Zscaler Discovers Malicious Bitcoin npm Packages with Over 3,400 Downloads
Written by Ohris M. Greyoon, Blockchain & Crypto Expert
- Malware Discovery: Zscaler ThreatLabz identified three malicious Bitcoin npm packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, which together drew over 3,400 downloads. Developers who install such packages unknowingly are exposed to data breaches and security vulnerabilities.
- Attack Chain Analysis: The packages execute a postinstall.cjs script during installation, which installs the malicious bip40. The disguise successfully deceives users, which can result in theft of sensitive information and undermines trust in the security of the npm ecosystem.
- Data Theft Capabilities: The NodeCordRAT malware is capable of stealing Google Chrome credentials, API codes, and MetaMask wallet data, posing a severe threat to user privacy that could lead to financial losses and identity theft for affected individuals.
- Supply Chain Attack Warning: This incident is linked to a previous npm ecosystem attack that resulted in nearly $8.5 million in stolen funds, underscoring the need for developers to stay vigilant when using third-party libraries to prevent similar supply chain attacks.
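The install-time chain described above can be checked for from a project's lockfile. This added example (not code from Zscaler or the article) audits a parsed package-lock.json (lockfileVersion 2 or 3) for the three package names reported here and for any entry npm marks with `hasInstallScript`; the sample lockfile, its versions and `example-native-addon` are constructed.

```javascript
// Package names taken from the article above.
const REPORTED = new Set(["bitcoin-main-lib", "bitcoin-lib-js", "bip40"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Audit a parsed package-lock.json and return one finding per suspicious entry.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = packageName(key);
    const reasons = [];
    if (REPORTED.has(name)) reasons.push("reported-malicious-name");
    // npm sets hasInstallScript when a package declares install lifecycle scripts
    if (entry.hasInstallScript) reasons.push("runs-install-script");
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      if (REPORTED.has(dep)) reasons.push(`depends-on:${dep}`);
    }
    if (reasons.length) findings.push({ path: key, name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile: layout and versions are made up for the demo,
// not taken from the real packages.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-plain-lib": { version: "0.0.0-sample" },
    "node_modules/example-native-addon": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/bitcoin-lib-js": {
      version: "0.0.0-sample", hasInstallScript: true,
      dependencies: { bip40: "*" },
    },
    "node_modules/bitcoin-lib-js/node_modules/bip40": { version: "0.0.0-sample" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reasons.join(", ")}`);
}
```

On a real project, pass the result of `JSON.parse` on package-lock.json to `auditLockfile`. Installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as postinstall from running while flagged entries are reviewed.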
About the author

Ohris M. Greyoon
Ohris M. Greyoon holds a Master’s in Computer Science from MIT and has 10 years of experience in blockchain technology and cryptocurrency markets. A pioneer in decentralized finance (DeFi) analysis, he leads Intellectia’s Crypto News, offering cutting-edge insights into digital assets.






