Malicious npm Packages Deploy NodeCordRAT to Target Cryptocurrency Enthusiasts

Unveiling NodeCordRAT: Malicious npm Packages Targeting Cryptocurrency Enthusiasts

Researchers at Zscaler ThreatLabz have identified three malicious npm packages that deploy a previously undocumented remote access trojan named NodeCordRAT. The packages were published under the alias wenmoonx and had been removed from the npm registry as of November 2025. The packages in question are:

– bitcoin-main-lib (2,300 downloads)
– bitcoin-lib-js (193 downloads)
– bip40 (970 downloads)

Two of the packages ship a `postinstall.cjs` script that npm runs automatically at install time; that script in turn installs the third package, `bip40`, which carries the NodeCordRAT payload. According to Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar, "This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities."

Understanding NodeCordRAT

The name NodeCordRAT reflects the malware's delivery through Node.js packages on npm and its use of Discord servers for command-and-control (C2) communications. The malware is built to extract sensitive information, including:

– Google Chrome credentials
– API tokens
– Seed phrases from cryptocurrency wallets like MetaMask

The threat actor chose package names that resemble legitimate packages from the bitcoinjs project, such as bitcoinjs-lib, bip32, and bip38, so that developers searching for those libraries would install the malicious look-alikes instead.

Technical Breakdown

Both bitcoin-main-lib and bitcoin-lib-js contain a `package.json` that registers `postinstall.cjs` as a post-installation lifecycle script. Because npm runs lifecycle scripts automatically, a plain `npm install` of either package is enough to execute the script, which then installs bip40, the package that houses the NodeCordRAT payload. No further action by the developer is required.
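The install-time hook is the step a defender can catch before the payload ever runs. The following is an added example (not code from the article or from Zscaler ThreatLabz) that audits npm manifests for lifecycle hooks that execute during installation and flags hooks that pull in further code, the pattern described above. The manifests in `SAMPLE_MANIFESTS` are constructed to mirror that structure and are not the real packages' files; the "fetches more code" regex is our own heuristic.

```javascript
// Added example, not from the article or the packages it describes.
// Audits package.json manifests for install-time lifecycle hooks.

// Hooks npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic (ours): a hook that installs or downloads more code matches the
// pattern the article describes (postinstall.cjs installing bip40).
const FETCHES_MORE_CODE = /\b(?:npm|pnpm|yarn)\s+(?:i|install|add)\b|\bnpx\b|\bcurl\b|\bwget\b/i;

// Returns one finding per install-time hook declared in a manifest object.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string" || command.trim() === "") continue;
    const reasons = [`declares a "${hook}" hook that runs on install`];
    if (FETCHES_MORE_CODE.test(command)) {
      reasons.push("hook installs or downloads additional code");
    }
    findings.push({ name: manifest.name, version: manifest.version, hook, command, reasons });
  }
  return findings;
}

// Audits a list of manifests; returns only the hooks worth reviewing.
function auditManifests(manifests) {
  return manifests.flatMap((m) => auditManifest(m));
}

// Walks a node_modules tree and loads every package.json it contains.
// Synchronous on purpose: this is a one-shot check for CI or a review.
function loadManifestsFromDir(root) {
  const fs = require("fs");
  const path = require("path");
  const manifests = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        walk(full);
      } else if (entry.name === "package.json") {
        try {
          manifests.push(JSON.parse(fs.readFileSync(full, "utf8")));
        } catch (err) {
          // Unparseable manifest: record it and keep going rather than abort.
          manifests.push({ name: full, version: "?", scripts: {}, parseError: String(err) });
        }
      }
    }
  };
  walk(root);
  return manifests;
}

// Constructed sample manifests (hypothetical contents modelled on the
// article's description; not the real packages' package.json files).
const SAMPLE_MANIFESTS = [
  { name: "bitcoin-main-lib", version: "1.0.0", scripts: { postinstall: "node postinstall.cjs" } },
  { name: "harmless-util", version: "2.3.1", scripts: { test: "node test.js", build: "tsc" } },
  { name: "fetches-more", version: "0.1.0", scripts: { preinstall: "npm install some-other-package" } },
];

// Usage: node audit-hooks.js [path/to/node_modules]; without a path, the
// constructed samples are audited.
if (typeof require !== "undefined" && require.main === module) {
  const manifests = process.argv[2] ? loadManifestsFromDir(process.argv[2]) : SAMPLE_MANIFESTS;
  for (const f of auditManifests(manifests)) {
    console.log(`${f.name}@${f.version}: ${f.hook} -> ${f.command}\n  ${f.reasons.join("; ")}`);
  }
}
```

The blanket mitigation is to stop npm from running hooks at all: `npm install --ignore-scripts`, or `ignore-scripts=true` in the project's `.npmrc`. The caveat is that some legitimate packages (native addons in particular) rely on an install hook to build, so after enabling the setting you run those build steps deliberately, for packages you have reviewed, rather than letting every dependency execute code on install.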

Once deployed, NodeCordRAT performs the following actions:

1. Host Fingerprinting: The malware collects system information to generate a unique identifier for the infected host, applicable across Windows, Linux, and macOS platforms.

2. Establishing C2 Communication: It connects to a hard-coded Discord server, creating a covert channel to receive and execute commands.

3. Command Execution: NodeCordRAT can process specific commands, including:

– `!run`: Executes arbitrary shell commands using Node.js' `child_process.exec`.

– `!screenshot`: Captures a full desktop screenshot and transmits the PNG file to the Discord channel.

– `!sendfile`: Uploads a specified file to the Discord channel.

The exfiltrated data is sent through Discord's API using a hard-coded bot token, directed to a private channel the attacker controls. Stolen files are uploaded as message attachments via Discord's REST endpoint `/channels/{id}/messages`.
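Hard-coded Discord C2 leaves recognisable strings in a package's source: the API host, a channel messages endpoint, a bot-token-shaped literal, a `Bot` authorization header, command prefixes such as `!run`, and a `child_process` import for executing them. The following added example (not code from the article or from Zscaler ThreatLabz) is a static triage that scores JavaScript source on those indicators. The regexes are our own heuristics; the token pattern matches the general shape of a Discord bot token and will miss obfuscated or runtime-assembled strings. `SAMPLE_SOURCE` is a constructed test input, not NodeCordRAT code, and the score threshold is ours.

```javascript
// Added example, not from the article or the malware it describes.
// Static triage for Discord-as-C2 indicators in JavaScript source.

const DISCORD_API = /discord(?:app)?\.com\/api/;
const CHANNEL_MESSAGES = /\/channels\/(\d{15,25})\/messages/g;
// Heuristic shape of a Discord bot token: id.timestamp.hmac (all base64url).
const TOKEN_LIKE = /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g;
const BOT_AUTH_HEADER = /["'`]Bot\s+["'`]/;
const COMMAND_STRING = /["'`](![A-Za-z]+)["'`]/g;
const CHILD_PROCESS = /require\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/;

// Deduplicates one capture group across a list of matchAll results.
function unique(matches, group) {
  return [...new Set(matches.map((m) => m[group]))];
}

// Scans one source file's text and returns the indicators it contains.
// Token-like strings are redacted to their first six characters so the
// report itself never carries a usable credential.
function findDiscordIndicators(source) {
  const result = {
    discordApi: DISCORD_API.test(source),
    channelEndpoints: unique([...source.matchAll(CHANNEL_MESSAGES)], 1),
    tokenLike: unique([...source.matchAll(TOKEN_LIKE)], 0).map((t) => t.slice(0, 6) + "..."),
    botAuthHeader: BOT_AUTH_HEADER.test(source),
    commandStrings: unique([...source.matchAll(COMMAND_STRING)], 1),
    childProcess: CHILD_PROCESS.test(source),
  };
  result.score = [
    result.discordApi,
    result.channelEndpoints.length > 0,
    result.tokenLike.length > 0,
    result.botAuthHeader,
    result.commandStrings.length > 0,
    result.childProcess,
  ].filter(Boolean).length;
  // Threshold is an assumption: three independent signals is a strong lead.
  result.verdict = result.score >= 3 ? "likely Discord C2, review by hand" : "no strong signal";
  return result;
}

// Constructed sample: strings only, does nothing, and is not NodeCordRAT.
// The token and channel id are made up to fit the regexes above.
const SAMPLE_SOURCE = [
  "// Constructed snippet for the scanner test: strings only, does nothing.",
  'const { exec } = require("child_process");',
  'const TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA.GaBcDe.abcdefghijklmnopqrstuvwxyz0";',
  'const URL = "https://discord.com/api/v10/channels/112233445566778899/messages";',
  'const headers = { Authorization: "Bot " + TOKEN };',
  'const commands = ["!run", "!screenshot", "!sendfile"];',
].join("\n");

// Usage: feed each .js/.cjs file from a package's tarball or node_modules
// directory to findDiscordIndicators; here it runs on the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findDiscordIndicators(SAMPLE_SOURCE), null, 2));
}
```

A hit on the token regex alone is not proof; legitimate Discord bots embed tokens too, and the scanner will miss a token assembled at runtime from fragments. The combination that matters for this campaign is a bot token plus a fixed channel endpoint plus command handling and `child_process`, in a package whose stated purpose (a Bitcoin library) has no reason to talk to Discord at all.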

Implications and Preventative Measures

The discovery of NodeCordRAT underscores the persistent threats within open-source ecosystems, particularly targeting the cryptocurrency sector. Developers and users are urged to exercise caution when integrating third-party packages. Best practices include:

– Vetting Packages: Check the exact package name against the project's official repository before installing (bitcoinjs-lib, not bitcoin-lib-js), and read the `package.json` for `preinstall`, `install`, and `postinstall` scripts, since those run without any further action on `npm install`.

– Monitoring Dependencies: Regularly audit project dependencies and lockfiles for unexpected new packages or version changes, and treat a dependency that appears only because another package's install script pulled it in as a red flag.

– Implementing Security Tools: Use tooling that inspects packages for install-time hooks and anomalous network behaviour, and consider disabling lifecycle scripts by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) so that unreviewed code cannot run during installation.

By adopting these measures, the risk of inadvertently introducing malicious code into development environments can be significantly reduced.