Security researchers have uncovered a new malware campaign targeting developers through the npm ecosystem. The threat involves a previously undocumented remote access trojan called NodeCordRAT, hidden inside Bitcoin-themed packages. These packages appeared legitimate and useful, making them easy for developers to trust. In reality, they were designed to silently infect systems after installation.

The discovery came during routine monitoring of open-source repositories for suspicious behavior. Analysts identified three malicious packages named bitcoin-main-lib, bitcoin-lib-js, and bip40. These packages were uploaded by an account using the name wenmoonx. All three were publicly available before being removed.

What made the campaign effective was how closely the package names resembled real cryptocurrency libraries. Developers searching for Bitcoin utilities could easily mistake them for safe dependencies. While active, the packages recorded thousands of downloads. This significantly increased the potential impact across developer environments.


The malware delivered through these packages was named NodeCordRAT based on how it operates. It is written in Node.js and uses Discord as its command-and-control channel. After installation, the malware connects to an attacker-controlled Discord server. This allows remote instructions to be sent without raising immediate suspicion.

Once active, NodeCordRAT gives attackers deep access to infected systems. It can execute system commands, gather system information, and transfer files. Researchers observed that it fingerprints the host machine to uniquely identify each victim. This level of access effectively turns the device into a remotely controlled system.


A major concern is the malware’s ability to steal sensitive data. NodeCordRAT is programmed to collect browser credentials, API tokens, and stored authentication data. It also targets cryptocurrency wallet information, including seed phrases. Victims risk losing both personal data and digital assets.

The infection process is carefully staged to avoid detection. Two of the packages automatically run scripts during installation. These scripts then install the third package, which contains the actual malware payload. This multi-step approach helps hide the malicious activity from quick reviews.


After the findings were reported, the malicious packages were removed from the npm registry. However, systems that installed them while they were live may still be compromised. Security experts advise removing the packages, rotating credentials, and reviewing systems for unusual activity. The incident highlights the growing risk of supply-chain attacks in open-source software.

Stay alert, and keep your security measures updated!
