Security researchers at Zscaler ThreatLabz have uncovered three malicious npm packages designed to install a sophisticated remote access trojan (RAT) targeting JavaScript developers.
The packages, named bitcoin-main-lib, bitcoin-lib-js, and bip40, collectively registered over 3,400 downloads before being removed from the npm registry in November 2025.
The attack exploits developer trust in the legitimate BitcoinJS project by using typosquatted package names that closely resemble authentic Bitcoin development libraries.
When developers install bitcoin-main-lib or bitcoin-lib-js, a postinstall script automatically attempts to download bip40 as a dependency, which contains the malicious payload researchers have dubbed NodeCordRAT.
NodeCordRAT Steals Sensitive Developer Data
NodeCordRAT represents a new malware family that leverages Discord servers for command-and-control (C2) communication.
The trojan explicitly targets high-value developer assets, including Chrome browser credentials, API tokens stored in .env files, and MetaMask cryptocurrency wallet data such as private keys and seed phrases.
All three malicious packages were uploaded by a single threat actor using the email address [email protected]. The table below shows the distribution impact:
| Package Name | Version(s) | Downloads |
|---|---|---|
| bitcoin-lib-js | 7.2.1 | 183 |
| bitcoin-main-lib | 7.0.0, 7.2.0 | 2,286 |
| bip40 | 1.0.0, 1.0.6 | 958 |
The attack chain begins when developers unknowingly install bitcoin-main-lib or bitcoin-lib-js from npm. During installation, the post-install.cjs script executes automatically, resolving the bip40 package path and launching it under Process Manager 2 (PM2) in detached mode.
This provides runtime persistence, meaning bip40 continues running after the installer exits and automatically restarts if it crashes during the current session.
To appear legitimate, the attackers modified each package’s package.json file to include links to the authentic bitcoinjs GitHub repository.
This social engineering tactic helps the malicious packages evade initial scrutiny from developers conducting basic due diligence.
Discord-Based Command and Control
Once active, NodeCordRAT connects to a hardcoded Discord server and establishes a private channel for each infected system.
The malware generates a unique identifier for compromised machines using the format platform-uuid, such as win32-c5a3f1b4, by extracting system UUIDs through commands like wmic csproduct get UUID on Windows or reading /etc/machine-id on Linux systems.
Attackers control infected systems through three command prefixes sent via Discord: !run executes arbitrary shell commands, !screenshot captures full-desktop images and uploads them as PNG files, and !sendfile exfiltrates specified files from the victim’s machine.
All stolen data is transmitted through Discord’s REST API using hardcoded authentication tokens, with files attached directly to private channel messages.
While npm has removed these malicious packages, the incident underscores persistent vulnerabilities in software supply chain security.
Developers should implement strict package verification practices, including checking package author reputation, examining download statistics, and reviewing package dependencies before installation.
Organizations should also deploy automated scanning tools that detect suspicious postinstall scripts and unusual network behavior in development environments.
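The scanning advice above can be made concrete. The following checker is an added example, not Zscaler's tooling or any code from the packages: given a parsed package.json and the sources of the files its lifecycle hooks run, it reports the signals this article describes (a look-alike name, a repository link pointing at another project, an install hook that launches something under PM2 or detached, a known-bad dependency). The known-bad names are taken from the article; the allow-list of look-alike targets, the 0.55 similarity threshold and the sample manifest and script are assumptions constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Package names reported in the article, flagged wherever they appear.
KNOWN_BAD = {"bitcoin-main-lib", "bitcoin-lib-js", "bip40"}
# Assumed allow-list of libraries a typosquat in this space is likely to imitate.
LOOKALIKE_TARGETS = {"bitcoinjs-lib", "bip39", "bip32"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Traits of the installer behaviour described above: PM2, detached spawn, Discord API.
SCRIPT_INDICATORS = re.compile(r"pm2|detached\s*:\s*true|discord(?:app)?\.com/api", re.I)

def scan_package(manifest, script_files):
    """manifest: parsed package.json; script_files: {path: source}. Returns findings."""
    findings = []
    name = manifest.get("name", "")
    if name in KNOWN_BAD:
        findings.append(f"name: {name} is a known malicious package")
    for legit in sorted(LOOKALIKE_TARGETS):
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.55:
            findings.append(f"name: {name} resembles {legit}")
    # A repository link to someone else's project is the trust trick the article describes.
    repo = manifest.get("repository", "")
    repo_url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    repo_name = repo_url.rstrip("/").rsplit("/", 1)[-1].removesuffix(".git")
    if repo_url and repo_name != name:
        findings.append(f"repository: {repo_url} does not match package name {name}")
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: runs '{cmd}'")
        for path, source in script_files.items():
            if path in cmd:  # only inspect files the hook actually runs
                for m in SCRIPT_INDICATORS.finditer(source):
                    findings.append(f"{hook}: {path} contains '{m.group(0)}'")
    for dep in manifest.get("dependencies", {}):
        if dep in KNOWN_BAD:
            findings.append(f"dependency: {dep} is a known malicious package")
    return findings

# Constructed sample modelled on the article's description; not the real package files.
SAMPLE_MANIFEST = {
    "name": "bitcoin-main-lib", "version": "7.2.0",
    "repository": {"type": "git", "url": "git+https://github.com/bitcoinjs/bitcoinjs-lib.git"},
    "scripts": {"postinstall": "node post-install.cjs"},
    "dependencies": {"bip40": "^1.0.6"},
}
SAMPLE_SCRIPTS = {"post-install.cjs": "const {spawn} = require('child_process');\n"
                  "spawn('pm2', ['start', require.resolve('bip40')], {detached: true}).unref();\n"}
```

Running `scan_package(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)` on the constructed sample yields six findings; a manifest for the genuine bitcoinjs-lib with a matching repository link yields none.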
Indicators Of Compromise (IOCs)
| Package name | MD5 hash |
|---|---|
| bitcoin-lib-js | 7a05570cda961f876e63be88eb7e12b8 |
| bitcoin-main-lib | c1c6f4ec5688a557fd7cc5cd1b613649 |
| bip40 | 9a7564542b0c53cb0333c68baf97449c |