Bitcoin, npm, and the Discord Connection: Inside the NodeCordRAT Supply Chain Attack
Malicious npm packages disguised as Bitcoin tools hid a powerful new remote access trojan, targeting crypto users and developers alike.
When you install a software package, you trust it’s what it claims to be. But what if the package is a Trojan horse, designed to silently hijack your data and send it straight to the dark corners of the web? In a recent chilling discovery, cybersecurity researchers at Zscaler ThreatLabz uncovered a trio of npm packages masquerading as Bitcoin development tools - each hiding a stealthy new malware they’ve dubbed NodeCordRAT.
The Anatomy of a Deception
The attack began with a user named “wenmoonx” uploading three npm packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. Their names echoed reputable repositories from the bitcoinjs project, a classic case of “typosquatting” designed to fool even experienced developers. But the real sting was hidden deeper: upon installation, these packages silently executed a postinstall.cjs script, which in turn fetched and ran the actual malware payload from the bip40 package.
The malware, which the researchers named NodeCordRAT, is a remote access trojan (RAT) built to steal data and hand over control of infected machines. It fingerprints the victim’s system - Windows, macOS, or Linux - and establishes a covert channel with a hardcoded Discord server. Through this channel, the attacker can issue commands: run shell commands, take screenshots, or exfiltrate files, all using Discord’s own API as the transport.
Discord: The Unlikely Accomplice
NodeCordRAT’s use of Discord as a command center is both clever and alarming. By leveraging Discord’s REST API and a hardcoded authentication token, the malware sends stolen files as message attachments to a private channel, hiding in plain sight among legitimate traffic. This approach makes detection trickier for security teams, who may not expect such abuse of a popular chat platform.
Broader Implications
The NodeCordRAT campaign is a stark reminder: the software supply chain is only as strong as its weakest link. Developers and crypto users are juicy targets, and attackers are increasingly blending social engineering with technical subterfuge. As npm and other registries race to catch up, vigilance and skepticism have never been more essential.
Conclusion
The NodeCordRAT incident exposes a dangerous new vector for digital heists - one that exploits trust, technical know-how, and the very platforms that power open-source innovation. As the line blurs between legitimate tools and weaponized code, the burden falls on everyone in the ecosystem to double-check, verify, and, above all, never assume safety by default.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- npm: npm is a central online library where developers share, update, and manage JavaScript code packages to build software efficiently and securely.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
- Seed Phrase: A seed phrase is a set of words that acts as the master key to a crypto wallet. Anyone with it can access and control your funds.