Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages
Briefly

""The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload," Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar said. "This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities." NodeCordRAT gets its name from the use of npm as a propagation vector and Discord servers for command-and-control (C2) communications. The malware is equipped to steal Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets like MetaMask."
"According to the cybersecurity company, the threat actor behind the campaign is assessed to have named the packages after real repositories found within the legitimate bitcoinjs project, such as bitcoinjs-lib, bip32, bip38, and bip38. Both "bitcoin-main-lib" and "bitcoin-lib-js" include a "package.json" file that features "postinstall.cjs" as a postinstall script, leading to the execution of "bip40" that contains the NodeCordRAT payload."
Three malicious npm packages — bitcoin-main-lib, bitcoin-lib-js, and bip40 — were uploaded by the user "wenmoonx" and were taken down in November 2025. bitcoin-main-lib and bitcoin-lib-js execute a postinstall.cjs script during installation that installs bip40, the package that contains the NodeCordRAT payload. NodeCordRAT is a remote access trojan that steals Google Chrome credentials, API tokens, and seed phrases from wallets such as MetaMask. The malware fingerprints infected hosts on Windows, Linux, and macOS to generate a unique identifier per victim, and it connects to a hard-coded Discord server for command-and-control. Supported commands include !run, !screenshot, and !sendfile, with stolen data exfiltrated through the Discord API.
Read at The Hacker News