NodeCordRAT Malware Masqueraded as Bitcoin npm Packages—Here’s What You Missed

Published:
2026-01-08 15:32:06

Another day, another crypto-themed cyberattack—this time targeting developers through npm. Malicious packages posing as Bitcoin tools spread NodeCordRAT malware before being pulled from the registry. The incident highlights the persistent security gaps in open-source ecosystems, especially those orbiting digital assets.

How the Attack Unfolded

The packages—cleverly named to mimic legitimate Bitcoin utilities—were uploaded to npm, the default package manager for Node.js. Once installed, they deployed NodeCordRAT, a remote access trojan capable of stealing sensitive data, logging keystrokes, and hijacking system resources. The malware operated quietly until researchers spotted anomalous behavior and reported it.

Why npm? Because Developers Trust It

Attackers bank on the trust inherent in open-source repositories. Developers routinely pull packages without thorough vetting—especially when they’re in a hurry to integrate crypto functionalities. The Bitcoin branding acted as perfect bait, drawing in builders eager to tap into the digital gold rush.

The Takedown: Fast, But Not Fast Enough

Once identified, the packages were removed from npm. But in the world of cyber threats, takedowns are often a game of whack-a-mole. By the time the malware was flagged, it had already infiltrated an unknown number of systems. No exact figures were disclosed—just the usual “we’re investigating” line from maintainers.

Security in Crypto Remains a Contradiction

We’re building decentralized, trustless systems, yet we keep relying on centralized, trust-dependent pipelines like npm. It’s the kind of irony that would be hilarious if it weren’t so costly. And while the crypto space obsesses over ATHs and tokenomics, basic hygiene—like verifying dependencies—still takes a back seat. Maybe next bull run, we’ll finally fund that security audit.

Stay sharp. Verify your dependencies. And remember: in crypto, if something looks like free alpha, it’s probably just malware in a Bitcoin wrapper.

NodeCordRAT is equipped to steal Google Chrome credentials

Zscaler ThreatLabz analysts identified the trio in November while scanning the npm registry for suspicious packages and unusual download patterns. NodeCordRAT represents a new malware family that leverages Discord servers for command-and-control (C2) communication.

NodeCordRAT was built to steal Google Chrome login information, API keys stored in .env files, and MetaMask wallet data such as private keys and seed phrases. The person who published all three malicious packages used the email address [email protected].

The attack chain begins when developers unknowingly install bitcoin-main-lib or bitcoin-lib-js from npm. The installed package then locates the path of the bip40 package and starts it in detached mode using PM2.
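The attack chain above leaves static traces a dependency review can catch before anything runs: the package names the researchers reported, install-time lifecycle scripts, and a process manager (PM2) declared or invoked by what is supposed to be a library. The following audit script is an added example written for this article, not code from Zscaler ThreatLabz or from the packages themselves; the package.json contents it scans are constructed for the demonstration, and the "suspicious script" patterns are an assumption about what a reviewer would flag, not a published signature.

```python
"""Audit an installed npm dependency tree for the indicators described in the
NodeCordRAT write-up: package names reported as malicious, install-time
lifecycle scripts, and PM2 usage inside a library.

Added defensive example; the sample package.json documents are constructed.
"""
import json
import re
from dataclasses import dataclass

# Package names reported in the article. bip40 is the helper package the
# malicious installers locate and start under PM2.
KNOWN_BAD_NAMES = {"bitcoin-main-lib", "bitcoin-lib-js", "bip40"}

# npm runs these scripts automatically during `npm install`; a crypto utility
# library rarely needs any of them, so each one is worth a look.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Assumed review patterns: PM2 process manager, detached spawns, or launching
# JavaScript from inside another package's directory.
SUSPICIOUS_SCRIPT_RE = re.compile(
    r"\bpm2\b|detached|node_modules[\\/]\S+\.js", re.IGNORECASE
)


@dataclass
class Finding:
    package: str
    reason: str


def audit_manifest(manifest: dict) -> list:
    """Return findings for one parsed package.json document."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    if name in KNOWN_BAD_NAMES:
        findings.append(Finding(name, "name matches a package reported as malicious"))
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_SCRIPTS:
        body = scripts.get(hook)
        if body is None:
            continue
        if SUSPICIOUS_SCRIPT_RE.search(body):
            findings.append(Finding(name, f"{hook} script references PM2/detached execution: {body!r}"))
        else:
            findings.append(Finding(name, f"runs an install-time {hook} script: {body!r}"))
    deps = {**manifest.get("dependencies", {}), **manifest.get("optionalDependencies", {})}
    if "pm2" in deps:
        findings.append(Finding(name, "declares pm2 as a runtime dependency (process manager inside a library)"))
    return findings


def audit_tree(manifests: dict) -> list:
    """Audit a mapping of node_modules path -> raw package.json text."""
    findings = []
    for path, raw in manifests.items():
        try:
            manifest = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(Finding(path, "package.json is not valid JSON"))
            continue
        findings.extend(audit_manifest(manifest))
    return findings


# Constructed sample tree: one benign package and one that mimics the
# behaviour described in the article (a postinstall hook starting another
# package under PM2). Neither document comes from a real registry.
SAMPLE_TREE = {
    "node_modules/example-utils/package.json": json.dumps({
        "name": "example-utils", "version": "1.3.0", "scripts": {"test": "node test"}
    }),
    "node_modules/bitcoin-main-lib/package.json": json.dumps({
        "name": "bitcoin-main-lib", "version": "1.0.2",
        "scripts": {"postinstall": "node setup.js && pm2 start node_modules/bip40/index.js"},
        "dependencies": {"pm2": "^5.0.0"}
    }),
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"[{f.package}] {f.reason}")
```

On a real checkout, feed audit_tree the package.json files found under node_modules (or read them from a lockfile's resolved packages). An install-time script alone is not proof of malice, many native modules need one, but a crypto library that both runs a postinstall hook and pulls in a process manager is exactly the combination this incident relied on, and the audit surfaces it before the code executes.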

The attack flow. Source: Zscaler ThreatLabz

The malware generates a unique identifier for compromised machines using the format platform-uuid, such as win32-c5a3f1b4. It achieves this by extracting system UUIDs through commands like wmic csproduct get UUID on Windows or reading /etc/machine-id on Linux systems.
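The fingerprinting step described above (a Node.js process spawning wmic csproduct get UUID or reading /etc/machine-id) is individually noisy, since legitimate tooling does the same, but it becomes a strong signal when the same host then shows node talking to Discord, the C2 channel the article attributes to NodeCordRAT. The correlation below is an added example, not from the article or Zscaler ThreatLabz; the JSON-lines event schema (event, host, image, parent_image, cmdline, path, dest_host) is an assumption standing in for whatever EDR export is available, and every sample event is constructed.

```python
"""Correlate endpoint telemetry for the NodeCordRAT host-fingerprinting step
with the Discord C2 channel the article describes.

Added detection example. The event schema is assumed and the events are
constructed; adapt the field names to your own telemetry source.
"""
import json
import re
from collections import defaultdict
from typing import Optional

NODE_IMAGES = {"node", "node.exe"}
# Command the article reports for UUID extraction on Windows.
WMIC_UUID_RE = re.compile(r"\bwmic(\.exe)?\s+csproduct\s+get\s+uuid\b", re.IGNORECASE)
MACHINE_ID_PATH = "/etc/machine-id"  # Linux equivalent named in the article
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")


def _basename(image: str) -> str:
    """Lower-cased file name of an executable path, Windows or POSIX style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_discord(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def classify(event: dict) -> Optional[str]:
    """Tag one event as 'fingerprint', 'discord_egress', or None."""
    kind = event.get("event")
    if kind == "process_create":
        parent_is_node = _basename(event.get("parent_image", "")) in NODE_IMAGES
        if parent_is_node and WMIC_UUID_RE.search(event.get("cmdline", "")):
            return "fingerprint"
    elif kind == "file_read":
        if _basename(event.get("image", "")) in NODE_IMAGES and event.get("path") == MACHINE_ID_PATH:
            return "fingerprint"
    elif kind == "network_connect":
        if _basename(event.get("image", "")) in NODE_IMAGES and _is_discord(event.get("dest_host", "")):
            return "discord_egress"
    return None


def correlate(lines) -> dict:
    """Return {host: sorted tags} for hosts where node both fingerprinted
    the machine and connected to Discord. Either signal alone is dropped."""
    tags = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        tag = classify(event)
        if tag:
            tags[event["host"]].add(tag)
    required = {"fingerprint", "discord_egress"}
    return {h: sorted(t) for h, t in tags.items() if required <= t}


# Constructed telemetry: ws-01 shows the full pattern, build-02 only the
# fingerprint (a legitimate machine-id library would look like this), dev-07
# is a browser talking to Discord and must not alert.
SAMPLE_EVENTS = [
    json.dumps({"event": "process_create", "host": "ws-01",
                "parent_image": "C:\\Program Files\\nodejs\\node.exe",
                "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                "cmdline": "wmic csproduct get UUID"}),
    json.dumps({"event": "network_connect", "host": "ws-01",
                "image": "C:\\Program Files\\nodejs\\node.exe", "dest_host": "discord.com"}),
    json.dumps({"event": "file_read", "host": "build-02",
                "image": "/usr/bin/node", "path": "/etc/machine-id"}),
    json.dumps({"event": "network_connect", "host": "build-02",
                "image": "/usr/bin/node", "dest_host": "registry.npmjs.org"}),
    json.dumps({"event": "network_connect", "host": "dev-07",
                "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "dest_host": "discord.com"}),
]

if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(seen)}")
```

Requiring both tags on one host is what keeps the rule usable: developer machines legitimately run node and developers legitimately use Discord, but a node process that first reads the hardware UUID and then opens a Discord connection matches the beacon the article describes and little else.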

Malicious node packages that caused crypto thefts

Trust Wallet said that the theft of almost $8.5 million was connected to an attack on the npm ecosystem supply chain by “Shai-Hulud NPM.” More than 2,500 wallets were affected.

Attackers used compromised npm packages to deliver NodeCordRAT-style trojans and other supply chain malware. The malicious code was incorporated into client-side code that stole money from customers when they accessed their wallets.

Other 2025 incidents that resemble the NodeCordRAT-style threat include the Force Bridge exploit, which occurred between May and June 2025. Attackers stole either the software or the private keys that validator nodes used to authorize cross-chain withdrawals. This turned the nodes into malicious actors that could approve fraudulent transactions.

This breach resulted in an estimated $3.6 million in stolen assets, including ETH, USDC, USDT, and other tokens. It also forced the bridge to stop operations and conduct audits.

In September, the Shibarium Bridge exploit unfolded, and attackers were able to take control of most of the validator power for a short time. As revealed by Cryptopolitan, this let them serve as bad validator nodes, sign off on illegal withdrawals, and take around $2.8 million in SHIB, ETH, and BONE tokens.
