Security researchers at Zscaler have unearthed a sophisticated campaign exploiting prevalent cryptocurrency themes. Three deleterious libraries were discovered within the official npm repository, serving as conduits for a previously undocumented Remote Access Trojan (RAT) designated as NodeCordRAT. These packages, masquerading as legitimate components affiliated with Bitcoin projects, were uploaded by an actor using the pseudonym “wenmoonx” and have since been purged from the platform.
The malicious packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—relied on a two-stage installation sequence. The first two shipped a postinstall.cjs script that npm ran automatically on installation; that script then fetched and installed bip40, which carried the core malicious payload. With a cumulative download count approaching 3,500, the campaign represents a significant offensive against developers and users within the crypto-asset ecosystem.
NodeCordRAT facilitates a covert connection by utilizing Discord as its primary command-and-control (C2) infrastructure. Upon successful infiltration, the malware exfiltrates granular system telemetry and generates a unique hardware identifier across diverse operating systems, including Windows, Linux, and macOS. It then establishes an encrypted link to a predefined Discord server to await instructions.
The functional repertoire of NodeCordRAT permits adversaries to execute arbitrary commands, capture and transmit desktop screenshots, and upload sensitive files directly to a Discord channel. By leveraging the Discord API and embedded authentication tokens, the attackers can orchestrate compromised systems with remarkable ease.
Of particular interest to the operators are Google Chrome credentials, API tokens, and the seed phrases of cryptocurrency wallets such as MetaMask. The architecture and nomenclature of these packages were meticulously designed to mimic authentic libraries from the bitcoinjs project—such as bitcoinjs-lib, bip32, and bip38—thereby increasing the likelihood that developers would perceive them as trustworthy utilities.
Experts emphasize that this campaign underscores an escalating trend of weaponizing public repositories for malware distribution, particularly within the lucrative cryptocurrency sector. Such incursions are becoming increasingly refined, blending seamlessly with legitimate software solutions and co-opting popular communication platforms to facilitate data exfiltration and systemic control.