Supply-chain threat intelligence
Risk score: 92
Indexed incident for discord-token-generator (pypi).
discord_token_generator/__init__.py imports tokens.py, which instantiates TokenManager() at module load. The constructor calls notin(), which concatenates eight large opaque string chunks (ytouhqifgm, nqbardpoze, wqopxtejdv, zywnltfdmd, ljqvzqnjsm, pkehqytikl, pkciygtgum, cmdelmtwgz), base64-decodes the result, XOR-deobfuscates it with key 66, writes the bytes to %TEMP%\tokens.tmp, and launches the file via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so no console appears. Any machine that imports this package runs the decoded Windows binary covertly.
The package metadata (name 'discord-token-generator', author 'DiscordDev', email 'dev@discord.com', description 'Generate valid Discord tokens for development and testing') impersonates Discord as a social-engineering lure to attract installers searching for Discord token tooling. The multi-chunk obfuscation, hidden execution flags, and Discord brand impersonation together confirm malicious intent.
During import, the package executes the embedded executable. It is an infostealer internally named "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, as well as other credentials.
Category: MALICIOUS - The campaign has clearly malicious intent, such as infostealers.
Campaign: 2026-06-discord-token-generator
Reasons (based on the campaign):
infostealer
files-exfiltration
obfuscation
exfiltration-browser-data
malware
target:telegram
exfiltration-credentials