NodeCordRAT Malware Found Hidden in Malicious npm Bitcoin Packages
Cybersecurity researchers have uncovered a new malware strain dubbed NodeCordRAT, hidden inside seemingly benign Bitcoin-themed packages on the npm registry. This JavaScript-based remote access trojan (RAT) targets developers and crypto enthusiasts by riding in on packages they install into Node.js projects. The campaign is another reminder of how exposed the open-source software supply chain is.
What is NodeCordRAT?
NodeCordRAT is a remote access trojan written in JavaScript. Rather than standing up its own command-and-control (C2) infrastructure, it relays stolen data and operator traffic through Discord. Because Discord is a trusted platform that developers and gamers use every day, the traffic looks unremarkable and the malware keeps a low detection profile.
NodeCordRAT is largely aimed at compromising developers’ systems and harvesting sensitive data, including:
- Access tokens and session cookies
- Stored passwords and browser data
- Discord authentication tokens
- System environment details for reconnaissance
The malware operates by disguising itself as part of legitimate open-source packages uploaded to the npm registry, leveraging the trust developers place in libraries shared within the Node.js community.
How the NodeCordRAT Campaign Works
1. Malicious npm Packages
The attack begins with the upload of Bitcoin-themed npm packages that include misleading descriptions and keywords to make them appear authentic. The packages claimed to offer features like crypto trading utilities or simplified APIs for Bitcoin transactions.
Some of the discovered packages include:
- node-binance-trade
- binancetrade-api
- btc-trading-library
Once installed, these packages run code automatically: npm executes a package's lifecycle scripts (preinstall, install, postinstall) during installation, so the postinstall hook launches the NodeCordRAT downloader without the developer ever importing the module. The payload is obfuscated JavaScript, which helps it slip past signature-based security tools.
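The two tricks described in this step, a lifecycle hook that runs code at install time and an obfuscated loader, can be checked for before a package ever reaches `npm install`. The following is an added example written for this article, not code from the original page or from the NodeCordRAT packages; the package name, manifest and loader text are constructed for illustration, and the patterns are heuristics rather than proof of malice.

```javascript
'use strict';

// Added example (not code from the article or from the malware): a pre-install audit
// that flags install-time lifecycle hooks and common obfuscation markers. The manifest,
// package name and source text below are constructed for this example.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that are common in malicious install scripts (heuristics, not proof).
const SCRIPT_INDICATORS = [
  { name: 'runs inline node code', re: /\bnode\s+-e\b/ },
  { name: 'downloads a remote file', re: /\b(?:curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: 'invokes PowerShell', re: /\bpowershell\b/i },
  { name: 'decodes base64 at install time', re: /base64|FromBase64String/i },
];

// Patterns that are common in obfuscated loaders.
const SOURCE_INDICATORS = [
  { name: 'dynamic code evaluation', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: 'hex-escaped string literal', re: /(?:\\x[0-9a-fA-F]{2}){8,}/ },
  { name: 'long base64 blob', re: /['"][A-Za-z0-9+/]{200,}={0,2}['"]/ },
  { name: 'spawns child processes', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: 'Discord webhook URL', re: /discord(?:app)?\.com\/api\/webhooks\//i },
];

// Returns a list of findings; an empty list means nothing matched.
function auditPackage(manifest, sourceText) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any lifecycle hook deserves a look: it runs on `npm install`, no import needed.
    findings.push({ where: `scripts.${hook}`, indicator: 'lifecycle hook runs at install time', detail: cmd });
    for (const ind of SCRIPT_INDICATORS) {
      if (ind.re.test(cmd)) findings.push({ where: `scripts.${hook}`, indicator: ind.name, detail: cmd });
    }
  }

  for (const ind of SOURCE_INDICATORS) {
    const m = sourceText.match(ind.re);
    if (m) findings.push({ where: 'source', indicator: ind.name, detail: m[0].slice(0, 60) });
  }
  return findings;
}

// Constructed manifest in the style of the Bitcoin-themed packages (hypothetical name).
const SAMPLE_MANIFEST = {
  name: 'example-btc-trade-utils',
  version: '1.0.3',
  description: 'Simplified API for Bitcoin trading',
  scripts: { postinstall: 'node -e "require(\'./lib/setup.js\')"' },
};

// Constructed loader text: "https://discord" is hex-escaped, so a plain grep for the
// webhook host misses it; that is why the obfuscation indicators matter.
const SAMPLE_SOURCE = [
  "const cp = require('child_process');",
  "const host = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x64\\x69\\x73\\x63\\x6f\\x72\\x64';",
  "const payload = '" + 'QUJD'.repeat(60) + "';", // 240 chars of base64-looking filler
  "const run = new Function(Buffer.from(payload, 'base64').toString());",
].join('\n');

// Constructed benign package for comparison: a `test` script is not a lifecycle hook.
const CLEAN_MANIFEST = { name: 'example-pad', version: '2.0.0', scripts: { test: 'node test.js' } };
const CLEAN_SOURCE = 'module.exports = (s, n) => String(s).padStart(n);';

for (const f of auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCE)) {
  console.log(`[${f.where}] ${f.indicator}: ${f.detail}`);
}
```

In practice this runs over the unpacked tarball (`npm pack <pkg>` followed by `tar -xzf`) before the package is added to a project, and a hit on a lifecycle hook is reason enough to read the script by hand, because legitimate packages with a postinstall step are the minority and usually obvious native-addon builds.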
2. Discord as a Communication Channel
NodeCordRAT uses Discord as its C2 channel, posting stolen data to attacker-controlled channels through Discord webhooks. Note that a webhook is write-only: it lets the malware push messages into a channel, so any tasking of the implant has to come through Discord's bot or messaging API rather than through the webhook itself. Because all of this is ordinary HTTPS to discord.com, IP- and domain-reputation blocking achieves little; the exfiltration hides in traffic that most networks already allow.
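Since the destination domain is legitimate, detection has to key on the webhook path and on which process is talking to it. The following is an added example, not code from the original article, that implements the monitoring recommended later in this piece over proxy or EDR network logs; the log format (timestamp, process, user, method, URL, bytes) and every sample line are constructed for this example.

```javascript
'use strict';

// Added example (not from the article): flag POSTs to Discord webhook endpoints in
// network logs and pair each with the process that made it. The log format and the
// sample lines are constructed for this example.

// Webhook endpoints on the Discord domains; capture the webhook id and token separately.
const DISCORD_WEBHOOK_RE =
  /^https?:\/\/(?:(?:ptb\.|canary\.)?discord\.com|discordapp\.com)\/api\/webhooks\/(\d+)\/([\w-]+)/i;

// Processes where a webhook post could plausibly be a human action (still worth review).
const INTERACTIVE_CLIENTS = new Set(['chrome', 'chrome.exe', 'firefox', 'firefox.exe', 'msedge.exe', 'safari']);

// Parses one constructed log line; returns null for malformed input instead of throwing.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 6) return null;
  const [ts, proc, user, method, url, bytes] = parts;
  return { ts, process: proc, user, method: method.toUpperCase(), url, bytes: Number(bytes) };
}

// Returns one alert per POST to a Discord webhook. A webhook is write-only, so a POST
// to it from a build tool or shell is data leaving the host, not a chat client using
// its own API. The token is a credential for that channel, so it is redacted.
function detectWebhookExfil(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'POST') continue;
    const m = rec.url.match(DISCORD_WEBHOOK_RE);
    if (!m) continue;
    const interactive = INTERACTIVE_CLIENTS.has(rec.process.toLowerCase());
    alerts.push({
      ts: rec.ts,
      user: rec.user,
      process: rec.process,
      bytes: rec.bytes,
      webhookId: m[1],                         // keep for the abuse/takedown report
      tokenRedacted: `${m[2].slice(0, 4)}...`, // never write the full token to a SIEM
      severity: interactive ? 'medium' : 'high',
    });
  }
  return alerts;
}

// Constructed log lines: two build-tool/shell posts, one browser post, benign noise,
// and one corrupt entry.
const SAMPLE_LOG = [
  '2024-06-01T12:00:01Z node alice POST https://discord.com/api/webhooks/1234567890/abcDEF_xyz-0123 18342',
  '2024-06-01T12:00:02Z Discord.exe alice GET https://discord.com/api/v9/users/@me 512',
  '2024-06-01T12:00:03Z node alice GET https://registry.npmjs.org/express 2048',
  '2024-06-01T12:00:04Z chrome alice POST https://discord.com/api/webhooks/99/devtoken 300',
  '2024-06-01T12:00:05Z powershell.exe bob POST https://discordapp.com/api/webhooks/555/legacyhost 4096',
  'corrupt entry',
];

for (const a of detectWebhookExfil(SAMPLE_LOG)) {
  console.log(`${a.severity.toUpperCase()} ${a.ts} ${a.user} ${a.process} -> webhook ${a.webhookId} (${a.bytes} bytes)`);
}
```

The split by process is the useful part: a `node` or `powershell.exe` process posting to a webhook on a developer workstation or CI runner has almost no benign explanation, while a browser doing the same may be a developer testing an integration. The byte count is worth keeping in the alert, since a multi-kilobyte POST is consistent with the browser and token dumps described in the next section.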
3. Information Harvesting
After the RAT is fully deployed, it begins harvesting a range of data, including:
- Browser data — Autofill details, stored credentials, cookies
- System metadata — Operating system, installed apps, running processes
- Crypto wallet info, if found in browser session storage
- Discord login tokens and session identifiers
This data is posted to the attacker-controlled Discord channel immediately, so by the time the package is spotted the credentials have already left the host. Treat every token and password on an affected machine as compromised and rotate it; removing the package alone does not undo the theft.
Analysis of Infection Vectors
The malicious packages were published by accounts with no established identity or history, a red flag that developers installing packages in a hurry routinely overlook. Security researchers point to several reasons open-source registries like npm keep being used to distribute malware:
- Minimal security oversight on publish requests
- High trust from developers in common libraries
- Easy upload process for new or forked projects
Threat actors exploit this trust by publishing packages with credible-sounding names and convincing documentation. Once installed, they behave almost identically to legitimate modules, apart from the malware payload hidden inside them.
Current Impact and Threat Scope
While it’s still unclear how many systems have been compromised, telemetry suggests that the packages existed for several weeks before removal, allowing a potentially significant number of installations. The Node.js ecosystem, due to its extensive use in backend development and API services, presents an attractive target for attackers hoping to gain access to cloud environments and developer credentials.
Recommendations for Developers
To protect your environment and systems from similar malicious campaigns, developers and teams should adopt the following practices:
1. Perform Package Due Diligence
- Check who maintains the package, how long the publisher account has existed, and whether the project has a real repository and download history before installing
- Audit new packages, including their install scripts, before promoting them to production
- Commit a lockfile and install from it with npm ci, so a build cannot silently pull a newer or substituted version
2. Use Source Code Scanning Tools
- Use scanners such as Snyk or Sonatype alongside npm audit; note that npm audit only reports packages already listed in the advisory database, so it will miss a fresh malicious upload until someone reports it
- Add CI/CD pipeline guards that automatically flag new dependencies, install scripts, and packages that make network connections during installation
3. Isolation and Monitoring
- Install and build inside isolated, disposable environments (containers or VMs) with restricted egress, so a malicious install script cannot reach your workstation's credentials
- Monitor developer workstations and CI runners for unexpected outbound traffic to services like Discord or Telegram, especially from node, npm, or shell processes
4. Protect Credentials and Secrets
- Never store sensitive secrets in plain-text configuration files
- Keep secrets in a secret manager such as HashiCorp Vault and inject them only where they are needed; bear in mind that environment variables are readable by any code running in the process, including an install script, so prefer short-lived credentials that are worthless once exfiltrated
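The lockfile and install-script advice above maps onto a handful of npm settings. The following per-project .npmrc is an added example, not from the original article; the keys are real npm configuration options, the file itself is constructed here.

```ini
; Hardened per-project .npmrc (added example, not from the original article)
; Never run dependencies' preinstall/install/postinstall hooks automatically.
ignore-scripts=true
; Record exact versions instead of ^ranges, so any version change shows up as a diff.
save-exact=true
; Always write and honour package-lock.json.
package-lock=true
```

Install from the lockfile with `npm ci` rather than `npm install`, and run `npm audit signatures` to verify registry signatures and provenance attestations on what was installed. With ignore-scripts on, a dependency that genuinely needs a build step (typically a native addon) is rebuilt explicitly with `npm rebuild <pkg> --ignore-scripts=false`, which keeps the decision to run install-time code per package and deliberate.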
Industry Response
npm, which GitHub operates, reacted quickly and removed the identified packages from the registry. A statement from GitHub indicated ongoing efforts to improve the vetting of newly published modules. Meanwhile, security researchers urge developers to report suspicious packages and to promote security awareness in open-source communities.
This incident follows a string of similar breaches, including the discovery of LunaGrabber and TurkoRat in open-source ecosystems last year. It demonstrates that attackers will continue to prey on the blind spots in developer workflows unless significant security reforms are enacted.
Conclusion
The emergence of NodeCordRAT highlights the growing threat of supply chain malware aimed at the software development community. As attackers refine their techniques and seek high-value targets like crypto users and developers, securing the open-source ecosystem becomes a shared responsibility. Vigilant package management, routine auditing, and proactive threat detection must become standard practice for any team working with open-source technologies.
Ultimately, while open-source adoption continues to grow, so does the importance of ensuring it remains secure—without sacrificing speed, innovation, or collaboration.
