NodeCordRAT delivered through malicious npm packages
Malware Activity
Summary
Hide ▲
Show ▼
Three malicious npm packages delivered NodeCordRAT, exposing Windows, Linux, and macOS systems to credential theft, seed-phrase theft, and file exfiltration. The malware used Discord as command-and-control and ran shell commands while stealing Google Chrome credentials and API tokens. The packages were removed by November 2025 after the delivery chain was uncovered.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Timeline
-
08.01.2026 12:31 2 articles · 6mo ago
NodeCordRAT delivered through malicious npm packages
Technical Analysis UpdateCybersecurity researchers uncovered three malicious npm packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, that deliver the previously undocumented NodeCordRAT remote access trojan. The package chain uses postinstall.cjs during installation, then relies on Discord for command-and-control, file exfiltration, and instructions that can execute shell commands, take screenshots, and upload files. The malware is designed to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask, and the packages were taken down as of November 2025.
Show sources
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31