The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing.Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message,...