NodeCordRAT
NodeCordRAT is a previously undocumented Node.js-based remote access trojan (RAT) with data-stealing capabilities, discovered by Zscaler ThreatLabz and distributed through malicious npm packages. The campaign used three packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, named to mimic legitimate bitcoinjs-related libraries and aimed at developers, particularly those working with cryptocurrency tooling. The packages were discovered and removed in November 2025 after being downloaded several thousand times; reporting also attributes the uploads to the npm user "wenmoonx." The infection chain used postinstall scripts in bitcoin-main-lib and bitcoin-lib-js to install bip40, which contained the NodeCordRAT payload; the installation produced no user prompts or warnings. NodeCordRAT uses Discord servers and Discord's API for command-and-control, including exfiltration to a private Discord channel via a hardcoded bot token, which helps its traffic blend with legitimate Discord activity. Reported capabilities include remote shell command execution, file upload/exfiltration, screenshot capture, host fingerprinting across Windows, Linux, and macOS, and theft of Google Chrome credentials, Chrome profile login data and Local State, API tokens and secrets, recursively discovered .env files, and cryptocurrency wallet seed phrases, including MetaMask data associated with extension ID nkbihfbeogaeaoehlefnkodbefgpgknn. The campaign is a software supply-chain attack through the npm ecosystem, carried out via the malicious packages bitcoin-main-lib, bitcoin-lib-js, and bip40.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"Notepad++ Official Update Mechanism Hijacked to Deliver Malware..."; "eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware"; "Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems"; "Open VSX Supply Chain Attack..."; "Malicious Chrome Extensions..."
Recent activity
10 sources tracked across advisories, community write-ups, and news.
RAT delivered via malicious npm packages (bitcoin-themed) published by an actor; further capabilities not described in excerpt.
A remote access trojan delivered via malicious NPM packages (software supply-chain delivery vector).
Remote access trojan delivered via malicious packages in the NPM ecosystem (software supply chain).
NodeCordRAT is a Remote Access Trojan distributed via malicious npm packages, designed to steal browser credentials, crypto wallets (specifically MetaMask), and sensitive secrets from developers. It uses Discord as its command-and-control channel, sending stolen data as chat message attachments to a private Discord channel.