BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

NodeCordRAT in Malicious npm pkgs Steals Wallets via Discord

Malicious npm packages delivered NodeCordRAT, a Discord‑controlled RAT that steals browser credentials, API tokens and crypto wallet seed phrases

  • Researchers discovered three malicious npm packages that delivered a new remote access trojan called NodeCordRAT.
  • The packages — uploaded by user wenmoonx and removed by November 2025 — used post-install scripts to run a payload contained in bip40.
  • NodeCordRAT steals browser credentials, API tokens, and crypto wallet seed phrases and uses a hard-coded Discord server for command-and-control.

On Jan. 8, 2026, researchers reported that three malicious packages on npm delivered a previously undocumented Malware called NodeCordRAT. The packages were uploaded by a user named wenmoonx and had been taken down as of November 2025, according to the report linked by researchers discovered.

- Advertisement -

The campaign included packages named to resemble real libraries. The actor copied names from the legitimate bitcoinjs project repositories, researchers noted and linked to the original bitcoinjs repos. Two packages, Bitcoin-main-lib and bitcoin-lib-js, used a postinstall script to execute a secondary package.

“The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload,” the report said. The installed package, bip40, contained the final payload identified as NodeCordRAT.

NodeCordRAT fingerprints infected hosts across Windows, Linux, and macOS to create unique identifiers. It opens a covert channel to a hard-coded Discord server to receive commands, including the ability to run shell commands, capture screenshots, and upload files. The observed commands included !run, !screenshot, and !sendfile.

“This data is exfiltrated using Discord’s API with a hardcoded token and sent to a private channel,” the researchers said, noting that stolen files are uploaded via Discord’s REST endpoint /channels/{id}/messages. The malware can harvest Google Chrome credentials, API tokens, and seed phrases from wallets such as MetaMask.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Must Read

What Are Sniper Bots Used in Defi Trading?

You've heard about DeFi, but what about sniper bots? These high-speed trading tools are shaking up the crypto scene.But don't fret, you're not...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading