Malicious NPM Packages Deliver NodeCordRAT

Jan. 8, 2026, 12:44 p.m.

Description

Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for command-and-control communication and targets Chrome credentials, sensitive secrets, and MetaMask data. It performs host fingerprinting, executes shell commands, captures screenshots, and exfiltrates data. The malware exploits software supply chain vulnerabilities, highlighting the importance of vigilance in package management. Although the packages have been removed from npm, the incident serves as a reminder of ongoing threats in the software development ecosystem.

Date

  • Created: Jan. 8, 2026, 11:41 a.m.
  • Published: Jan. 8, 2026, 11:41 a.m.
  • Modified: Jan. 8, 2026, 12:44 p.m.

Attack Patterns

  • NodeCordRAT