Malicious NPM Packages Deliver NodeCordRAT
ID: 5c10a943-59f5-55e4-a4a1-f368aca368b0
STIX ID: report--5c10a943-59f5-55e4-a4a1-f368aca368b0
Feed Name: Zscaler Security Research Blog
This report describes NodeCordRAT being distributed through malicious npm packages (for example, 'bip40') that serve as required dependencies for legitimate-seeming wrapper packages. The package's postinstall.cjs script resolves and launches the RAT under PM2 in detached mode, which achieves runtime persistence and automatic execution without user interaction. Excerpts of package.json and postinstall.cjs are included.
