MAL-2026-4803

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636) This package is a Baileys (WhatsApp Web library) fork that, on every WebSocket connection, silently performs WhatsApp newsletter actions on the consumer's authenticated WhatsApp account driven by a remote, mutable, author-controlled list. In lib/Socket/socket.js, validateConnection() awaits an undocumented socketConnect() helper whose target URL is obfuscated as a String.fromCharCode array decoding to https://raw.githubusercontent.com/Fhkryyy/Fhkry/refs/heads/main/elf.json. After a 200ms delay, the code iterates the fetched JSON and issues w:mex IQ queries with query_id 7871414976211147 and newsletter_id mutations against the user's session. A second helper generateMessageV base64+XOR(23)-decodes the string '@newsletter' and is wired to the same hardcoded query_id 7871414976211147 — two independent obfuscated paths whose sole purpose is to hide newsletter-mutation behavior. The remote list is fetched from a mutable `main` branch with no integrity check, so the author can change which newsletters every consumer's WhatsApp session follows at any time. Any application that requires this fork and calls makeWASocket() becomes an unwitting newsletter-amplification node for the attacker. Additional context: requestPairingCode() defaults customPairingCode to 'FHKRY666' (matches author's GitHub handle Fhkryyy and README Telegram link), confirming single-author attribution; deliberate String.fromCharCode and base64+XOR obfuscation of the URL and '@newsletter' string is conclusive evidence of intent to hide the behavior from consumers reading the source.