Discord Controlled NodeCordRAT Steals Chrome Data via NPM Packages – Hackread – Cybersecurity News, Data Breaches, AI, and More


A recent investigation by the research firm Zscaler ThreatLabz has uncovered a clever new trap targeting people in the cryptocurrency space. In November 2025, researchers found three malicious software packages hiding in NPM, the massive public package registry that developers use every day to build apps.

These packages weren’t accidental; they were designed to deliver a specific piece of malware that researchers have named NodeCordRAT. This is a Remote Access Trojan (RAT), which gives a stranger a backdoor into your computer to watch what you do and steal your files.

The Chain of Deception

During the investigation, it was noted that, beyond simply uploading malware, the attackers also built a chain of packages to avoid being caught. They used names that look almost exactly like real, trusted tools from the legitimate bitcoinjs project. According to researchers, the attacker (linked to the email [email protected]) uploaded three specific packages:

  • bip40 (Downloaded about 958 times)
  • bitcoin-lib-js (Downloaded about 183 times)
  • bitcoin-main-lib (Downloaded about 2,286 times)

Upon probing further, researchers found that when a developer installed either bitcoin-lib-js or bitcoin-main-lib, a hidden install script automatically pulled in the third package, bip40, which carried the actual malware. This whole process happens automatically in the background, and the user never sees a ‘Yes/No’ pop-up or a warning.

“It is also possible to download bip40 as a standalone package, completely bypassing the other libraries. To deceive developers into downloading the fraudulent packages, the attacker used name variations of real repositories found within the legitimate bitcoinjs project,” Zscaler’s blog post reads.

Attack chain (source: Zscaler)

Controlled via Discord

What makes this attack unique and troubling is how it talks back to the hackers. Discord is mainly known as a gaming and chat platform, but these hackers used it as a remote control, sending simple text commands to a private Discord channel that the infected computer listens to. This way, the hackers could tell the infected computer exactly what to do.

Researchers further noted that the malware responds to specific shorthand commands. For example, the command !run allows shell command execution, letting attackers run any command they want. Meanwhile, !screenshot snaps a picture of your desktop, and !sendfile lets attackers pick any file on your hard drive and upload it directly to their chat channel.

What They Are After

NodeCordRAT specifically hunts for Chrome data such as saved passwords and login info, crypto wallets (specifically MetaMask seed phrases and digital keys), and API secrets, including hidden files (like .env files) that businesses use to keep their websites running.

It is worth noting that while these packages have since been removed from the NPM registry, the damage may already be done for the thousands who downloaded them. If you work in crypto or software development, it is a good idea to check your projects and recent installs for these specific package names.
