Full Report
Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT. The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named "wenmoonx."
- bitcoin-main-lib (2,300 downloads)
- bitcoin-lib-js (193 downloads)
- bip40 (970 downloads)
"The
Analysis Summary
# Tool/Technique: NodeCordRAT
## Overview
NodeCordRAT is a previously undocumented Remote Access Trojan (RAT) delivered via malicious npm packages posing as legitimate Bitcoin-related libraries. The malware is designed to steal sensitive user information, including browser credentials, API tokens, and cryptocurrency seed phrases, and exfiltrate them over Discord C2 communication channels.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows, Linux, and macOS systems (cross-platform due to Node.js execution)
- Capabilities: Data theft (credentials, tokens, seed phrases), remote command execution, screenshot capture, and file exfiltration, all controlled via Discord.
- First Seen: Publicly reported in November 2025; all three packages had already been removed from the npm registry at the time of the report.
## MITRE ATT&CK Mapping
Inferred mapping based on demonstrated functionality:
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (malicious packages published to the public npm registry under Bitcoin-library names)
- **TA0002 - Execution**
- T1059.007 - Command and Scripting Interpreter: JavaScript (the `postinstall.cjs` lifecycle script runs under Node.js during `npm install`; `!run` commands are executed through `child_process.exec`)
- **TA0005 - Defense Evasion**
- T1036.005 - Masquerading: Match Legitimate Name or Location (package names imitating legitimate Bitcoin libraries)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (Google Chrome credentials)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (host fingerprinting to derive a unique identifier)
- **TA0009 - Collection**
- T1005 - Data from Local System (API tokens, wallet seed phrases, files requested via `!sendfile`)
- T1113 - Screen Capture (`!screenshot`)
- **TA0011 - Command and Control**
- T1102.002 - Web Service: Bidirectional Communication (commands received from, and results posted to, a hard-coded Discord channel)
- T1071.001 - Application Layer Protocol: Web Protocols (HTTPS to the Discord REST API)
- **TA0010 - Exfiltration**
- T1567 - Exfiltration Over Web Service (stolen data and files sent to the channel as Discord attachments)
## Functionality
### Core Capabilities
- **Delivery Mechanism:** Used three malicious npm packages (`bitcoin-main-lib`, `bitcoin-lib-js`, `bip40`) uploaded by user "wenmoonx."
- **Infection Chain:** The packages `bitcoin-main-lib` and `bitcoin-lib-js` executed a `postinstall.cjs` script, which in turn installed `bip40`, containing the final NodeCordRAT payload.
- **Fingerprinting:** Generates a unique identifier for the infected host across Windows, Linux, and macOS.
- **C2 Communication:** Establishes a covert communication channel using a hard-coded Discord server/channel via Discord's API.
### Advanced Features
- **Data Exfiltration:** Specifically targets and steals Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets (e.g., MetaMask).
- **Remote Shell Execution:** Accepts the `!run` command and executes the supplied string as a shell command through Node.js's `child_process.exec`, which spawns the platform shell (`/bin/sh -c` on Linux/macOS, `cmd.exe` on Windows).
- **Screenshot Capture:** Accepts the `!screenshot` command to capture a desktop screenshot and sends the resulting PNG file via Discord attachment.
- **File Upload:** Accepts the `!sendfile` command to exfiltrate specified files to the Discord channel as message attachments over the Discord REST endpoint.
## Indicators of Compromise
- File Hashes: *(Not provided in the article)*
- File Names: `bitcoin-main-lib` (npm package), `bitcoin-lib-js` (npm package), `bip40` (npm package containing payload), `postinstall.cjs` (script trigger).
- Registry Keys: *(Not provided in the article)*
- Network Indicators: Hard-coded Discord server/channel used for C2 communication (Discord API endpoints).
- Behavioral Indicators: A lifecycle script (`postinstall.cjs`) executing during `npm install` of one of the named packages; a Node.js process spawning a shell (`sh -c` / `cmd.exe /c`) to run attacker-supplied commands after installation; a Node.js process, rather than a Discord client or browser, making HTTPS requests to Discord API endpoints (`discord.com/api`) that post messages and upload attachments.
## Associated Threat Actors
- **wenmoonx** (The user responsible for uploading the malicious packages).
- Undocumented group/actor that developed NodeCordRAT.
## Detection Methods
- Signature-based detection: Search lockfiles (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`), SBOMs and `node_modules` for the three package names (`bitcoin-main-lib`, `bitcoin-lib-js`, `bip40`), and block them in registry proxies or allowlists.
- Behavioral detection: Monitor for Node.js processes spawning shells (`sh -c` / `cmd.exe /c`, the pattern `child_process.exec` produces) and, on the same process, outbound HTTPS to `discord.com/api` on hosts where no Discord client is expected. Either signal alone is noisy (npm itself runs lifecycle scripts through a shell); the combination is what carries weight.
- YARA rules: *(Not provided in the article)* - Rules could target unique strings in the NodeCordRAT payload, which is JavaScript rather than a compiled binary (for example the `!run`, `!screenshot` and `!sendfile` command handlers alongside Discord API URLs).
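The behavioral rule described above, as an added example that is not code from the article or from the NodeCordRAT analysis: a small correlation over endpoint telemetry that ties shell spawning and Discord API traffic back to the same Node.js process. The event schema (`process` / `network` records with `pid`, `ppid`, `image`, `cmdline`, `dest_host`) and the sample events are constructed for illustration; a real deployment would feed it EDR process and DNS/TLS-SNI events in whatever shape that product emits.

```javascript
// Added example (not from the article): correlate process and network telemetry
// to flag the NodeCordRAT behaviours the report describes. Event schema and
// sample data below are constructed, not captured from a real infection.

const DISCORD_HOSTS = new Set(["discord.com", "discordapp.com", "cdn.discordapp.com"]);
// Shells that child_process.exec spawns on Linux/macOS and Windows.
const SHELLS = new Set(["sh", "bash", "zsh", "cmd.exe", "powershell.exe"]);

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

function isNode(image) {
  return ["node", "node.exe"].includes(basename(image));
}

// events: array of
//   {type:"process", pid, ppid, image, cmdline}
//   {type:"network", pid, dest_host, dest_port}
// Returns one finding per Node.js process that showed at least one behaviour,
// sorted by pid, with a severity derived from the combination observed.
function detect(events) {
  const procs = new Map(
    events.filter((e) => e.type === "process").map((e) => [e.pid, e])
  );
  const byNode = new Map(); // node pid -> Set of behaviour labels
  const note = (pid, label) => {
    if (!byNode.has(pid)) byNode.set(pid, new Set());
    byNode.get(pid).add(label);
  };

  for (const e of events) {
    if (e.type === "process") {
      // Lifecycle script named in the report running under node.
      if (isNode(e.image) && /postinstall\.cjs\b/i.test(e.cmdline)) {
        note(e.pid, "postinstall-script");
      }
      // A shell whose parent is a node process: the child_process.exec pattern.
      const parent = procs.get(e.ppid);
      if (parent && isNode(parent.image) && SHELLS.has(basename(e.image))) {
        note(parent.pid, "spawns-shell");
      }
    } else if (e.type === "network") {
      const owner = procs.get(e.pid);
      if (owner && isNode(owner.image) && DISCORD_HOSTS.has(e.dest_host)) {
        note(e.pid, "discord-api");
      }
    }
  }

  const findings = [];
  for (const [pid, labels] of byNode) {
    let severity = "info"; // a bare shell spawn is normal for npm scripts
    if (labels.has("discord-api") && labels.has("spawns-shell")) severity = "high";
    else if (labels.has("discord-api") || labels.has("postinstall-script")) severity = "medium";
    findings.push({ pid, severity, behaviours: [...labels].sort() });
  }
  return findings.sort((a, b) => a.pid - b.pid);
}

// Constructed sample telemetry: an npm install running a postinstall hook,
// a node process that both spawns a shell and talks to Discord, and a benign
// build script that only spawns a shell.
const SAMPLE_EVENTS = [
  { type: "process", pid: 100, ppid: 1, image: "/usr/bin/node", cmdline: "npm install bitcoin-main-lib" },
  { type: "process", pid: 101, ppid: 100, image: "/bin/sh", cmdline: "sh -c node postinstall.cjs" },
  { type: "process", pid: 102, ppid: 101, image: "/usr/bin/node", cmdline: "node postinstall.cjs" },
  { type: "network", pid: 102, dest_host: "registry.npmjs.org", dest_port: 443 },
  { type: "process", pid: 200, ppid: 1, image: "/usr/bin/node", cmdline: "node index.js" },
  { type: "process", pid: 201, ppid: 200, image: "/bin/sh", cmdline: "sh -c whoami" },
  { type: "network", pid: 200, dest_host: "discord.com", dest_port: 443 },
  { type: "process", pid: 300, ppid: 1, image: "/usr/bin/node", cmdline: "node build.js" },
  { type: "process", pid: 301, ppid: 300, image: "/bin/sh", cmdline: "sh -c tsc -p ." },
];

console.log(JSON.stringify(detect(SAMPLE_EVENTS), null, 2));
```

Running the block reports pid 200 as `high` (shell spawn plus Discord traffic), pid 102 as `medium` (the `postinstall.cjs` execution), and pids 100 and 300 as `info`, which is the point: npm and ordinary build tooling spawn shells constantly, so the shell-spawn signal is only useful when joined to the Discord destination on the same process. Because Discord traffic is HTTPS, the `dest_host` field has to come from DNS or TLS SNI telemetry rather than from packet payloads.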
## Mitigation Strategies
- **Prevention measures:** Restrict installs to vetted sources, and run `npm install --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) in CI and developer environments so that lifecycle hooks such as `postinstall` cannot execute unattended; packages that genuinely need a build step can then be rebuilt explicitly.
- **Supply Chain Security:** Audit the `scripts.preinstall`, `scripts.install` and `scripts.postinstall` entries in each dependency's `package.json`. A hook such as `node postinstall.cjs` in a pure-JavaScript library is a red flag, since only native addons normally need install-time code.
- **Dependency Scanning:** Utilizing Software Composition Analysis (SCA) tools that check dependencies against known malicious package lists or patterns (like checking for suspicious execution hooks).
- **Network Monitoring:** Monitoring outbound traffic for unauthorized connections to known C2 platforms, specifically Discord API endpoints being used for data exfiltration.
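The manifest and lockfile audit from the two supply-chain items above, written out as an added example (not code from the article or from any npm tooling). It flags the three package names from the report and any install-time lifecycle hook in a dependency's `package.json`. The manifests and lockfile fragment below are constructed samples; in practice the manifests would be read from `node_modules/*/package.json` and the lockfile from `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map is keyed by `node_modules/...` paths).

```javascript
// Added example (not from the article): audit installed package manifests and a
// package-lock.json for (a) the package names listed in the NodeCordRAT report
// and (b) lifecycle hooks that execute code during `npm install`.

const KNOWN_MALICIOUS = new Set(["bitcoin-main-lib", "bitcoin-lib-js", "bip40"]);
// Hooks npm runs for a dependency fetched from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks declared in a parsed package.json.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// manifests: object mapping package name -> parsed package.json.
// Returns findings: known-bad names are critical, install hooks are warnings.
function auditManifests(manifests) {
  const findings = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ package: name, severity: "critical", reason: "package name listed in NodeCordRAT report" });
    }
    for (const hook of installHooks(manifest)) {
      findings.push({ package: name, severity: "warn", reason: `lifecycle hook ${hook}: ${manifest.scripts[hook]}` });
    }
  }
  return findings;
}

// lock: parsed package-lock.json (lockfileVersion 2/3). Keys in "packages" look
// like "node_modules/foo" or "node_modules/a/node_modules/@scope/foo"; the
// package name is whatever follows the last "node_modules/".
function auditLockfile(lock) {
  const hits = [];
  for (const key of Object.keys((lock && lock.packages) || {})) {
    if (key === "") continue; // root project entry
    const name = key.split("node_modules/").pop();
    if (KNOWN_MALICIOUS.has(name)) hits.push(name);
  }
  return hits;
}

// Constructed sample input, not real package contents.
const SAMPLE_MANIFESTS = {
  "bitcoin-main-lib": { name: "bitcoin-main-lib", version: "1.0.0", scripts: { postinstall: "node postinstall.cjs" } },
  "left-pad": { name: "left-pad", version: "1.3.0" },
  "some-native-addon": { name: "some-native-addon", version: "2.0.0", scripts: { install: "node-gyp rebuild", test: "mocha" } },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-dep/node_modules/bip40": { version: "0.1.0" },
  },
};

console.log(auditManifests(SAMPLE_MANIFESTS));
console.log(auditLockfile(SAMPLE_LOCK));
```

On the sample data the manifest audit yields two findings for `bitcoin-main-lib` (the name match and its `postinstall` hook) and one warning for the native addon's `install` hook, and the lockfile audit finds `bip40` nested under another dependency, which a top-level `package.json` review would miss. Warnings on install hooks are not verdicts; the point is to make every package that runs code at install time visible for review.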
## Related Tools/Techniques
- **Typosquatting/Brandjacking:** The package names imitate legitimate libraries from the `bitcoinjs` project, relying on visual similarity to deceive developers. This is name-based deception rather than dependency confusion, which instead abuses private package names that resolve to a public registry.
- **Discord C2:** Use of Discord as a C2 channel is common among various threat actors for covert command and control.