critical · pypi · credential theft · osv

Malicious code in fsociety-tools (PyPI)

Risk score: 92

AI summary: Indexed incident for fsociety-tools (pypi).

Description

On import, fsociety_tools/__init__.py loads tokens.py, which instantiates TokenManager() at module load time. The constructor concatenates eight large string chunks, base64-decodes the result, XOR-decrypts the bytes with key 66, writes the decoded Windows executable to %TEMP%\fsociety.tmp, and launches it via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so that no console window appears. The surrounding TokenManager/validate_token/TokenAPI scaffolding and the package's self-description as 'Security and penetration testing utilities for ethical hackers' (under a Mr. Robot themed author identity) are cover for the dropper: the advertised CLI only prints fake Discord-shaped tokens, while the real effect of import fsociety_tools (or of invoking the installed fsociety console script, which imports the package) is the materialization and silent execution of an opaque embedded PE on Windows. Splitting the payload across multiple variables, base64+XOR encoding, hidden-window execution, and a decoy benign API together make this an unambiguous import-time binary dropper.

During import, the package executes the embedded executable. It is an infostealer internally named "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, along with other credentials.
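A static check for the import-time dropper pattern described above, added here as an example and not part of this advisory or of the package: it walks a module's AST for base64 decoding, XOR against a constant key, subprocess launches with shell=True or CREATE_NO_WINDOW, and bare calls at module level. The sample module is constructed for the example and carries no payload; CHUNK_A, CHUNK_B and PATH are placeholder names.

```python
import ast
# Constructed sample mirroring the advisory's structure (no payload): import-time
# instantiation, base64 decode, XOR with a constant key, hidden-window launch.
SAMPLE = """
import base64, subprocess
class TokenManager:
    def __init__(self):
        blob = base64.b64decode(CHUNK_A + CHUNK_B)
        data = bytes(b ^ 66 for b in blob)
        subprocess.Popen(PATH, shell=True, creationflags=0x08000000)
TokenManager()
"""
CREATE_NO_WINDOW = 0x08000000
LAUNCHERS = {"subprocess.Popen", "subprocess.run", "subprocess.call"}

def _dotted(node):
    """Dotted name of a call target, e.g. 'subprocess.Popen'; '' if not a plain name."""
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else ""

def dropper_indicators(source):
    """Return the set of indicator tags found in a Python module's source."""
    tree = ast.parse(source)
    tags = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target.endswith("b64decode"):
                tags.add("base64-decode")
            if target in LAUNCHERS:
                kw = {k.arg: k.value for k in node.keywords}
                shell = kw.get("shell")
                if isinstance(shell, ast.Constant) and shell.value is True:
                    tags.add("shell=True")
                flags = kw.get("creationflags")
                if isinstance(flags, ast.Constant) and isinstance(flags.value, int) \
                        and flags.value & CREATE_NO_WINDOW:
                    tags.add("hidden-window")
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitXor):
            if any(isinstance(s, ast.Constant) for s in (node.left, node.right)):
                tags.add("xor-constant-key")
    # A bare call at module level runs as soon as the package is imported.
    if any(isinstance(s, ast.Expr) and isinstance(s.value, ast.Call) for s in tree.body):
        tags.add("import-time-call")
    return tags

def is_suspected_dropper(tags):
    """Decode plus a launch reached at import time is the advisory's dropper signature."""
    return {"import-time-call", "base64-decode"} <= tags and bool(tags & {"hidden-window", "shell=True"})
```

Run dropper_indicators over each module of a package before it is installed; a module that trips is_suspected_dropper warrants manual review of the decoded bytes in a sandbox rather than on the host.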

Category: MALICIOUS - the campaign has clearly malicious intent, such as an infostealer.

Campaign: 2026-06-discord-token-generator

Reasons (based on the campaign):

  • infostealer
  • files-exfiltration
  • obfuscation
  • exfiltration-browser-data
  • malware
  • target:telegram
  • exfiltration-credentials

Technical details

Affected versions

  • =1.0.0
  • =1.0.1
  • =1.0.2
  • >=0

Indicators

  • affected version =1.0.0 (75%)
  • affected version =1.0.1 (75%)
  • affected version =1.0.2 (75%)
  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents