Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages

Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages

Posted on By CWS

Jan 08, 2026Ravie LakshmananMalware / Cloud Safety
Cybersecurity researchers have found three malicious npm packages which can be designed to ship a beforehand undocumented malware referred to as NodeCordRAT.
The names of the packages, all of which have been taken down as of November 2025, are listed beneath. They have been uploaded by a person named “wenmoonx.”

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script throughout set up, which installs bip40, the package deal that comprises the malicious payload,” Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar mentioned. “This remaining payload, named NodeCordRAT by ThreatLabz, is a distant entry trojan (RAT) with data-stealing capabilities.”
NodeCordRAT will get its title from using npm as a propagation vector and Discord servers for command-and-control (C2) communications. The malware is supplied to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask.

In accordance with the cybersecurity firm, the risk actor behind the marketing campaign is assessed to have named the packages after actual repositories discovered inside the legit bitcoinjs mission, equivalent to bitcoinjs-lib, bip32, bip38, and bip38.
Each “bitcoin-main-lib” and “bitcoin-lib-js” embrace a “package deal.json” file that options “postinstall.cjs” as a postinstall script, resulting in the execution of “bip40” that comprises the NodeCordRAT payload.

The malware, apart from fingerprinting the contaminated host to generate a singular identifier throughout Home windows, Linux, and macOS programs, leverages a hard-coded Discord server to open a covert communication channel to obtain directions and execute them –

!run, to execute arbitrary shell instructions utilizing Node.js’ exec operate
!screenshot, to take a full desktop screenshot and exfiltrate the PNG file to the Discord channel
!sendfile, to add a specified file to the Discord channel

“This information is exfiltrated utilizing Discord’s API with a hardcoded token and despatched to a non-public channel,” Zscaler mentioned. “The stolen recordsdata are uploaded as message attachments by way of Discord’s REST endpoint /channels/{id}/messages.”

The Hacker News Tags:, , , , , ,

Related Posts

INTERPOL’s Cybercrime Crackdown Nets 651 Arrests in Africa INTERPOL’s Cybercrime Crackdown Nets 651 Arrests in Africa The Hacker News
Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users The Hacker News
India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse The Hacker News
Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads The Hacker News
Securing Data in the AI Era Securing Data in the AI Era The Hacker News
Think Your IdP or CASB Covers Shadow IT? These 5 Risks Prove Otherwise Think Your IdP or CASB Covers Shadow IT? These 5 Risks Prove Otherwise The Hacker News