A malicious npm package posing as a WhatsApp API intercepts messages, steals credentials, and links attacker devices after 56,000 downloads.