critical · pypi · credential theft · osv

Malicious code in discord-token-generator (PyPI)

discord-token-generator

Risk score

92

AI summary

Indexed incident for discord-token-generator (pypi).

Description

discord_token_generator/__init__.py imports tokens.py, which instantiates TokenManager() at module load. The constructor calls notin(), which concatenates eight large opaque string chunks (ytouhqifgm, nqbardpoze, wqopxtejdv, zywnltfdmd, ljqvzqnjsm, pkehqytikl, pkciygtgum, cmdelmtwgz), base64-decodes the result, XOR-deobfuscates it with key 66, writes the bytes to %TEMP%\tokens.tmp, and launches the file via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so no console appears. Any machine that imports this package runs the decoded Windows binary covertly.

The package metadata (name 'discord-token-generator', author 'DiscordDev', email 'dev@discord.com', description 'Generate valid Discord tokens for development and testing') impersonates Discord as a social-engineering lure to attract installers searching for Discord token tooling. The multi-chunk obfuscation, hidden execution flags, and Discord brand impersonation together confirm malicious intent.

During import, the package executes the embedded executable. It is an infostealer named internally "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, as well as other credentials.
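A static check for the loader pattern described above, as an added example (not code from the advisory or from the package): it parses a module with ast and flags the combination of base64 decoding, XOR with a constant, and subprocess.Popen called with the CREATE_NO_WINDOW flag. The sample source, the trait names and the function names are constructed for illustration.

```python
import ast

CREATE_NO_WINDOW = 0x08000000  # creationflags value quoted in the advisory

# Constructed sample shaped like the advisory's description. It is only
# parsed, never executed; the string chunks are short placeholders.
SAMPLE = '''
import base64, os, subprocess
class TokenManager:
    def __init__(self):
        blob = "QUJD" + "REVG"
        raw = bytes(b ^ 66 for b in base64.b64decode(blob))
        path = os.path.join(os.environ["TEMP"], "tokens.tmp")
        open(path, "wb").write(raw)
        subprocess.Popen(path, shell=True, creationflags=0x08000000)
TokenManager()
'''

def call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.Popen'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def scan(source):
    """Return the set of dropper traits present in one module's source."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
            if any(isinstance(s, ast.Constant) for s in (node.left, node.right)):
                hits.add("xor-constant")
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name.endswith("b64decode"):
            hits.add("base64-decode")
        for kw in node.keywords if name.endswith("Popen") else []:
            val = kw.value.value if isinstance(kw.value, ast.Constant) else None
            if kw.arg == "shell" and val is True:
                hits.add("shell-true")
            if kw.arg == "creationflags" and isinstance(val, int) and val & CREATE_NO_WINDOW:
                hits.add("hidden-window")
    return hits

def is_suspicious(source):
    # Flag only the combination; each trait alone is common in benign code.
    return {"base64-decode", "xor-constant", "hidden-window"} <= scan(source)
```

Run scan() over every .py file of an unpacked sdist or wheel before installation; parsing with ast does not import or execute the package.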


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-discord-token-generator

Reasons (based on the campaign):

  • infostealer

  • files-exfiltration

  • obfuscation

  • exfiltration-browser-data

  • malware

  • target:telegram

  • exfiltration-credentials

Technical details

Affected versions

=1.0.0, =1.0.1, =1.0.2, =1.0.3, >=0

Indicators

  • affected version =1.0.0 (75%)
  • affected version =1.0.1 (75%)
  • affected version =1.0.2 (75%)
  • affected version =1.0.3 (75%)
  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
