NodeCordRAT delivered through malicious npm packages
Malware Activity
Summary
Three malicious npm packages delivered NodeCordRAT, exposing Windows, Linux, and macOS systems to credential theft, seed-phrase theft, and file exfiltration. The malware used Discord as command-and-control and ran shell commands while stealing Google Chrome credentials and API tokens. The packages were removed by November 2025 after the delivery chain was uncovered.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Axios JavaScript NPM package hit by network compromise
Incident
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
**Axios** suffered a **supply-chain compromise** after malicious versions were published to **NPM**, creating a high-risk exposure for developers and downstream consumers. The mal...
Latest development: 13.04.2026 20:39
OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.
Axios package cross-platform RAT delivery
Malware Activity
First: 31.03.2026 16:53
Last: 31.03.2026 16:53
Sources 1
About this happening:
A **malicious Axios package payload** now delivers a **remote access trojan** to **Windows, macOS, and Linux** hosts, creating cross-platform compromise risk. The infection begins...
Timeline
08.01.2026 12:31 2 articles · 4mo ago
NodeCordRAT delivered through malicious npm packages
Technical Analysis Update
Cybersecurity researchers uncovered three malicious npm packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, that deliver the previously undocumented NodeCordRAT remote access trojan. The infection chain runs postinstall.cjs during package installation, then uses Discord for command-and-control and file exfiltration, receiving instructions that can execute shell commands, take screenshots, and upload files. The malware is designed to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets such as MetaMask; the packages had been taken down as of November 2025.
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31