Zscaler finds fake Bitcoin npm modules with NodeCordRAT; 3,400+ installs by Nov 2025

Zscaler ThreatLabz reported three malicious Bitcoin-themed npm packages that installed a remote access trojan dubbed NodeCordRAT. The packages bitcoin-main-lib, bitcoin-lib-js, and bip40 were removed from the npm registry in November 2025 after accumulating over 3,400 downloads, and the malware targets Chrome credentials, .env tokens, and MetaMask wallet secrets.