A recent exposé revealed a dangerous incident: someone uploaded three malicious packages to npm that impersonated Bitcoin libraries (bitcoin-main-lib, bitcoin-lib-js, bip40). Before they were taken down, the packages had been downloaded more than 3,400 times. The number may look small, but the consequences are serious.
The NodeCordRAT trojan embedded in these packages is essentially a digital-asset thief. It steals saved login credentials from the Chrome browser and various API tokens, and, most dangerously, it extracts private keys and seed phrases from MetaMask wallets. Once a developer installs and runs one of these packages, their entire wallet is effectively open to the attacker. Unlike a password, a leaked seed phrase cannot be rotated; the only remedy is to move the funds to a freshly generated wallet.
This incident is a reminder that npm supply-chain security must not be taken lightly. Developers should be extra cautious when pulling in dependencies: verify the publisher, linked repository and publication history of unfamiliar or unusually updated packages, and be suspicious of names that differ only slightly from well-known libraries. Anyone who installed one of the three packages should treat every credential on that machine as compromised: rotate API tokens and passwords, and move funds out of any wallet whose keys or seed phrase were present on it. For high-value credential stores such as MetaMask and Chrome, regularly review extension permissions and install plugins cautiously.
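The commenters below ask how to check what they have already installed. The following is an added example, not code from the original post or from any of the projects mentioned: a Node.js script that audits a package-lock.json for the three package names in the report, for near-miss lookalikes of legitimate Bitcoin libraries, for unfamiliar packages in the wallet/Bitcoin namespace, and for packages that run install scripts. The lock-file content, the "known good" list, the keyword pattern and the edit-distance threshold are assumptions chosen for this illustration.

```javascript
// Added example, not code from the original post: audit an npm package-lock.json
// for the three package names reported above, for lookalikes of legitimate
// Bitcoin libraries, and for packages that run install scripts. The lock-file
// content, the "known good" list, the keyword pattern and the edit-distance
// threshold are all assumptions made for this illustration.

// Names taken from the report.
const KNOWN_MALICIOUS = new Set(['bitcoin-main-lib', 'bitcoin-lib-js', 'bip40']);

// Legitimate libraries an attacker would plausibly imitate (assumed list;
// extend it with what your project really depends on).
const LEGIT = ['bitcoinjs-lib', 'bip39', 'bip32', 'bitcoinjs-message'];

// Any unfamiliar package in the wallet / Bitcoin namespace deserves a look
// even if it is not a near-miss of a known name (assumed keyword pattern).
const SENSITIVE = /bitcoin|bip\d|wallet|metamask/i;

// Maximum Levenshtein distance at which a name counts as a lookalike.
const MAX_DISTANCE = 2;

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Collect {name, hasInstallScript} for every installed package.
// Supports lockfileVersion 2/3 ("packages", keyed by path) and falls back to
// the nested "dependencies" tree of lockfileVersion 1.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const idx = path.lastIndexOf('node_modules/');
      const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
      out.push({ name, hasInstallScript: entry.hasInstallScript === true });
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        out.push({ name, hasInstallScript: false }); // v1 has no such flag
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Returns [{name, reasons:[...]}] for every package that trips a check.
function auditLockfile(lockJson) {
  const findings = [];
  for (const { name, hasInstallScript } of installedPackages(JSON.parse(lockJson))) {
    const reasons = [];
    if (KNOWN_MALICIOUS.has(name)) {
      reasons.push('known-malicious');
    } else if (!LEGIT.includes(name)) {
      const near = LEGIT.find((l) => levenshtein(name, l) <= MAX_DISTANCE);
      if (near) reasons.push(`lookalike:${near}`);
      else if (SENSITIVE.test(name)) reasons.push('sensitive-namespace');
    }
    // Install scripts run arbitrary code at `npm install` time, before any
    // of the package's code is ever imported, so they get a separate flag.
    if (hasInstallScript) reasons.push('install-script');
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample lock file (lockfileVersion 3) for demonstration only.
const SAMPLE_LOCK = JSON.stringify({
  name: 'wallet-tool',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-tool' },
    'node_modules/bitcoinjs-lib': { version: '6.1.5' },
    'node_modules/bip39': { version: '3.1.0' },
    'node_modules/bip40': { version: '1.0.2', hasInstallScript: true },
    'node_modules/bitcoin-lib-js': { version: '0.0.3' },
    'node_modules/bitconjs-lib': { version: '1.0.0' },
    'node_modules/metamask-helper': { version: '0.1.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}: ${f.reasons.join(', ')}`);
}
```

For a real project, read the contents of package-lock.json and pass the string to auditLockfile. Name-based checks only catch impersonation and typosquatting; a flagged package still needs a look at its publisher, repository link and version history on the registry, and an unfamiliar package with an install script should be inspected before it is ever installed.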
NFTFreezer
· 01-09 03:50
Damn it, it's another npm mess, unavoidable and unpredictable.
Over 3400 downloads, just thinking about it gives me chills... I need to check the packages I installed immediately.
Damn, even MetaMask's private keys can be stolen? That’s really ruthless.
npm really needs to tighten its review process; now anyone can publish packages.
Next time, I must check the package's submission history and download count. I can't just install random stuff.
This supply chain attack is truly top-notch; developers need to be more cautious.
FortuneTeller42
· 01-09 03:49
Oh my, over 3400 times? How much money must be at stake for such reckless behavior...
---
Is npm's defense line also this fragile now? No wonder I have to review everything myself now.
---
Another case of impersonating well-known libraries. Fine, from now on I'll check the checksums for all of them.
---
I just want to know how the 3400 downloads are doing now. Has anyone been hacked?
---
MetaMask private key directly stolen... This is even worse than social engineering. The guys who got caught probably want to cry in the bathroom.
---
Why does it always take an incident to remind us about security? I really can't hold it anymore.
---
This is why I never trust unfamiliar packages. Checking the ratings and update times is enough.
---
A hardcore reminder, but honestly, most people still install recklessly. What's the use of knowing?
---
Why are there so many "fake" nodes in the Node.js ecosystem? Maintainers must be so exhausted.
BlockchainTherapist
· 01-09 03:34
3400 downloads may not be much, but it's really terrifying. How many people's wallets would just explode...
---
You really need to be cautious with npm. Who knows which package is a honeypot?
---
I'm genuinely worried about MetaMask private key theft, and regular audits are necessary.
---
Supply chain security in Web3 has never been truly solved. Picking a package feels like opening a blind box.
---
Why is it always like this? Developers are too careless.
---
The name bitcoin-main-lib is too sneaky. You really need to check the source carefully.
---
Credential theft on Chrome is bad enough, but MetaMask is the real life-threatening issue.
NeonCollector
· 01-09 03:32
3,400 downloads? Really? How many people have fallen for this... Is npm's security this lax now?
TokenRationEater
· 01-09 03:30
3400 downloads may not seem like much, but if just one gets compromised, it's all over.
---
The npm ecosystem is getting more and more murky; these days, anyone dares to upload any package.
---
I just want to know what these people are thinking—do they really believe they can hide everything?
---
MetaMask private keys can be stolen, which is even worse than directly robbing money.
---
It's another supply chain issue; developers need to be more cautious.
---
3400 developers with gambler's mentality—daring to use unfamiliar packages.
---
This kind of attack is truly hard to prevent; you can only be extremely careful.
---
I've been saying that npm's review mechanism is virtually useless, and sure enough, something happened.
---
Exposing private keys is equivalent to social death; this issue calls for deep reflection.
---
It feels like Web3 security is always firefighting; there's simply no real solution.