NodeCordRAT: The Malicious NPM Packages Stealing Crypto via Discord
- Jan 9
Key Findings
Researchers from Zscaler ThreatLabz discovered three malicious npm packages that deliver a new Remote Access Trojan (RAT) called NodeCordRAT.
The packages - bitcoin-main-lib, bitcoin-lib-js, and bip40 - were designed to mimic legitimate tools from the bitcoinjs project, tricking developers into installing them.
NodeCordRAT uses Discord as a command-and-control (C2) channel, blending its malicious traffic with legitimate user activity to evade detection.
The malware targets sensitive data, including Chrome credentials, crypto wallet details (like MetaMask seed phrases), and environment variables containing API secrets.
Stolen data is uploaded to a private Discord channel controlled by the attackers, who can then issue further commands to the infected machines.
Background
In November 2025, Zscaler ThreatLabz researchers uncovered a supply chain attack targeting developers in the cryptocurrency space. The attack centered around three malicious npm packages that were designed to deliver a previously undocumented malware called NodeCordRAT.
The packages, uploaded by a user named "wenmoonx," were named to closely resemble legitimate tools from the popular bitcoinjs project, likely to trick developers into installing them:
bitcoin-main-lib (2,286 downloads)
bitcoin-lib-js (183 downloads)
bip40 (958 downloads)
(Figure: Package Data Summary)
Upon further investigation, the researchers found that the first two packages (bitcoin-main-lib and bitcoin-lib-js) did not carry the payload themselves: each contained a postinstall script that pulled in the third package, bip40, which held the actual NodeCordRAT code.
Splitting the chain this way means a developer who inspects the package they chose to install sees little of note, while the malicious code arrives transitively and runs automatically through npm's lifecycle hooks. That is most likely the point of the multi-stage design: to slip past cursory review and automated scanning of the top-level package, and to make the full chain harder to reconstruct.
Malware Analysis
The malware, dubbed NodeCordRAT, is a Remote Access Trojan (RAT) that uses Discord as its command-and-control (C2) channel. Because the C2 traffic is ordinary HTTPS to Discord's own API endpoints, it looks like any other Discord client on the network, so domain reputation and simple egress blocklists will not flag it without also blocking legitimate Discord use.
Once installed, NodeCordRAT goes on a data-stealing spree, targeting:
Chrome credentials (login data, autofill information)
Cryptocurrency wallet details, particularly MetaMask seed phrases and private keys
Sensitive environment variables and API secrets stored in .env files
The stolen data is then uploaded as file attachments to a private Discord channel controlled by the attackers. The malware even sends error messages back to the channel if a file transfer fails, providing the operators with useful feedback.
Attacker Techniques
What makes this attack notable is the use of Discord as a C2 channel. Rather than setting up a dedicated server, the attackers leverage Discord's own platform and APIs to send commands and receive stolen data.
The malware responds to various shorthand commands, such as:
`!run`: Allows for remote shell command execution
`!screenshot`: Captures a screenshot of the infected machine's desktop
`!sendfile`: Uploads any file from the user's system to the Discord channel
This gives the attackers a high degree of control over the infected machines, allowing them to further expand the scope of the attack.
Conclusion
While the malicious npm packages have been removed from the registry, the damage may already be done for the roughly 3,400 developers whose downloads are reflected in the counts above. If you work in the cryptocurrency or software development sectors, check your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and any CI caches for bitcoin-main-lib, bitcoin-lib-js and bip40. If any of them was installed, treat the browser credentials, wallet material and .env secrets on that machine as exposed: rotate the API keys and move funds out of any wallet whose seed phrase was present.
Developers are urged to rigorously verify the authenticity of all libraries and dependencies included in their projects, especially those dealing with sensitive financial operations, and to install with lifecycle scripts disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) so that a postinstall hook cannot run code before anyone has looked at it. Supply chain attacks like this one are becoming increasingly common, and vigilance is essential to protect against such threats.
Sources
https://hackread.com/discord-nodecordrat-steal-chrome-data-npm-packages/
https://securityonline.info/nodecordrat-the-trojan-hiding-in-npm-to-steal-crypto-via-discord/
https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html
https://x.com/HackRead/status/2009302079659974928
https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat
https://www.reddit.com/r/pwnhub/comments/1q7it2w/nodecordrat_malware_discovered_in_npm_bitcoin/