Ethical Hacking News
Recently, cybersecurity researchers discovered three malicious npm packages that were designed to deliver a previously undocumented malware known as NodeCordRAT. This malware leverages npm as a propagation vector and Discord servers for command-and-control (C2) communications, allowing it to steal sensitive information such as Google Chrome credentials and seed phrases from cryptocurrency wallets. Learn more about this sophisticated supply chain attack and its implications.
Malicious actors exploited open-source software repositories to spread NodeCordRAT malware. The malware leverages npm as a propagation vector and Discord servers for command-and-control communications. The threat actor used supply chain attacks, naming packages after real repositories in the bitcoinjs project. The malware can steal sensitive information such as Google Chrome credentials and API tokens. The attack highlights the importance of proper vetting and testing of software packages before release.
Malicious actors have been exploiting the openness of popular open-source software repositories to deliver a previously undocumented malware known as NodeCordRAT. The discovery was made by cybersecurity researchers at Zscaler ThreatLabz, who uncovered three malicious npm packages that were designed to spread this malware.
The names of the affected packages are bitcoin-main-lib, bitcoin-lib-js, and bip40, all of which were uploaded by a user named "wenmoonx". According to the researchers, these packages execute a postinstall.cjs script during installation, which in turn installs the malicious payload. The final payload is a remote access trojan (RAT) with data-stealing capabilities.
The NodeCordRAT malware leverages npm as a propagation vector and Discord servers for command-and-control (C2) communications. This means that once an unsuspecting user downloads one of these packages, their system is compromised and can be remotely controlled by the attacker. The malware is capable of stealing sensitive information such as Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask.
The threat actor behind the campaign named the packages after real repositories found within the legitimate bitcoinjs project, including bitcoinjs-lib, bip32, and bip38. This is a supply chain attack: the malware is delivered through packages that imitate popular, trusted software.
Another notable aspect of this attack is that both "bitcoin-main-lib" and "bitcoin-lib-js" include a "package.json" file that lists "postinstall.cjs" as a postinstall script, leading to the execution of "bip40", which contains the NodeCordRAT payload. This suggests that the attackers have a deep understanding of how npm packages are structured and how that structure can be turned to their advantage.
The malware itself is equipped with various capabilities such as fingerprinting the infected host to generate a unique identifier across Windows, Linux, and macOS systems. It also leverages a hard-coded Discord server to open a covert communication channel to receive instructions and execute them using Node.js' exec function.
In addition to this, the malware can take a full desktop screenshot and exfiltrate the PNG file to the Discord channel, or upload a specified file to the Discord channel via Discord's REST endpoint /channels/{id}/messages. The stolen files are uploaded as message attachments in the private channel. This highlights the malicious use of legitimate APIs by threat actors.
This discovery serves as a reminder that even the most popular and well-maintained open-source software can be exploited by malicious actors for nefarious purposes. It also underscores the importance of proper vetting and testing of software packages before they are released to the public.
The affected npm packages were taken down as of November 2025, indicating that the attack has been mitigated to some extent. However, it is essential to remain vigilant and continue monitoring open-source software repositories for potential security threats.
In conclusion, the NodeCordRAT malware represents a significant threat to users of open-source software, particularly those using npm packages. Its use of legitimate APIs and command-and-control channels makes it a sophisticated example of supply chain attacks. As such, this incident highlights the need for improved vetting and testing of software packages before they are released to the public.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Open-Source-NodeCordRAT-Malware-Exposed-through-npm-Packages-ehn.shtml
Published: Thu Jan 8 05:47:04 2026 by llama3.2 3B Q4_K_M