Malicious NPM Packages Deliver NodeCordRAT

    Date: 01/14/2026

    Severity: High

    Summary

    In November 2025, three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—were identified. These packages were engineered to deploy a previously unknown remote access trojan (RAT) malware family. The malware, dubbed NodeCordRAT, propagates through npm and leverages Discord servers for command-and-control (C2) communications. NodeCordRAT is designed to harvest Chrome credentials, sensitive secrets such as API tokens, and MetaMask data, including private keys and seed phrases. Collectively, these malicious packages were downloaded several thousand times.

    Indicators of Compromise (IOC) List

    Hash:

    7a05570cda961f876e63be88eb7e12b8

    c1c6f4ec5688a557fd7cc5cd1b613649

    9a7564542b0c53cb0333c68baf97449c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    md5hash IN ("7a05570cda961f876e63be88eb7e12b8","c1c6f4ec5688a557fd7cc5cd1b613649","9a7564542b0c53cb0333c68baf97449c")
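    The query above matches on file hashes inside the Gurucul TDIR platform. For a host or CI check outside that platform, the following script is an added example (not Gurucul's query and not code from the Zscaler write-up) that applies the same three MD5 indicators and the three package names from this advisory to a local directory: it hashes every file under a path, checks a package.json's dependency maps, and checks a package-lock.json in the v2/v3 "packages" layout (the lockfile layout is an assumption; older v1 lockfiles are not parsed). Paths and manifests used for testing are constructed, not real samples.

```python
"""Local hash and package-name check for the NodeCordRAT indicators (added example)."""
import hashlib
import json
import os
from pathlib import Path

# MD5 indicators listed in this advisory.
IOC_MD5 = {
    "7a05570cda961f876e63be88eb7e12b8",
    "c1c6f4ec5688a557fd7cc5cd1b613649",
    "9a7564542b0c53cb0333c68baf97449c",
}

# Package names listed in this advisory.
IOC_PACKAGES = {"bitcoin-main-lib", "bitcoin-lib-js", "bip40"}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large tarballs are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_hashes(root, ioc_hashes=IOC_MD5):
    """Walk `root` and return {path: md5} for every file whose MD5 is in `ioc_hashes`."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in ioc_hashes:
                hits[p] = digest
    return hits


def find_ioc_packages(package_json_text, ioc_packages=IOC_PACKAGES):
    """Return advisory package names found in any dependency map of a package.json."""
    manifest = json.loads(package_json_text)
    found = set()
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        found.update(set(manifest.get(section, {})) & ioc_packages)
    return sorted(found)


def find_ioc_lockfile_packages(lock_text, ioc_packages=IOC_PACKAGES):
    """Check package-lock.json v2/v3 'packages' keys such as 'node_modules/bip40'.

    Nested installs look like 'node_modules/a/node_modules/bip40', so the name is
    taken after the last 'node_modules/' segment. (Assumes the v2/v3 layout.)
    """
    lock = json.loads(lock_text)
    found = set()
    for key in lock.get("packages", {}):
        name = key.rsplit("node_modules/", 1)[-1]
        if name in ioc_packages:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in find_ioc_hashes(root).items():
        print(f"HASH MATCH {digest} {path}")
    pj = Path(root) / "package.json"
    if pj.exists():
        for name in find_ioc_packages(pj.read_text()):
            print(f"PACKAGE MATCH {name} in {pj}")
    lock = Path(root) / "package-lock.json"
    if lock.exists():
        for name in find_ioc_lockfile_packages(lock.read_text()):
            print(f"LOCKFILE MATCH {name} in {lock}")
```

    Run it as `python check_nodecordrat.py /path/to/project`. The hash check only catches the exact files behind the three indicators, so the package-name checks are the more durable signal if the authors republish modified versions under the same names.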

    Reference:

    https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat


    Tags

    Malware, RAT, Node Package Manager (NPM)
