NodeCordRAT Malware

Cybersecurity analysts have uncovered three malicious npm packages engineered to distribute a previously undocumented remote access trojan (RAT) now tracked as NodeCordRAT. These packages were removed from the npm registry in November 2025 and were all published by an account operating under the name 'wenmoonx.'

Identified malicious packages:

  • bitcoin-main-lib (≈2,300 downloads)
  • bitcoin-lib-js (≈193 downloads)
  • bip40 (≈970 downloads)

The attackers deliberately selected names that closely resemble legitimate repositories from the well-known bitcoinjs ecosystem, an apparent attempt to mislead developers and increase the likelihood of accidental installation.

Infection Chain and Payload Delivery

The compromise begins when either bitcoin-main-lib or bitcoin-lib-js is installed. Both packages ship a crafted package.json whose postinstall hook runs a postinstall.cjs script. This script silently pulls in bip40, which hosts the actual malicious code.

Once executed, bip40 deploys the final payload: NodeCordRAT, a fully featured remote access trojan with built-in data-harvesting functions.

What Is NodeCordRAT?

NodeCordRAT derives its name from its two core design choices: npm as its propagation mechanism and Discord as its Command-and-Control (C2) platform. After installation, the malware fingerprints the compromised system to generate a unique identifier across Windows, Linux, and macOS hosts.

The trojan is capable of harvesting sensitive information, including:

  • Google Chrome credentials
  • API tokens
  • Cryptocurrency wallet secrets, such as MetaMask data and seed phrases

All collected data is funneled back to the attacker through Discord's infrastructure.

Discord-Based Command and Control

Instead of relying on traditional C2 servers, NodeCordRAT uses a hard-coded Discord server and token to establish a covert communications channel. Through this channel, operators can issue commands and receive stolen data.

Supported attacker commands include:

  • !run – Execute arbitrary shell commands via Node.js' exec function
  • !screenshot – Capture a full desktop screenshot and exfiltrate it as a PNG file
  • !sendfile – Upload a specified local file to the Discord channel

Data Exfiltration via Discord's API

Exfiltration is handled entirely through Discord's REST API. Using the embedded token, the malware posts stolen content directly to a private channel, attaching files through the endpoint:

/channels/{id}/messages

This approach allows threat actors to blend malicious traffic with legitimate Discord activity, making detection more challenging in environments where Discord is permitted.

Security Implications

This campaign highlights the continued abuse of open-source ecosystems and trusted collaboration platforms. By masquerading as familiar Bitcoin-related libraries and weaponizing post-install scripts, the attackers created a low-friction infection path capable of delivering a cross-platform RAT focused on credential theft and remote control.

For development teams and security professionals, the incident reinforces the importance of strict dependency vetting, monitoring of install-time scripts, and anomaly detection for outbound traffic to consumer platforms such as Discord.
