Cybersecurity researchers recently identified three malicious npm packages uploaded by a user named wenmoonx that were designed to distribute a new remote access trojan dubbed NodeCordRAT. These packages, which mimicked legitimate cryptocurrency libraries to trick developers, utilize Discord servers for command-and-control operations and can steal sensitive data including crypto wallet seed phrases and browser credentials.
Security analysts at Zscaler ThreatLabz uncovered a campaign involving the npm packages bitcoin-main-lib, bitcoin-lib-js, and bip40, which collectively garnered over three thousand downloads before being removed in late 2025. The attack chain begins when a user installs the first two libraries, triggering a post-installation script that automatically pulls in the third package containing the primary malicious payload. By naming these files similarly to popular repositories like bitcoinjs-lib, the threat actor successfully employed a typosquatting-style tactic to deceive developers looking for standard cryptocurrency tools.
The final stage of the infection delivers NodeCordRAT, a cross-platform malware capable of targeting Windows, Linux, and macOS systems. Once a host is infected, the malware fingerprints the machine to create a unique identifier and establishes a covert communication channel through a hard-coded Discord server. This specialized trojan is particularly dangerous because it focuses on high-value targets, specifically aiming to exfiltrate API tokens, Google Chrome credentials, and recovery seed phrases from popular cryptocurrency wallets like MetaMask.
NodeCordRAT leverages the Discord API to turn private chat channels into command-and-control hubs where the attacker can issue specific instructions to the infected machine. The malware supports several built-in commands, such as !run for executing arbitrary shell commands, !screenshot for capturing the user's desktop, and !sendfile for transmitting specific documents. These functions allow the attacker to maintain full control over the compromised system while remaining relatively hidden within encrypted Discord traffic.
Data exfiltration is handled through Discord’s REST endpoints, where stolen files and screenshots are uploaded as message attachments to a private channel controlled by the hacker. This method of using legitimate cloud services for malicious communication makes detection more difficult for standard network security tools. By combining npm as a distribution vector with Discord as a management platform, the wenmoonx campaign represents a sophisticated approach to targeting the developer and cryptocurrency communities.
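Looking at the same chain from the defender's side, the following is an added example (my code, not the Zscaler researchers' and not anything from the packages): a Node.js check that audits a package.json for an install-time lifecycle hook that pulls in further code, the mechanism bitcoin-main-lib and bitcoin-lib-js used to fetch bip40, and for a name that imitates a well-known library such as bitcoinjs-lib. The watch-list, the risky-command patterns, the two-edit threshold and the sample manifest are my assumptions, constructed for the example.

```javascript
// Added example (not code from the Zscaler write-up or from the packages it
// describes): audit an npm manifest for the two traits the article's chain
// relies on: an install hook that fetches more code, and a lookalike name.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Constructed watch-list; extend it with the libraries your projects actually use.
const WELL_KNOWN = ['bitcoinjs-lib'];
// Constructed patterns: an install hook that installs, downloads or evals
// further code is the behaviour worth a human review.
const RISKY_CMD = [/\bnpm\s+(i|install|add)\b/, /\b(curl|wget)\b/, /\bnode\s+-e\b/];

function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Drop scope and separators so "bitcoin-lib-js" and "bitcoinjs-lib" compare as letters.
const normalize = (n) => n.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
const letters = (n) => normalize(n).split('').sort().join('');

function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    const risky = RISKY_CMD.some((re) => re.test(cmd));
    findings.push({ kind: risky ? 'risky-install-hook' : 'install-hook', hook, cmd });
  }
  for (const known of WELL_KNOWN) {
    if (normalize(pkg.name) === normalize(known)) continue; // it is the real package
    const typo = levenshtein(normalize(pkg.name), normalize(known)) <= 2; // a keystroke or two off
    const reordered = letters(pkg.name) === letters(known); // same letters, tokens shuffled
    if (typo || reordered) findings.push({ kind: 'lookalike-name', name: pkg.name, imitates: known });
  }
  return findings;
}

// Constructed manifest modelled on the chain in the article: a lookalike name
// plus a postinstall hook that installs a further package.
const SAMPLE_MANIFEST = { name: 'bitcoin-lib-js', version: '1.0.0',
  scripts: { postinstall: 'npm install bip40 && node ./index.js' } };
console.log(auditManifest(SAMPLE_MANIFEST));
```

Point it at each `node_modules/*/package.json` in CI, or pair it with `npm install --ignore-scripts` so lifecycle hooks never run before a human has seen the findings.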
Source: Researchers Find NodeCordRAT Hidden in Bitcoin Themed npm Packages


Clever exploitation of developer trust in the npm ecosystem. The typosquatting approach mimicking bitcoinjs-lib combined with post-install scripts to pull the payload is textbook supply chain attack stuff. Using Discord for C2 is pragmatic since its traffic blends into normal developer workflows and encrypted channels make detection harder. Worth noting this hits at the intersection of two high-value targets: crypto developers who likely hold keys and devs building financial infrastructure.