1. Malicious Bitcoin-Themed npm Packages Delivering NodeCordRAT
Security researchers uncovered three npm packages — bitcoin-main-lib, bitcoin-lib-js, and bip40 — that were deliberately crafted to infect developers’ machines after installation. According to researchers at Zscaler, these packages secretly installed a remote-access trojan designed to steal sensitive information.
What actually happened
Once a developer installed one of these packages, a hidden postinstall.cjs script ran automatically. That script downloaded additional files and deployed the malware in the background, without any visible warning.
After installation, the malware was capable of:
- Stealing saved Chrome browser credentials
- Extracting API tokens and developer secrets
- Harvesting cryptocurrency wallet data, including MetaMask seed phrases
To avoid detection, the attackers used Discord servers as their command-and-control channel, blending malicious traffic with normal user activity.
The package names were intentionally chosen to look like legitimate Bitcoin libraries, making them easy to confuse with real projects.
2. Typosquatted and Impersonated npm Packages Stealing Credentials
In a separate campaign, researchers from Lumifi Cybersecurity discovered a wave of fake npm packages impersonating popular developer libraries.
These packages relied heavily on typosquatting — small spelling changes that are easy to miss during installation.
Common tricks used
- Fake prompts, such as CAPTCHA-style dialogs, to make the malware appear legitimate
- Large secondary payloads downloaded after install
- Cross-platform credential theft affecting Windows, macOS, and Linux
Once active, these packages targeted:
- Developer login credentials
- SSH keys
- Environment variables and secret tokens
Examples of impersonated package names included typescriptjs, dizcordjs, and other near-lookalikes. The malware used multiple layers of obfuscation, which made static code analysis and automated scanners far less effective.
3. npm Info-Stealers Targeting macOS Cursor Users
Another campaign focused on macOS developers using the Cursor AI code editor.
In this case, attackers published npm packages that appeared to be helpful developer utilities. In reality, they contained hidden scripts that opened backdoors on infected systems.
Why this matters
Although the initial reports focused on backdoor access, researchers warned that the same techniques are commonly used to:
- Steal authentication tokens
- Exfiltrate npm and GitHub credentials
- Access cloud provider secrets once the system is compromised
How These Attacks Usually Work
Across all these campaigns, the techniques are strikingly similar:
- Malicious scripts execute automatically during installation
- Environment variables like NPM_TOKEN, GITHUB_TOKEN, and AWS_* are harvested
- Backdoors or covert command-and-control channels are established
- Typosquatting and social engineering are used to trick developers into installing the wrong package
How Developers Can Protect Themselves
- Regularly audit dependencies using npm audit, SBOM tools, or security scanners
- Be extra cautious with unfamiliar or slightly misspelled package names
- Disable install scripts for untrusted packages (npm install --ignore-scripts)
- Rotate credentials immediately if compromise is suspected
- Use scoped, short-lived tokens instead of long-term secrets
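The two warning signs that recur across the campaigns above, install-time lifecycle scripts and near-lookalike names, can be checked before a package is trusted. The following is an added example written for this article, not code from npm or from any of the cited researchers; WATCHLIST is an assumed, illustrative list of well-known package names, and the sample manifests are constructed from names the article mentions.

```javascript
// Added example (not from the cited reports or from npm): audit a parsed
// package.json for install-time lifecycle scripts and for names within a short
// edit distance of well-known packages. WATCHLIST is an assumed example list.
const WATCHLIST = ['typescript', 'discord.js', 'bitcoinjs-lib', 'bip39'];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Lowercase and drop punctuation so "dizcordjs" is compared against "discordjs".
function normalize(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Returns the list of findings for one manifest object; an empty list means clean.
function auditManifest(manifest, maxDistance = 2) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle script "${hook}": ${scripts[hook]}`);
  }
  const name = normalize(manifest.name);
  for (const known of WATCHLIST) {
    const dist = editDistance(name, normalize(known));
    if (dist > 0 && dist <= maxDistance) {
      findings.push(`name "${manifest.name}" is ${dist} edit(s) from "${known}"`);
    }
  }
  return findings;
}

// Constructed sample manifests using package names mentioned in the article.
const SAMPLES = [
  { name: 'dizcordjs', version: '1.0.0', scripts: { postinstall: 'node postinstall.cjs' } },
  { name: 'typescriptjs', version: '5.0.0' },
  { name: 'bip40', version: '0.0.1', scripts: { postinstall: 'node postinstall.cjs' } },
  { name: 'discord.js', version: '14.0.0', scripts: { test: 'jest' } },
];
for (const m of SAMPLES) console.log(m.name, auditManifest(m));
```

A hit on either check is a reason to inspect the package by hand before installing, or to install it with --ignore-scripts while you do.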
