
NodeCordRAT Delivered via Malicious npm Packages


These articles are AI-generated summaries. Please check the original sources for full details.


Security researchers identified three npm packages – bitcoin-main-lib, bitcoin-lib-js, and bip40 – distributing NodeCordRAT, a previously unknown Remote Access Trojan (RAT). These packages, uploaded by the user “wenmoonx”, collectively amassed over 3,290 downloads before being taken down in November 2025.

Why This Matters

The open-source ecosystem relies on trust, and supply chain attacks like this one show how exposed package managers are to malicious actors. Ideal models assume package integrity, but in practice attackers can exploit naming conventions and post-install scripts to deliver malware, potentially affecting thousands of developers and end users. A single successful breach can result in significant data theft and financial loss.

Key Insights

  • npm Supply Chain Attack, 2026: NodeCordRAT highlights the risk of malicious packages in npm.
  • Discord C2: The RAT uses Discord servers for command-and-control, leveraging readily available infrastructure.
  • Post-Install Scripts: Attackers exploited npm’s postinstall scripts to execute malicious code.

Practical Applications

  • Use Case: A cryptocurrency trader unknowingly installs a compromised package, leading to theft of their MetaMask seed phrase.
  • Pitfall: Relying on package names alone without verifying author reputation or package integrity.
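To act on the post-install and package-name points above, a project's lockfile can be audited before anything is installed. The following is an added example, not code from the original report: it checks a parsed `package-lock.json` (lockfileVersion 2 or 3) for the three package names listed on this page and for any dependency that npm has flagged with `hasInstallScript`. The function names, the allowlist parameter and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Package names reported on this page as delivering NodeCordRAT.
const REPORTED_PACKAGES = new Set(["bitcoin-main-lib", "bitcoin-lib-js", "bip40"]);

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns { reported: [...], installScripts: [...] }.
// allowedInstallScripts (hypothetical parameter): names you have reviewed
// and accept as needing a preinstall/install/postinstall step.
function auditLockfile(lock, allowedInstallScripts = new Set()) {
  const findings = { reported: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const entry = { name, version: meta.version, path };
    if (REPORTED_PACKAGES.has(name)) findings.reported.push(entry);
    // npm records hasInstallScript when a package declares a
    // preinstall, install or postinstall script.
    if (meta.hasInstallScript && !allowedInstallScripts.has(name)) {
      findings.installScripts.push(entry);
    }
  }
  return findings;
}

// Constructed sample lockfile: versions and layout are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/esbuild": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/bitcoin-lib-js": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/some-dep/node_modules/bip40": { version: "0.0.0-sample" },
  },
};

const report = auditLockfile(sampleLock, new Set(["esbuild"]));
console.log(JSON.stringify(report, null, 2));
```

Run it against `JSON.parse` of a real lockfile in CI and fail the build when either list is non-empty. Installing with `npm ci --ignore-scripts` additionally keeps lifecycle scripts from running until the flagged packages have been reviewed.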
