Malicious Bitcoin npm packages spread NodeCordRAT malware before takedown

Researchers at Zscaler ThreatLabz have found three malicious Bitcoin npm packages that are meant to implant malware named NodeCordRAT. Reports say that they all got more than 3,400 downloads before they were taken down from the npm registry.

The packages, which include bitcoin-main-lib, bitcoin-lib-js, and bip40, had amassed 2,300, 193, and 970 downloads. By copying names and details from real Bitcoin components, the attacker made these lookalike modules appear harmless at a glance.

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload,” Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar said. “This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with>NodeCordRAT is equipped to steal Google Chrome credentials

Zscaler ThreatLabz analysts identified the trio in Nov while scanning the npm registry for suspicious packages and strange download patterns. NodeCordRAT represents a new malware family that leverages Discord servers for command-and-control (C2) communication.

NodeCordRAT was built to steal Google Chrome login information, API codes kept in.env files, and MetaMask wallet data like private keys and seed phrases. The person who posted all three malicious packages used the email address supertalented730@gmail.com.

The attack chain begins when developers unknowingly install bitcoin-main-lib or bitcoin-lib-js from npm. Then it identifies the path of the bip40 package and starts it in detached mode using PM2.

The attack flow. Source: Zscaler ThreatLabz

The malware generates a unique identifier for compromised machines using the format platform-uuid, such as win32-c5a3f1b4. It achieves this by extracting system UUIDs through commands like wmic csproduct get UUID on Windows or reading /etc/machine-id on Linux systems.

Malicious node packages that caused crypto thefts

Trust Wallet said that the theft of almost $8.5 million was connected to an attack on the npm ecosystem supply chain by “Sha1-Hulud NPM.” More than 2,500 wallets were affected.

Hackers used a hacked npm as NodeCordRAT-style trojans and supply chain malware. It was incorporated into client-side code that stole money from customers when they accessed their wallets.

Other 2025 examples that fall into two buckets that resemble the NodeCordRAT style threat include the Force Bridge exploit, which occurred between May and June 2025. Attackers stole either the software or the private keys that validator nodes used to authorize cross-chain withdrawals. This turned nodes into malicious actors that could approve fraudulent transactions.

This breach resulted in an estimated $3.6 million in stolen assets, including ETH, USDC, USDT, and other tokens. It also forced the bridge to stop operations and conduct audits.

In September, the Shibarium Bridge exploit unfolded, and attackers were able to take control of most of the validator power for a short time. As revealed by Cryptopolitan, this let them serve as bad validator nodes, sign off on illegal withdrawals, and take around $2.8 million in SHIB, ETH, and BONE tokens.