# [CRIT] [GHSA / CRITICAL] CVE-2026-48063: Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload **Source:** GitHub Security Advisories **Published:** 2026-06-10 **Article:** https://github.com/advisories/GHSA-qvv5-jq5g-4cgg ## Threat Profile Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload ### Impact Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake `messages.upsert` event with a **fake message key and payload**. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key s… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-48063` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1195.001** — Compromise Software Dependencies and Development Tools - **T1565.001** — Stored Data Manipulation - **T1566** — Phishing - **T1059.007** — Command and Scripting Interpreter: JavaScript ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Vulnerable Baileys npm package present on disk (CVE-2026-48063) `UC_57_1` · phase: **weapon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name="package.json" (Filesystem.file_path="*\\node_modules\\baileys\\*" OR Filesystem.file_path="*\\node_modules\\@whiskeysockets\\baileys\\*" OR Filesystem.file_path="*/node_modules/baileys/*" OR Filesystem.file_path="*/node_modules/@whiskeysockets/baileys/*") by Filesystem.dest Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // CVE-2026-48063 — Baileys vulnerable package on-disk inventory DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated", "FileModified", "FileRenamed") | where FileName =~ "package.json" | where FolderPath has @"\node_modules\baileys\" or FolderPath has @"\node_modules\@whiskeysockets\baileys\" or FolderPath has "/node_modules/baileys/" or FolderPath has "/node_modules/@whiskeysockets/baileys/" | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Installers = make_set(InitiatingProcessFileName, 10), InstallCmds = make_set(InitiatingProcessCommandLine, 5) by DeviceName, FolderPath | order by FirstSeen asc ``` ### npm/yarn/pnpm install or upgrade of Baileys package `UC_57_2` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("npm.exe","yarn.exe","pnpm.exe","node.exe","npm","yarn","pnpm","node","npm-cli.js")) AND (Processes.process="*baileys*" OR Processes.process="*@whiskeysockets/baileys*") AND (Processes.process="*install*" OR Processes.process="* add *" OR Processes.process="* i *" OR Processes.process="*update*" OR Processes.process="*upgrade*") by Processes.dest Processes.user Processes.process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // CVE-2026-48063 — Baileys npm install / upgrade hunt DeviceProcessEvents | where Timestamp > ago(30d) | where FileName in~ ("npm.exe","yarn.exe","pnpm.exe","node.exe","npm","yarn","pnpm","node") or InitiatingProcessFileName in~ ("npm.exe","yarn.exe","pnpm.exe","node.exe","npm","yarn","pnpm","node") | where ProcessCommandLine has "baileys" or InitiatingProcessCommandLine has "baileys" | where ProcessCommandLine has_any ("install"," add "," i ","update","upgrade") or InitiatingProcessCommandLine has_any ("install"," add "," i ","update","upgrade") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName | order by Timestamp desc ``` ### Baileys messages.upsert event carrying a requestId field (exploit signature) `UC_57_3` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl index=* (sourcetype IN ("nodejs","node","pm2","syslog","linux:journald","linux_secure") OR source IN ("*baileys*","*whatsapp*")) ("messages.upsert" AND "requestId") AND ("placeholderResendMessage" OR "protocolMessage" OR "messages.upsert") | stats count min(_time) as firstTime max(_time) as lastTime values(host) as hosts values(source) as sources by sourcetype | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-48063` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.