dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages

info@thehackernews.com (The Hacker News)
January 8, 2026
Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT. The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named “wenmoonx.” bitcoin-main-lib (2,300 Downloads) bitcoin-lib-js (193 Downloads) bip40 (970 Downloads) “The
Total
0
Shares
0
0
0
[[“value”:”

NodeCordRAT Hidden in npm

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT.

The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named “wenmoonx.”

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload,” Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar said. “This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities.”

NodeCordRAT gets its name from the use of npm as a propagation vector and Discord servers for command-and-control (C2) communications. The malware is equipped to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask.

Cybersecurity

According to the cybersecurity company, the threat actor behind the campaign is assessed to have named the packages after real repositories found within the legitimate bitcoinjs project, such as bitcoinjs-lib, bip32, bip38, and bip38.

Both “bitcoin-main-lib” and “bitcoin-lib-js” include a “package.json” file that features “postinstall.cjs” as a postinstall script, leading to the execution of “bip40” that contains the NodeCordRAT payload.

The malware, besides fingerprinting the infected host to generate a unique identifier across Windows, Linux, and macOS systems, leverages a hard-coded Discord server to open a covert communication channel to receive instructions and execute them –

  • !run, to execute arbitrary shell commands using Node.js’ exec function
  • !screenshot, to take a full desktop screenshot and exfiltrate the PNG file to the Discord channel
  • !sendfile, to upload a specified file to the Discord channel

“This data is exfiltrated using Discord’s API with a hardcoded token and sent to a private channel,” Zscaler said. “The stolen files are uploaded as message attachments via Discord’s REST endpoint /channels/id/messages.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

OpenAI Launches ChatGPT Health with Isolated, Encrypted Health Data Controls

January 8, 2026
Next Post

Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

January 8, 2026
Related Posts
3 min

New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions

Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures. The security defects "allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags," Oligo Security said in
info@thehackernews.com (The Hacker News)
November 24, 2025
Read More
5 min

Passwd: A walkthrough of the Google Workspace Password Manager

Passwd is designed specifically for organizations operating within Google Workspace. Rather than competing as a general consumer password manager, its purpose is narrow, and business-focused: secure credential storage, controlled sharing, and seamless Workspace integration. The platform emphasizes practicality over feature overload, aiming to provide a reliable system for teams that already rely
info@thehackernews.com (The Hacker News)
December 23, 2025
Read More
3 min

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical
info@thehackernews.com (The Hacker News)
December 29, 2025
Read More