Attack Flows | Image: Zscaler ThreatLabz
The open-source ecosystem has once again been weaponized, this time targeting developers working with cryptocurrency libraries. In a new report released this week, Zscaler ThreatLabz revealed the discovery of a sophisticated Remote Access Trojan (RAT) hiding within the npm registry, designed to loot browser credentials and crypto wallets while using Discord as a stealthy command-and-control center.
Dubbed NodeCordRAT, the malware was distributed through three malicious packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—discovered in November 2025. These packages were cunningly named to mimic legitimate tools from the popular bitcoinjs project, tricking developers into downloading them.
What sets NodeCordRAT apart is its reliance on the popular chat platform Discord to manage infected machines. Rather than setting up a dedicated server, the attackers use Discord’s own infrastructure to send commands and receive stolen data.
“ThreatLabz named this new malware family NodeCordRAT since it is spread via npm and uses Discord servers for C2 communication,” the report states.
By leveraging Discord’s API, the malware can blend its malicious traffic with legitimate user activity, making it difficult for traditional security tools to detect.
Once a fake library is installed, typically through a postinstall script, NodeCordRAT launches and goes on a digital looting spree. It targets a specific set of high-value data:
- Chrome Credentials: It “extracts and uploads Chrome profile Login Data SQLite databases and the Local State file”.
- Crypto Wallets: It specifically hunts for MetaMask data, locating files that “include the MetaMask extension ID (nkbihfbeogaeaoehlefnkodbefgpgknn)”.
- Sensitive Secrets: The malware recursively searches the user’s home directory for filenames containing .env, hoping to find API keys and environment variables.
The stolen data isn’t just uploaded to a server; it’s sent as a chat message. The report details how the malware uses a hardcoded bot token to upload files to a private Discord channel.
“The stolen files are uploaded as message attachments via Discord’s REST endpoint… Before uploading the stolen data, NodeCordRAT verifies that each file exists and is not empty”.
If a file transfer fails, the malware even sends a helpful error message back to the attackers, such as “Failed to send file…”.
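To make the behaviour described above concrete from a defender's side, here is an added example (not code from the report or from the malicious packages) of a small Node.js triage script that flags a package whose install hook ships code referencing the artifacts the report names: the Discord REST API host, Chrome's Login Data and Local State files, the MetaMask extension ID, and .env. The sample package name and file contents are constructed, and the indicator list and risk scoring are my own assumptions, not ThreatLabz's detection logic.

```javascript
// Added example, not ThreatLabz's code. Heuristic triage for npm packages:
// an install-time hook plus references to the artifacts named in the report.
const INDICATORS = [
  { id: "discord-api", re: /discord(app)?\.com\/api/i },      // Discord REST C2
  { id: "chrome-login-data", re: /Login Data/ },              // Chrome credential DB
  { id: "chrome-local-state", re: /Local State/ },            // Chrome key material
  { id: "metamask-ext-id", re: /nkbihfbeogaeaoehlefnkodbefgpgknn/ }, // MetaMask
  { id: "dotenv-hunt", re: /\.env\b/ },                       // secrets in .env files
];
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Lifecycle hooks that `npm install` would execute for this package.json.
function lifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === "string")
    .map((k) => ({ hook: k, cmd: scripts[k] }));
}

// Indicator ids present in one source file's text.
function scanSource(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
}

// Risk: "high" = install hook + Discord indicator + at least one theft indicator;
// "medium" = install hook + either kind; otherwise "low". (Assumed scoring.)
function assessPackage({ name, pkg, files }) {
  const hooks = lifecycleHooks(pkg);
  const hits = new Set();
  for (const text of Object.values(files)) scanSource(text).forEach((h) => hits.add(h));
  const c2 = hits.has("discord-api");
  const theft = [...hits].some((h) => h !== "discord-api");
  let risk = "low";
  if (hooks.length && c2 && theft) risk = "high";
  else if (hooks.length && (c2 || theft)) risk = "medium";
  return { name, hooks, indicators: [...hits].sort(), risk };
}

// Constructed sample mimicking the reported pattern (look-alike name, postinstall
// hook, Discord upload, credential/wallet paths). Not the real package contents.
const SAMPLE = {
  name: "bitcoin-lib-js-lookalike",
  pkg: { name: "bitcoin-lib-js-lookalike", scripts: { postinstall: "node setup.js" } },
  files: {
    "setup.js": 'fetch("https://discord.com/api/v10/channels/0/messages");\n' +
      'const p = path.join(profile, "Login Data");\n' +
      'const w = "nkbihfbeogaeaoehlefnkodbefgpgknn";',
  },
};
// Constructed benign package with no hooks and no indicators.
const CLEAN = { name: "plain-util", pkg: { name: "plain-util" }, files: { "index.js": "module.exports = 1;" } };
console.log(assessPackage(SAMPLE), assessPackage(CLEAN));
```

Point it at a real package by reading package.json and each .js file from node_modules into the same shape; a "high" result is a reason to inspect the install hook before trusting the dependency.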
“While these packages have been removed from npm, there will continue to be similar software supply chain threats in the future,” ThreatLabz researchers warned in their conclusion.
Developers are urged to rigorously verify the authenticity of the libraries they include in their projects, especially those dealing with sensitive financial operations like Bitcoin transactions.