Crypto Developers Ambushed: Discord-Driven RAT Hijacks Chrome Data via NPM Trap
Subtitle: A new breed of malware disguised as trusted code libraries has targeted cryptocurrency developers, stealing passwords and wallet keys through a Discord-controlled backdoor.
It started with what looked like a simple coding shortcut. But for thousands of developers working on cryptocurrency projects, a routine download from the popular NPM repository opened the door to a sophisticated cyberattack, one that quietly siphoned off sensitive data and handed hackers the keys to the digital kingdom, all orchestrated from a private Discord chat room.
The Anatomy of a Modern Supply Chain Attack
In November 2025, researchers at Zscaler ThreatLabz uncovered a new supply chain attack targeting the crypto world’s most vital resource: its developers. The attackers uploaded three malicious packages, bip40, bitcoin-lib-js, and bitcoin-main-lib, to the public NPM registry, each named to closely resemble legitimate bitcoinjs project tools. This clever naming was no accident; it was a deliberate effort to trick developers into trusting and installing the tainted code.
Once a developer installed either bitcoin-lib-js or bitcoin-main-lib, a hidden script automatically fetched bip40, the real payload. No warnings, no user prompts, just an invisible infection that installed NodeCordRAT, a Remote Access Trojan built on Node.js. Even more insidious, bip40 could be downloaded directly, bypassing the decoys altogether.
Discord: From Gamer Hangout to Hacker Command Center
What set this attack apart wasn’t just the technical sleight of hand, but the hackers’ choice of control channel. Instead of a bespoke server or obscure protocol, NodeCordRAT phoned home to a private Discord channel. There, attackers issued simple commands like !run to execute arbitrary code, !screenshot to spy on victims’ desktops, and !sendfile to steal files, all in real time, with the infected computers acting as silent accomplices.
Their loot? Chrome-stored passwords, cryptocurrency wallet secrets, and confidential business configuration files: everything needed to drain funds or compromise operations. The attack’s precision, targeting developers who often hold the digital keys to entire projects, made it especially devastating.
Aftermath: Damage Assessment and Lessons Learned
Though NPM has since purged the rogue packages, the incident underscores the risks lurking in the software supply chain. Developers who installed any of the named packages should immediately audit their systems for compromise, change passwords, and rotate crypto wallet keys. For the broader tech community, it’s a stark reminder: even the most trusted repositories can become attack vectors in the hands of patient, creative adversaries.
The NodeCordRAT campaign is a chilling demonstration that in today’s hyperconnected world, a single careless download can bridge the gap between a secure project and catastrophic data theft. For developers and organizations alike, vigilance and supply chain hygiene are more crucial than ever.
WIKICROOK
- NPM: npm is a central online library where developers share, update, and manage JavaScript code packages to build software efficiently and securely.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
- MetaMask: MetaMask is a digital wallet used to store, send, and receive cryptocurrencies, and interact with decentralized apps on Ethereum and compatible blockchains.
- .env File: .env files securely store environment variables, such as API keys and credentials, keeping sensitive configuration data separate from application code.