekuverengwa kwezvidhawunirodhi, nyeredzi dzakanyorwa kana kunyorwa kwemavara hazvinyanyi kusiyanisa izvi nekushandisa maturusi chaiwo.Pakeji iyi yakakwanisa kugara pachena pasinei nekuwedzera kwayo kwakaipa.
Vaongorori vakataurawo kuti matekiniki ekudzivirira kuongorora akavakirwa mu malware akadzikisa simba re reverse engineering, zvichida kuti zvishandiso zvive zvakanyatsonaka uye sandboxing kuti zvinyatsoratidza kugona kwayo. Pakazoburitswa mushumo, mushandirapamwe uyu wakanga watove nemwedzi yakati wandei yekushanda.
Nyaya iyi yakakurumidza kupinda mune runyorwa rwuri kukura rwekurwiswa kwakavakirwa panpm kunoratidza kuti sei nzvimbo dzekunyoresa ma package akazaruka dzava nzvimbo huru yekutyisidzirwa kwekutengesa zvinhuKunyange zvazvo mapuratifomu achigona kuita chimwe chinhu nekukanda mapakeji anozivikanwa asina kunaka, mutoro wekutanga wekuona unowanzo kuve pamapoka ekuchengetedza akazvimiririra nevagadziri vakangwarira.
Kuwanda kwevagadziri vema malware anotarisana nekutengesa zvinhu
Kuwanikwa kwe lotusbail kwakabatana nekuburitswa pachena kwe mamwe mapakeji ane hukasha akagadzirirwa vagadziri ve ecosystems, zvichiratidza kuti chiitiko ichi chikamu chemaitiro akakura kwete chimwe chinhu chisingawanzoitika kamwe chete.
Mukutsvagurudza kwakafanana, kambani yekuchengetedza ReversingLabs yakatsanangura boka re Mapakeji gumi nemana eNuGet asina hunhu anotevedzera Nethereum nemamwe maraibhurari ane chekuita necryptocurrency munyika ye.NET. Kufanana neWhatsApp npm case, mapakeji aya akagadzirwa kuti asanganiswe nematurusi epamutemo anoshandiswa nevagadziri vanoshanda neblockchain nemidziyo yedhijitari.
Zvichienderana nezvakawanikwa izvi, mapakeji eNuGet mari yakadzoserwa kubva pakutengeserana kwe cryptocurrency kuenda kuma wallets anodzorwa nevapambi kana kubvisa makiyi epachivande nemitsara yembeu chinyararire pese painoshandiswa mari inodarika madhora zana ekuAmerica. Mazita emapakeji akadai sekuti “binance.csharp”, “Bitcoin Core”, “bitapi.net”, “coinbase.api.net”, “googleads.api”, “nbitcoin.unified”, “nethereumnet”, “nethereumunified”, “nethereum.all”, “solananet”, “solnetall”, “solnetall.net”, “solnetplus” uye “solnetunified” akagadzirwa kuti aratidze maturusi nemasevhisi anozivikanwa.
Kuti vavake kuvimbana, vanobata maraibhurari aya vanonzi nhamba dzekurodha dzakakwidziridzwa uye dzakasimudzira zvidzoreso kakawanda kutevedzera kuchengetedza uye kufarirwa kuri kuitwa. Iyi social engineering layer inoratidza nzira iyo lotusbail yaivimba nayo nekuonekwa kwaNpm uye mukurumbira weBaileys project kuti iwane simba.
Nyanzvi dzemapoka ese ari maviri ekutsvagisa dzinobvumirana pane imwe pfungwa: Kurwiswa kwevagadziri vezvigadzirwa hakusi kupera; kuri kuwedzera kuomararaVavengi vakadzidza kunanga chaizvo zvishandiso zvinotsigirwa nemainjiniya zuva nezuva, kungave pakubatanidza mameseji, mashandiro emari kana zvivakwa zvemazuva ese.
Nei dziviriro dzechinyakare dzichinetseka nekutyisidzirwa kwenpm supply chain
Lotusbail inoratidzawo miganhu yedziviriro dziripo pari zvino dzinoshandiswa kuchengetedza mapaipi esoftware. Nzira dzechinyakare dzakadai se kuongorora kodhi isingachinji, kunyora zvinyorwa, kutarisa masiginecha zviri nyore uye metrics yemukurumbira vanowanzo gadziriswa kuti vaone zviratidzo zvinooneka, asi vanogona kupotsa nyore nyore pfungwa dzisina kunaka dziri mumapakeji anoshanda.
Nekuti raibhurari inoshandisa zvizere nzvimbo inotarisirwa yeWhatsApp Web API, zvishandiso zvinongoerekana zvachinja zvishoma zvinogona kuona forogo yenzvimbo inozivikanwa zvakanaka.Kunyangwe kuongororwa nemaoko kungasaratidza njodzi yacho nekukasika, kunyanya kana kodhi inokuvadza yakabatana nemaitiro epamutemo ekubatanidza mashoko uye encryption.
Masisitimu ane mukurumbira haana kunaka pano. Masangano mazhinji anoenzanisa zvinhu nenzira isingafungidzike kudhawunirodha kwakawanda uye kugadziridzwa kwakawanda nekuchengetedzeka, asi muchiitiko ichi zviratidzo izvozvo zvaiunganidzwa zvechisikigo nekufamba kwenguva kana kuti zvaigona kusimbiswa neanorwisa. Kufarirwa hakuvimbisi kuvimbika kana chero munhu achigona kuburitsa pakeji yakafanana netsananguro inogutsa.
Layer yekudzivirira kugadzirisa matambudziko inowedzera kuoma kuongorora kwakasimba. Kana package yangoona kuti iri ichishanda pasi pemidziyo kana kuti yakabatana ne debugger uye yobva yakonzera zvishwe zvisingaperi kana kupwanyika, mabhokisi ejecha anongoerekana aita zvinhu anonetseka kuwana hunhu hwakakwana. Izvozvo zvinononotsa kugadzirwa kwemasaini uye kuburitswa pachena.
Matambudziko aya anoratidza kuti pane chikonzero chekuti kutarisa kwakasimba, kwakatarisana nemaitiro munzvimbo dzekugadzira, uko network inofambiswa zvisina kurongeka, maitiro ekuvhara data asingatarisirwi kana mukana wekuwana data usina kujairika zvinogona kuratidzwa kunyangwe kana cheki dzakamira dzichibvumira package pakutanga.
Zvinogona kuitwa nevagadziri vemapurogiramu nemasangano izvozvi
Nyanzvi dzezvekuchengetedza dzakaongorora nyaya ye lotusbail dzakasimbisa kuti Vagadziri vanofanirwa kubata mapakeji evamwe sekodhi isina kuvimbika, kunyangwe kana achibva kumarejista makuru akadai se npmMatanho anoshanda anogona kubatsira kuderedza kusangana nematambudziko akafanana mune ramangwana.
Chekutanga, zvikwata zvinokurudzirwa kuti simbisai mavambo etsika dzakakoshaIzvi zvinosanganisira kutarisa magwaro epamutemo kana nzvimbo dzekuchengetera mabhuku kuti uone mazita emapakeji anokurudzirwa, kusimbisa mazita evaparidzi, uye kusarudza maraibhurari anochengetwa nemasangano agara aripo kana vagadziri vanozivikanwa pese pazvinogoneka.
Chechipiri, nyanzvi dzinokurudzira kuwedzera kutarisa kwekushanda uye kuonekwa kwezvisina kujairika pakubatanidzwa kwakaomarara zvakaita semaAPI ekutumira mameseji, ma module ekubhadhara kana ma cryptographic tooling. Kubatana kusingawanzoitiki, mabasa e encryption asingatarisirwi kana kuyerera kwedata kusingaenderane nemaitiro akanyorwa zvinogona kuva zviratidzo zvekutanga zvekusavimba nevatengi.
Chechitatu, masangano anofanira kuchengetedza nhamba yemapakeji ese echitatu ari kushandiswa uye kutevedzera shanduko nekufamba kwenguvaKupinza mavhezheni, kuongorora ma changelogs uye kuita ongororo dzekuchengetedza usati wagadzirisa zvinhu zvikuru kunogona kubatsira kubata kodhi ine dambudziko isati yasvika pakugadzirwa kwayo.
Chekupedzisira, kana WhatsApp yakabatana neraibhurari yenpm ine njodzi, mhinduro yezviitiko inofanira kupfuura kuchenesa makodhi. Vashandisi vakakanganiswa vanofanira kutungamirirwa ku vhura marongero eWhatsApp, ongorora zvishandiso zvakabatana uye bvisa chero zvikamu zvisingazivikanwiPasina danho iroro, mudziyo wemurwisi wakabatana unogona kuramba uine mukana wakazara wekuwana hurukuro nezviri mukati.
Chikamu che lotusbail chinoshanda sechiyeuchidzo chakananga chekuti kuvimba nepakeji nekuti inoita seinozivikanwa, ine zviuru zvekudhawunirodha kana kutevedzera purojekiti yakakurumbira hazvichakwaniNekuda kwekuti varwisi vari kuramba vachinanga vagadziri vemapurogiramu, kuongorora nekungwarira zvinodiwa nevashandisi uye kunyatsoongorora maitiro ekushandisa nguva yekushanda kwave zvinhu zvakakosha pakuchengetedza maakaundi eWhatsApp - uye maapplication akavakirwa paari - akachengeteka zvechokwadi.
