
Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages

Low
Malware
Published: Thu Jan 08 2026 (01/08/2026, 10:31:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT. The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named "wenmoonx."

bitcoin-main-lib (2,300 downloads)
bitcoin-lib-js (193 downloads)
bip40 (970 downloads)

"The

AI-Powered Analysis

Last updated: 01/08/2026, 16:56:32 UTC

Technical Analysis

Cybersecurity researchers identified three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—uploaded by a user named "wenmoonx" that delivered a previously undocumented malware called NodeCordRAT. These packages masqueraded as legitimate Bitcoin-related libraries and collectively had several thousand downloads before being removed in November 2025. The attack chain begins with bitcoin-main-lib and bitcoin-lib-js executing a postinstall.cjs script during installation, which installs bip40 containing the NodeCordRAT payload. NodeCordRAT is a remote access trojan that targets Windows, Linux, and macOS environments. It fingerprints infected hosts to generate unique identifiers and establishes covert command-and-control (C2) communication channels via a hardcoded Discord server using Discord's API. The malware supports commands to execute arbitrary shell commands, capture full desktop screenshots, and upload specified files to the Discord channel, enabling extensive data theft and reconnaissance. Notably, NodeCordRAT steals Google Chrome credentials, API tokens, and seed phrases from cryptocurrency wallets such as MetaMask, posing significant risks to users involved in cryptocurrency transactions. The threat actor mimicked legitimate bitcoinjs repositories to evade detection and increase trust. The use of npm as a propagation vector and Discord for C2 communications exemplifies sophisticated abuse of trusted platforms to evade traditional security controls. Although no known exploits are currently active in the wild, the malware’s capabilities and stealthy communication channel present a serious supply chain risk. This incident underscores the vulnerability of open-source package ecosystems to malicious code injection and the need for enhanced supply chain security measures.

Potential Impact

For European organizations, the NodeCordRAT malware poses significant risks primarily through the compromise of developer environments and cryptocurrency-related applications. Organizations relying on npm packages, especially those in fintech, cryptocurrency, and software development sectors, could have sensitive credentials and wallet seed phrases stolen, leading to financial losses and unauthorized access to critical systems. The malware’s ability to execute arbitrary commands and exfiltrate files via Discord channels could facilitate lateral movement, espionage, or data leakage. The multi-platform nature of the RAT increases the attack surface across Windows, Linux, and macOS systems commonly used in European enterprises. Given the stealthy use of legitimate platforms like npm and Discord, traditional perimeter defenses may fail to detect or block the threat, increasing the risk of prolonged undetected compromise. Additionally, the theft of API tokens could enable attackers to abuse cloud services or internal APIs, amplifying the potential damage. The reputational impact and regulatory consequences under GDPR for data breaches involving credential theft or unauthorized access could be severe. Overall, the threat could disrupt operations, cause financial damage, and erode trust in software supply chains.

Mitigation Recommendations

European organizations should implement a multi-layered approach to mitigate the NodeCordRAT threat. First, enforce strict supply chain security by auditing and vetting all npm packages before use, preferably relying on well-known, verified sources and avoiding untrusted or obscure packages. Employ automated tools to scan for malicious post-install scripts and unusual behaviors during package installation. Implement runtime monitoring to detect suspicious processes invoking shell commands or unusual network connections, especially to Discord or other non-standard C2 channels. Network segmentation and egress filtering should block unauthorized Discord API traffic from endpoints and developer environments. Use endpoint detection and response (EDR) solutions capable of identifying RAT behaviors such as screenshot capture and file exfiltration. Educate developers and users about the risks of installing unverified packages and the importance of verifying package provenance. Regularly rotate and secure API tokens and credentials, and monitor for anomalous usage patterns. Employ multi-factor authentication and hardware security modules for cryptocurrency wallets to reduce the impact of stolen seed phrases. Finally, maintain an incident response plan tailored to supply chain attacks and RAT infections to enable rapid containment and remediation.
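As an added, defender-side example (not code from the article, the researchers, or this page), the following Python audit walks an npm install tree, flags any package that declares an install-time lifecycle hook (the postinstall.cjs vector described above), and reports whether the hook command or the local script it runs references Discord, the C2 channel named in the analysis. The package names and file contents it creates are constructed demo data.

```python
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DISCORD_REF = re.compile(r"discord(?:app)?\.com", re.IGNORECASE)

def scan_tree(root):
    """Flag every package.json under root that declares an install-time hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if not hooks:
            continue
        # Inspect the hook command line plus any local file it names (e.g. postinstall.cjs)
        text = " ".join(hooks.values())
        for token in text.split():
            path = os.path.join(dirpath, token)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text += "\n" + fh.read()
        findings.append({"name": meta.get("name", os.path.basename(dirpath)),
                         "hooks": hooks,
                         "discord_reference": bool(DISCORD_REF.search(text))})
    return findings

def build_sample_tree():
    """Constructed node_modules tree (demo data only): one plain package, one hooked."""
    root = tempfile.mkdtemp()
    plain = os.path.join(root, "node_modules", "demo-plain-lib")
    hooked = os.path.join(root, "node_modules", "demo-bitcoin-lib")
    os.makedirs(plain)
    os.makedirs(hooked)
    with open(os.path.join(plain, "package.json"), "w") as fh:
        json.dump({"name": "demo-plain-lib", "version": "1.0.0"}, fh)
    with open(os.path.join(hooked, "package.json"), "w") as fh:
        json.dump({"name": "demo-bitcoin-lib", "version": "0.1.0",
                   "scripts": {"postinstall": "node postinstall.cjs"}}, fh)
    with open(os.path.join(hooked, "postinstall.cjs"), "w") as fh:
        fh.write('// constructed marker, no payload\nconst c2 = "https://discord.com/api/v10";\n')
    return root
```

Running `scan_tree` against a real project's `node_modules` after `npm install --ignore-scripts` lets you review hooks before any of them execute.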


Technical Details

Article Source
Source URL: https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html (fetched 2026-01-08T16:55:09 UTC, 889 words)

Threat ID: 695fe16f2717593a3368db73

Added to database: 1/8/2026, 4:55:11 PM

Last enriched: 1/8/2026, 4:56:32 PM

Last updated: 2/7/2026, 6:49:55 PM

Views: 166
