Find notable cyber news and cases, enriched with sources, timelines, and signals.

NodeCordRAT delivered through malicious npm packages

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Three malicious npm packages delivered NodeCordRAT, exposing Windows, Linux, and macOS systems to credential theft, seed-phrase theft, and file exfiltration. The malware used Discord as command-and-control and ran shell commands while stealing Google Chrome credentials and API tokens. The packages were removed by November 2025 after the delivery chain was uncovered.

Related Happenings

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 08.01.2026 12:31 2 articles · 6mo ago

    NodeCordRAT delivered through malicious npm packages

    Technical Analysis Update

    Cybersecurity researchers uncovered three malicious npm packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, that deliver the previously undocumented NodeCordRAT remote access trojan. The package chain uses postinstall.cjs during installation, then relies on Discord for command-and-control, file exfiltration, and instructions that can execute shell commands, take screenshots, and upload files. The malware is designed to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask, and the packages were taken down as of November 2025.

    Show sources