India, Dec. 24 -- For most developers, broken code raises alarms. This time, the danger came from code that worked exactly as promised.

A malicious npm package called lotusbail presented itself as a fully functional WhatsApp Web API. It sent messages, received replies, passed tests, and made it into production environments. Behind that clean surface, it quietly intercepted conversations, harvested contacts, and hijacked WhatsApp accounts.

Cybersecurity researchers at Koi Security revealed that the package had already crossed 56,000 downloads, with hundreds more installs happening just days before discovery. The library had been live for six months. During that time, it behaved like a trusted tool while operating as a surveillance pipeli...