
Cybersecurity researchers discovered three malicious npm packages designed to deliver previously undocumented malware called NodeCordRAT.
All of the packages had been removed from npm as of November 2025. They were uploaded by a user named ‘wenmoonx’.
“The bitcoin-main-lib and bitcoin-lib-js packages run a postinstall.cjs script during installation, which installs bip40, a package containing a malicious payload,” said Satyam Singh and Lakhan Parashar, researchers at Zscaler ThreatLabz. “This final payload, named NodeCordRAT by ThreatLabz, is a remote access Trojan (RAT) with data-stealing capabilities.”
NodeCordRAT’s name comes from its use of npm as a propagation vector and a Discord server for command-and-control (C2) communication. The malware can steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets such as MetaMask.

According to the cybersecurity firm, the attackers behind the campaign named their packages after real repositories in the legitimate bitcoinjs project, such as bitcoinjs-lib, bip32, and bip38.
Both “bitcoin-main-lib” and “bitcoin-lib-js” ship a “package.json” file that registers “postinstall.cjs” as a post-installation script; when npm runs that hook, the script installs “bip40”, the package that carries the NodeCordRAT payload.
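The install-time hook described above is visible in the manifest before anything runs, which makes it a cheap thing to audit. The following script is an added example (not code from the article, Zscaler, or the packages involved): it parses package.json manifests, lists any preinstall/install/postinstall hooks, and marks commands that execute a bundled script or pull in another package at install time for manual review. The manifests it checks are constructed samples with illustrative names, not the real packages' contents.

```javascript
// Added example (not from the article or Zscaler): audit package.json manifests
// for install-time lifecycle scripts, the mechanism the article describes
// (a "postinstall" entry that runs postinstall.cjs during `npm install`).
// All sample manifests below are constructed for illustration.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks a manifest defines, with their commands.
function findInstallScripts(manifestText) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ name: manifest.name, hook, command: scripts[hook] }));
}

// Heuristic: a hook that runs a JavaScript file shipped in the package,
// installs a further package, or fetches something over the network is
// exactly the pattern the article describes and deserves a human look.
function isSuspiciousCommand(command) {
  return /\bnode\s+\S+\.(c?js|mjs)\b/.test(command) ||
         /\bnpm\s+(i|install)\b/.test(command) ||
         /\bcurl\b|\bwget\b/.test(command);
}

// Audit a set of manifest texts and return one finding per hook found.
function auditManifests(manifests) {
  const findings = [];
  for (const text of manifests) {
    for (const entry of findInstallScripts(text)) {
      findings.push({ ...entry, suspicious: isSuspiciousCommand(entry.command) });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical package names).
const SAMPLE_MANIFESTS = [
  JSON.stringify({ name: "example-lib-a", version: "1.0.0",
    scripts: { postinstall: "node postinstall.cjs", test: "jest" } }),
  JSON.stringify({ name: "example-lib-b", version: "2.3.1",
    scripts: { build: "tsc", test: "mocha" } }),
  JSON.stringify({ name: "example-lib-c", version: "0.1.0",
    scripts: { preinstall: "node-gyp rebuild" } }),
];

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

In practice you would feed it every package.json under node_modules after an install with `--ignore-scripts`, so the hooks are inspected before they ever execute. Native add-ons legitimately use install hooks (the node-gyp sample shows why the heuristic only marks, rather than blocks), so the output is a review queue, not a verdict.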

The malware fingerprints infected hosts to generate a unique identifier across Windows, Linux, and macOS systems, and uses a hardcoded Discord server to open a covert communication channel over which it receives and executes instructions.
Among the commands it accepts:
- !run executes an arbitrary shell command using Node.js’s exec function.
- !screenshot captures the victim’s entire desktop and uploads the resulting PNG file to the attacker’s Discord channel.
- !sendfile uploads a specified file to a Discord channel.
“This data is extracted using Discord’s API, which includes hard-coded tokens, and sent to a private channel,” Zscaler said. “Stolen files are uploaded as message attachments via Discord’s REST endpoint /channels/{id}/messages.”
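Because the article names the exact REST endpoint used for exfiltration, a defender can look for it in web-proxy or EDR network telemetry. The script below is an added example (not code from the article or Zscaler): it parses key=value proxy records, matches POST requests to Discord's /channels/{id}/messages endpoint, and flags those made by processes that are not a browser or the Discord desktop client. The log format, hostnames, process names, channel IDs and byte counts are all constructed for illustration.

```javascript
// Added example (not from the article or Zscaler): flag outbound POSTs to the
// Discord message endpoint the article names, /channels/{id}/messages, when
// they originate from a process that has no business talking to Discord.
// The record format and every log line below are constructed for illustration.
const DISCORD_MESSAGES =
  /^https:\/\/discord(?:app)?\.com\/api\/(?:v\d+\/)?channels\/\d+\/messages\b/;

// Processes for which a Discord message POST is expected in this (hypothetical) fleet.
const EXPECTED_CLIENTS = new Set(["Discord.exe", "discord", "chrome.exe", "firefox.exe", "msedge.exe"]);

// Parse a "key=value key=value ..." proxy record into an object.
function parseRecord(line) {
  const rec = {};
  for (const token of line.trim().split(/\s+/)) {
    const eq = token.indexOf("=");
    if (eq > 0) rec[token.slice(0, eq)] = token.slice(eq + 1);
  }
  return rec;
}

// Return one hit per suspicious record: a POST to the messages endpoint
// from a process outside the expected-client list.
function flagDiscordExfil(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseRecord(line);
    if (!rec.url || !DISCORD_MESSAGES.test(rec.url)) continue;
    if (rec.method !== "POST") continue;
    if (EXPECTED_CLIENTS.has(rec.proc)) continue;
    hits.push({ host: rec.host, proc: rec.proc, url: rec.url, bytesOut: Number(rec.bytes_out) });
  }
  return hits;
}

// Constructed sample proxy log (hypothetical hosts, processes and channel IDs).
const SAMPLE_LOG = [
  "ts=2025-11-03T10:15:22Z host=ws-17 proc=node.exe method=POST url=https://discord.com/api/v10/channels/111111111111111111/messages bytes_out=482913",
  "ts=2025-11-03T10:15:40Z host=ws-02 proc=Discord.exe method=POST url=https://discord.com/api/v9/channels/222222222222222222/messages bytes_out=1320",
  "ts=2025-11-03T10:16:01Z host=ws-17 proc=node.exe method=GET url=https://registry.npmjs.org/bitcoinjs-lib bytes_out=210",
  "ts=2025-11-03T10:16:30Z host=ws-09 proc=chrome.exe method=POST url=https://discord.com/api/v9/channels/333333333333333333/messages bytes_out=900",
  "ts=2025-11-03T10:17:05Z host=build-4 proc=node method=POST url=https://discordapp.com/api/channels/444444444444444444/messages bytes_out=73000",
];

console.log(JSON.stringify(flagDiscordExfil(SAMPLE_LOG), null, 2));
```

The URL path is only visible where TLS is terminated by the proxy or where EDR records it at the process level; with hostname-only telemetry, the same idea reduces to alerting on discord.com connections from node or other developer tooling. Tuning the expected-client set to your own environment is what keeps this from paging on legitimate Discord use.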
