Cybersecurity researchers have uncovered a previously undocumented malware family called NodeCordRAT that was hidden inside malicious Bitcoin-themed packages in the npm registry. These packages, which mimicked legitimate open-source libraries, were downloaded thousands of times before being removed in late 2025 — exposing developers and systems to a powerful Remote Access Trojan (RAT) capable of stealing credentials, cryptocurrency keys, API tokens, and more.

The discovery highlights the ongoing danger of software supply chain attacks — where attackers insert malicious code into commonly used code repositories or packages — and underscores how threat actors are increasingly using trusted collaboration platforms like Discord for stealthy command and control (C2) and data exfiltration.

A New Malware Family Emerges in the npm Ecosystem

In November 2025, security analysts at Zscaler ThreatLabz discovered three npm packages — bitcoin-main-lib, bitcoin-lib-js, and bip40 — that had been uploaded to the npm JavaScript registry by a user with the username “wenmoonx”. These packages were designed to appear harmless at a glance, with names that closely resembled legitimate Bitcoin-related libraries used by developers building cryptocurrency applications. This naming choice is intentional: attackers are leveraging something akin to typosquatting — deceptively similar names — that lure developers into inadvertently installing malicious code.

The npm ecosystem is central to modern JavaScript and Node.js development, and packages published there can be installed with a single command by anyone building apps or tools. When developers install a package with a malicious post-install script defined in its package.json, it can execute code locally on the developer’s machine — without clear warnings or obvious red flags. It was precisely this mechanism that delivered NodeCordRAT.

How NodeCordRAT Infects Systems

The infection process for NodeCordRAT is clever and layered:

1. Malicious npm Package Structure

The two entry-point packages — bitcoin-main-lib and bitcoin-lib-js — contain a crafted postinstall.cjs script. This script is automatically executed by npm after the package is installed. The script, in turn, installs the bip40 package — the only one that actually contains the malicious payload.

This sort of delivery chain — where a seemingly innocent package chains into another dependency — makes detection harder because the final malicious code isn’t present until after installation completes. It also disguises the threat as a legitimate development dependency.

2. NodeCordRAT Deployment

Once bip40 runs, it executes the NodeCordRAT malware. The malware is a fully featured Remote Access Trojan (RAT) that:

- Executes arbitrary shell commands on the infected system
- Captures full screenshots
- Uploads specified files back to attackers
- Exfiltrates stolen data through Discord’s infrastructure

These capabilities are invoked through simple text-based commands that NodeCordRAT’s operator can send via the Discord platform — making Discord act as the malware’s command-and-control channel.

Discord as Command & Control: The Clever Twist

NodeCordRAT doesn’t use a traditional C2 server that must be hosted on malicious infrastructure and constantly updated; instead, it abuses Discord — a popular collaboration platform — as a covert control channel. Here’s how it works:

- The malware contains a hard-coded Discord token and server IDs. This token authenticates it to a private Discord server controlled by the attacker.
- Commands sent to the Discord channel are parsed by the malware, which then executes them locally.
- Exfiltrated data — such as screenshots or sensitive files — is sent back through Discord’s REST API (/channels/{id}/messages) as attachments.

Using Discord this way has several benefits for attackers:

- It looks like legitimate traffic to many network defenses.
- Discord uses HTTPS, making it hard to distinguish benign chats from malicious payload traffic.
- The malware’s network communication blends into a platform already widely trusted and used by developers.

This approach is becoming more common in malware design because cloud-based platforms and collaboration tools offer camouflage and resilience against simple blocking or takedowns.

Cross-Platform Targeting and Malware Capabilities

NodeCordRAT is designed to run across multiple operating systems — including Windows, macOS, and Linux — because it is built on Node.js, a cross-platform runtime that npm supports natively. Once NodeCordRAT executes on an infected system, it fingerprints the host and generates a unique identifier. This allows the malware to track infections across diverse environments and maintain persistent control from the attacker’s Discord channel.

Data Theft Capabilities

The malware’s primary objective is data theft and remote manipulation. Specifically, it can:

- Steal Google Chrome credentials (login information stored in the browser).
- Collect API tokens — potentially exposing access keys for cloud services or developer tools.
- Harvest seed phrases and secret keys from popular cryptocurrency wallets such as MetaMask.

These abilities pose severe privacy and financial risks, especially for developers, cryptocurrency users, or anyone storing sensitive authentication material on their machines.

Why This Threat Matters: Supply Chain Risks

This NodeCordRAT campaign underscores the critical threat posed by software supply chain attacks, where attackers compromise tools that developers trust and build upon. Supply chain security has been a top cybersecurity concern for years, and this incident demonstrates just how low-friction such attacks can be when malicious code reaches a widely used registry. Package registries like npm, PyPI, and others are among the most common targets because they provide developers around the world with open-source building blocks.
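The delivery chain described above (a lifecycle script that npm runs at install time and that pulls in the package carrying the payload) and the look-alike naming of the three packages are both things a team can check before a dependency is ever installed. The following JavaScript is an added example written for this page; it is not code from the original article, from Zscaler, or from the malicious packages. The manifest it audits is a constructed stand-in modelled on the article's description (a postinstall hook pointing at a .cjs file and a dependency named bip40), the list of legitimate library names is an assumption, and the suspicious-fragment list and similarity thresholds are heuristics chosen for the example.

```javascript
// Added example for this page (not code from the article, Zscaler, or the
// malicious packages): a pre-install audit of an npm manifest. It flags the two
// things the campaign relied on: lifecycle scripts that npm runs automatically
// on install, and package names that look like well-known libraries.

// Scripts npm executes without asking during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Fragments that are unusual in an honest build step (heuristic, assumption).
const SUSPICIOUS_FRAGMENTS = ["npm install", "npm i ", "npx ", "curl ", "wget ", "node -e", ".cjs"];

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Split a package name into word tokens; a trailing "js" becomes its own token
// so that "bitcoinjs-lib" and "bitcoin-lib-js" share the same token set.
function tokens(name) {
  const out = new Set();
  for (const t of name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean)) {
    if (t.length > 2 && t.endsWith("js")) { out.add(t.slice(0, -2)); out.add("js"); }
    else out.add(t);
  }
  return out;
}

function jaccard(a, b) {
  let inter = 0;
  for (const t of a) if (b.has(t)) inter++;
  return inter / (a.size + b.size - inter);
}

// Returns the known library a name resembles, or null for exact or unrelated names.
function lookalikeOf(name, knownNames) {
  if (knownNames.includes(name)) return null; // the genuine package itself
  const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, "");
  for (const known of knownNames) {
    if (levenshtein(norm(name), norm(known)) <= 2) return known;   // bip40 ~ bip39
    if (jaccard(tokens(name), tokens(known)) >= 0.5) return known; // reordered or added words
  }
  return null;
}

// Audit one parsed package.json against a list of libraries it might impersonate.
function auditPackage(pkg, knownNames) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const hits = SUSPICIOUS_FRAGMENTS.filter((f) => scripts[hook].includes(f));
    findings.push({
      kind: "lifecycle-script",
      severity: hits.length ? "high" : "medium",
      detail: `${hook}: "${scripts[hook]}"` + (hits.length ? ` (contains ${hits.join(", ")})` : ""),
    });
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  for (const name of [pkg.name, ...Object.keys(deps)]) {
    const target = name && lookalikeOf(name, knownNames);
    if (target) findings.push({ kind: "lookalike-name", severity: "high", detail: `${name} resembles ${target}` });
  }
  return findings;
}

// Constructed sample manifest modelled on the article's description; the real
// packages' contents are not reproduced here.
const SAMPLE_MANIFEST = {
  name: "bitcoin-main-lib",
  version: "1.0.0",
  scripts: { postinstall: "node postinstall.cjs" },
  dependencies: { bip40: "^1.0.0" },
};
// Legitimate names the look-alike check compares against (assumption).
const KNOWN_LIBS = ["bitcoinjs-lib", "bip39", "bip32"];

console.log(auditPackage(SAMPLE_MANIFEST, KNOWN_LIBS));
```

Run against the sample manifest, the audit reports three findings: the postinstall hook (high, because it executes a .cjs file), the package's own name as a look-alike of bitcoinjs-lib, and bip40 as a look-alike of bip39. A manifest that depends on the genuine bitcoinjs-lib and has no lifecycle scripts produces none. The same check can be run in CI over every package.json in node_modules after `npm install --ignore-scripts`, so that scripts are reviewed before they are ever allowed to run.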
Attackers can simply upload a malicious package, wait for downloads, and then trigger an infection chain whenever someone installs it. Complicating matters further is the ease with which attackers can use names closely resembling trusted libraries, increasing the likelihood that even experienced developers might install them by mistake. This technique is similar to typosquatting but aimed specifically at confusing dependency resolution.

Detection and Mitigation Strategies

While npm has removed the three malicious packages from its registry, the threat persists as attackers could upload similar packages in the future. Here are key strategies for mitigating such risks:

1. Vet Dependencies Carefully

Developers should always verify package names and authorship before installing new dependencies — especially for packages that claim to be related to well-known ecosystems like BitcoinJS. Cross-referencing package metadata with official documentation and GitHub repositories can help detect anomalies.

2. Monitor Post-Install Scripts

Security teams should pay careful attention to post-install scripts defined in package.json files, since these can run arbitrary code on installation and are a common vector for supply chain malware.

3. Use Dependency Scanning Tools

Automated tools that scan for known malicious packages and unusual script behavior can alert developers before harmful code reaches production. Dependency vulnerability scanners and Software Bill of Materials (SBOM) tools are crucial in development pipelines.

4. Network Monitoring for Anomalies

Given NodeCordRAT’s use of Discord’s API for C2, network defenses should be tuned to detect unusual traffic to and from Discord endpoints that do not align with expected usage patterns in corporate settings.

Wider Context: Open-Source Security and Cryptomarket Risks

This incident isn’t isolated.
The npm ecosystem has faced numerous supply chain attacks, including prior campaigns where malicious packages were used to deliver malware or steal credentials across multiple platforms. These events highlight a persistent cybersecurity challenge in open-source communities — one that is exacerbated by the sheer number of packages and contributors.

The fact that NodeCordRAT specifically targets cryptocurrency wallet seed phrases and browser credentials adds a financial dimension to the threat, as stolen keys can be used directly for theft from victims’ digital assets.

Conclusion: A Clear Supply Chain Warning

The discovery of NodeCordRAT hidden in malicious npm packages serves as a powerful reminder that software supply chain security is non-negotiable in today’s digital ecosystem. Even widely adopted package registries can be abused to replace trusted components with malware distributors, putting developers, enterprises, and end users at risk.

Ensuring robust dependency vetting, leveraging automated scanning tools, monitoring runtime network behavior, and educating development teams about supply chain threats are essential defensive measures to guard against similar attacks in the future. As attackers innovate with cross-platform malware like NodeCordRAT and leverage popular platforms such as Discord for covert control, the cybersecurity community will need to keep pace with ever more sophisticated supply chain attacks.
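As a closing worked example for the network-monitoring strategy described above, the following JavaScript runs a simple detection over proxy log lines. It is added for this page and is not code from the original article or from Zscaler. It keys on the one Discord REST endpoint the article names, /channels/{id}/messages: an upload (POST) to that endpoint by a process that is not the Discord client is treated as possible exfiltration, and repeated reads of the same channel by such a process as possible command polling. The log format, the host and process names, the channel IDs, the thresholds, and the assumption that the malware reads its commands over that same REST endpoint are all constructed for the example.

```javascript
// Added example for this page (not code from the article or from Zscaler):
// flag Discord REST traffic that looks like C2 rather than chat. Log format,
// hosts, process names, channel IDs and thresholds are all assumptions.

// The endpoint the article names: /channels/{id}/messages, any API version.
const C2_ENDPOINT = /^https:\/\/(?:[a-z]+\.)?discord(?:app)?\.com\/api\/v\d+\/channels\/(\d+)\/messages(?:[\/?]|$)/i;

const DEFAULT_POLICY = {
  allowedProcesses: ["Discord.exe", "Discord", "discord"], // the official client
  pollThreshold: 4,  // this many reads of one channel ...
  windowMs: 60000,   // ... inside this window is treated as command polling
};

// Parse one `key=value key="quoted value"` log line into an object.
function parseLine(line) {
  const rec = {};
  for (const m of line.matchAll(/(\w+)=(?:"([^"]*)"|(\S+))/g)) rec[m[1]] = m[2] ?? m[3];
  return rec;
}

function detectDiscordC2(lines, policy = DEFAULT_POLICY) {
  const alerts = [];
  const reads = new Map(); // "host|proc|channel" -> timestamps of recent reads
  for (const line of lines) {
    const r = parseLine(line);
    const m = C2_ENDPOINT.exec(r.url || "");
    if (!m || policy.allowedProcesses.includes(r.proc)) continue;
    const channel = m[1];
    if (r.method === "POST") {
      // An upload to a channel by a non-client process: possible exfiltration.
      alerts.push({ severity: "high", host: r.host, proc: r.proc, channel,
        reason: `POST to channel ${channel} by ${r.proc} (${r.bytes_out ?? "?"} bytes out)` });
      continue;
    }
    // Repeated reads of the same channel by a non-client process: possible command polling.
    const key = `${r.host}|${r.proc}|${channel}`;
    const t = Date.parse(r.ts);
    const recent = (reads.get(key) || []).filter((x) => t - x <= policy.windowMs);
    recent.push(t);
    reads.set(key, recent);
    if (recent.length === policy.pollThreshold) {
      alerts.push({ severity: "medium", host: r.host, proc: r.proc, channel,
        reason: `${recent.length} reads of channel ${channel} by ${r.proc} within ${policy.windowMs / 1000}s` });
    }
  }
  return alerts;
}

// Constructed sample log lines (not real telemetry): one legitimate client
// post, a node process polling a channel every few seconds, then uploading.
const SAMPLE_LOG = [
  "ts=2025-11-14T10:02:11Z host=pc-01 proc=Discord.exe method=POST url=https://discord.com/api/v10/channels/100000000000000001/messages status=200 bytes_out=1320",
  "ts=2025-11-14T10:02:14Z host=dev-07 proc=node method=GET url=https://discord.com/api/v10/channels/100000000000000002/messages?limit=1 status=200 bytes_out=210",
  "ts=2025-11-14T10:02:19Z host=dev-07 proc=node method=GET url=https://discord.com/api/v10/channels/100000000000000002/messages?limit=1 status=200 bytes_out=210",
  "ts=2025-11-14T10:02:24Z host=dev-07 proc=node method=GET url=https://discord.com/api/v10/channels/100000000000000002/messages?limit=1 status=200 bytes_out=210",
  "ts=2025-11-14T10:02:29Z host=dev-07 proc=node method=GET url=https://discord.com/api/v10/channels/100000000000000002/messages?limit=1 status=200 bytes_out=210",
  "ts=2025-11-14T10:02:35Z host=dev-07 proc=node method=POST url=https://discord.com/api/v10/channels/100000000000000002/messages status=200 bytes_out=389120",
  "ts=2025-11-14T10:02:40Z host=dev-07 proc=node method=GET url=https://discord.com/api/v10/users/@me status=200 bytes_out=95",
];

console.log(detectDiscordC2(SAMPLE_LOG));
```

On the sample log the detector raises two alerts for host dev-07: a medium one when the node process reads the same channel for the fourth time inside a minute, and a high one for its subsequent upload. The Discord.exe post is ignored because the official client is on the allow list, and the users/@me request is ignored because it is not the messages endpoint. In an environment where Discord is not sanctioned at all, the allow list can simply be emptied so that every hit on the endpoint alerts.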