Jan 08, 2026Ravie LakshmananMalware / Cloud Safety
Cybersecurity researchers have found three malicious npm packages which can be designed to ship a beforehand undocumented malware referred to as NodeCordRAT.
The names of the packages, all of which have been taken down as of November 2025, are listed beneath. They have been uploaded by a person named “wenmoonx.”
“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script throughout set up, which installs bip40, the package deal that comprises the malicious payload,” Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar mentioned. “This remaining payload, named NodeCordRAT by ThreatLabz, is a distant entry trojan (RAT) with data-stealing capabilities.”
NodeCordRAT will get its title from using npm as a propagation vector and Discord servers for command-and-control (C2) communications. The malware is supplied to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask.
In accordance with the cybersecurity firm, the risk actor behind the marketing campaign is assessed to have named the packages after actual repositories discovered inside the legit bitcoinjs mission, equivalent to bitcoinjs-lib, bip32, bip38, and bip38.
Each “bitcoin-main-lib” and “bitcoin-lib-js” embrace a “package deal.json” file that options “postinstall.cjs” as a postinstall script, resulting in the execution of “bip40” that comprises the NodeCordRAT payload.
The malware, apart from fingerprinting the contaminated host to generate a singular identifier throughout Home windows, Linux, and macOS programs, leverages a hard-coded Discord server to open a covert communication channel to obtain directions and execute them –
!run, to execute arbitrary shell instructions utilizing Node.js’ exec operate
!screenshot, to take a full desktop screenshot and exfiltrate the PNG file to the Discord channel
!sendfile, to add a specified file to the Discord channel
“This information is exfiltrated utilizing Discord’s API with a hardcoded token and despatched to a non-public channel,” Zscaler mentioned. “The stolen recordsdata are uploaded as message attachments by way of Discord’s REST endpoint /channels/{id}/messages.”
