Supply-chain threat intelligence
Risk score: 92
Indexed incident for fsociety-tools (pypi).
On import, fsociety_tools/__init__.py loads tokens.py, which instantiates TokenManager() at module load time. The constructor concatenates eight large string chunks, base64-decodes the result, XOR-decrypts the bytes with key 66, writes the decoded Windows executable to %TEMP%\fsociety.tmp, and launches it via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so that no console window appears. The surrounding TokenManager/validate_token/TokenAPI scaffolding, together with the package's self-description as 'Security and penetration testing utilities for ethical hackers' (under a Mr. Robot themed author identity), is cover for the dropper: the advertised CLI only prints fake Discord-shaped tokens, while the real effect of import fsociety_tools (or of invoking the installed fsociety console script, which imports the package) is the materialization and silent execution of an opaque embedded PE on Windows. Splitting the payload across multiple variables, base64+XOR encoding, hidden-window execution, and a decoy benign API together constitute an unambiguous import-time binary dropper.
During import, the package executes the embedded executable. It is an infostealer internally named "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, as well as other credentials.
Category: MALICIOUS - The campaign has clearly malicious intent (an infostealer).
Campaign: 2026-06-discord-token-generator
Reasons (based on the campaign):
infostealer
files-exfiltration
obfuscation
exfiltration-browser-data
malware
target:telegram
exfiltration-credentials