NodeCordRAT in Malicious npm pkgs Steals Wallets via Discord

On Jan. 8, 2026, researchers reported that three malicious packages on npm delivered a previously undocumented Malware called NodeCordRAT. The packages were uploaded by a user named wenmoonx and had been taken down as of November 2025, according to the report linked by researchers discovered.

The campaign included packages named to resemble real libraries. The actor copied names from the legitimate bitcoinjs project repositories, researchers noted and linked to the original bitcoinjs repos. Two packages, Bitcoin-main-lib and bitcoin-lib-js, used a postinstall script to execute a secondary package.

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload,” the report said. The installed package, bip40, contained the final payload identified as NodeCordRAT.

NodeCordRAT fingerprints infected hosts across Windows, Linux, and macOS to create unique identifiers. It opens a covert channel to a hard-coded Discord server to receive commands, including the ability to run shell commands, capture screenshots, and upload files. The observed commands included !run, !screenshot, and !sendfile.

“This data is exfiltrated using Discord’s API with a hardcoded token and sent to a private channel,” the researchers said, noting that stolen files are uploaded via Discord’s REST endpoint /channels/{id}/messages. The malware can harvest Google Chrome credentials, API tokens, and seed phrases from wallets such as MetaMask.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Nvidia demands full upfront payment for H200 chips in China.
• Half of Retail Traders See Crypto as Geopolitical Hedge Now!
• Bitcoin Falls Below $90K, Fills One CME Futures Gap to $88K.
• OpenAI launches ChatGPT Health with privacy safeguards in US
• Memecoin Surge and RWAs Drive New Crypto Investor Trends Now