Cybersecurity researchers have uncovered three malicious npm (Node Package Manager) packages linked to a new remote access trojan named NodeCordRAT. The packages named in the report, “bitcoin-main-lib” and “bitcoin-lib-js,” were published by a user known as “wenmoonx” and were removed from the registry in November 2025.
Upon installation, these packages execute a script called postinstall.cjs, which in turn installs a package named bip40. That package carries the actual payload: a remote access trojan (RAT) that steals sensitive information from infected systems. According to researchers from Zscaler ThreatLabz, NodeCordRAT is particularly dangerous because it can extract credentials from Google Chrome, API tokens, and seed phrases from cryptocurrency wallets, including popular ones such as MetaMask.
The names of these malicious packages mirror legitimate repositories in the well-known bitcoinjs project, including bitcoinjs-lib and the various bip packages. The lookalike names may serve to deceive unsuspecting developers into installing the malicious software in place of the legitimate libraries.
Technical analysis shows that both “bitcoin-main-lib” and “bitcoin-lib-js” ship a package.json file whose postinstall script launches the NodeCordRAT payload. Once running, the malware generates a unique identifier that fingerprints the infected host, and it is built to run on Windows, Linux, and macOS.
NodeCordRAT maintains communication with its command-and-control (C2) server through a hard-coded Discord server, enabling it to receive and execute remote instructions. The malware can execute commands such as:
- !run: to run arbitrary shell commands via Node.js’ exec function,
- !screenshot: to capture a full desktop screenshot and send the resulting PNG file to the designated Discord channel, and
- !sendfile: to upload specific files to the same channel.
Exfiltration of stolen data goes through Discord’s API using a hard-coded access token that lets the malware post to private channels. Stolen files are uploaded as message attachments via Discord’s REST endpoint, giving the operator a covert channel that blends in with ordinary Discord traffic.
The discovery of NodeCordRAT highlights the ongoing risk posed by open-source software registries such as npm. Developers and organizations are urged to exercise vigilance when integrating third-party packages and to regularly audit their codebases and dependencies for any suspicious activity.

