InfoWorld

WhatsApp API worked exactly as promised, and stole everything

Malicious npm package posing as a WhatsApp Web API library operated for months as a functional dependency while stealing ...
The Register on MSN

Poisoned WhatsApp API package steals messages and accounts

And it's especially dangerous because the code works A malicious npm package with more than 56,000 downloads masquerades as a working WhatsApp Web API library, and then it steals messages, harvests ...