—

MAL-2026-4806

Malicious code in shizukyu (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449) The package exports a single function shizukuCh(socket) that accepts a caller's authenticated Baileys WhatsApp socket and invokes socket.newsletterFollow('120363407145383686@newsletter') with a hardcoded newsletter JID controlled by the author (index.js:4). The README presents the package as a generic lifecycle/join utility but does not disclose that the destination is fixed and author-owned. Any consumer who wires this into their connection.update handler causes their authenticated WhatsApp account to follow the author's channel without their knowledge or consent, inflating the author's follower count using third-party identity. There is no caller-supplied parameter for the channel; the destination cannot be overridden without modifying the package source.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / shizukyu

No fixed version published yet for shizukyu (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/shizukyu/v/1.0.1 [PACKAGE]