NodeCordRAT Malware Delivered via Bitcoin-Themed npm Packages
Summary
Researchers discovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that delivered a previously undocumented remote access trojan (RAT) named NodeCordRAT. The packages, uploaded by a user named "wenmoonx," were designed to steal Google Chrome credentials, API tokens, and cryptocurrency wallet seed phrases. NodeCordRAT uses Discord servers for command-and-control (C2) communications and can execute arbitrary shell commands, take screenshots, and exfiltrate files. The packages were taken down in November 2025.
Timeline
- 08.01.2026 12:31 · 1 article
NodeCordRAT Malware Discovered in Bitcoin-Themed npm Packages
Researchers uncovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that delivered a previously undocumented remote access trojan (RAT) named NodeCordRAT. The packages were taken down in November 2025. NodeCordRAT uses Discord for command-and-control (C2) communications and is capable of stealing sensitive data from infected systems.
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
Information Snippets
- The malicious npm packages—bitcoin-main-lib (2,300 downloads), bitcoin-lib-js (193 downloads), and bip40 (970 downloads)—were uploaded by a user named "wenmoonx."
First reported: 08.01.2026 12:31 · 1 source, 1 article
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
- The packages executed a postinstall.cjs script during installation, which installed bip40 containing the NodeCordRAT payload.
First reported: 08.01.2026 12:31 · 1 source, 1 article
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
- NodeCordRAT is a remote access trojan (RAT) with data-stealing capabilities, targeting Google Chrome credentials, API tokens, and cryptocurrency wallet seed phrases.
First reported: 08.01.2026 12:31 · 1 source, 1 article
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
- The malware uses Discord servers for command-and-control (C2) communications and can execute arbitrary shell commands, take screenshots, and exfiltrate files.
First reported: 08.01.2026 12:31 · 1 source, 1 article
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
- The threat actor named the packages after real repositories within the legitimate bitcoinjs project.
First reported: 08.01.2026 12:31 · 1 source, 1 article
Sources:
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31
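
A defender-side check for the install-time behaviour described in the snippets above, as an added example that is not from the original report: it scans the `packages` map of an npm lockfile for the three package names given on this page and lists any other dependency that declares an install script. The sample lockfile, its versions, and the names example-app, example-utils, example-native-addon and btc-helper are constructed for illustration.

```javascript
// Package names reported on this page.
const REPORTED = new Set(["bitcoin-main-lib", "bitcoin-lib-js", "bip40"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // "name" is only recorded when it differs from the folder name (aliases).
    const name = meta.name || packageName(path);
    if (REPORTED.has(name)) {
      findings.push({ severity: "critical", name, path, reason: "name reported as malicious" });
    } else if (meta.hasInstallScript) {
      findings.push({ severity: "review", name, path, reason: "runs a lifecycle script at install time" });
    }
  }
  // "critical" sorts before "review"; the sort is stable within each group.
  return findings.sort((a, b) => a.severity.localeCompare(b.severity));
}

// Constructed sample lockfile; versions and the benign names are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-utils": { version: "0.0.0-example" },
    "node_modules/example-native-addon": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/bitcoin-main-lib": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/bitcoin-main-lib/node_modules/bip40": { version: "0.0.0-example" },
    "node_modules/btc-helper": { name: "bitcoin-lib-js", version: "0.0.0-example" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.name} at ${f.path}: ${f.reason}`);
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as postinstall from running at install time.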