MAL-2026-6549: Malicious code in discord-token-generator (PyPI)
The discord-token-generator package on PyPI versions 1.0.0 through 1.0.3 contains malicious code that executes a hidden Windows binary upon import. This binary, obfuscated and launched without a visible console, acts as an infostealer named "NBSteal" targeting credentials and data from browsers, Telegram, Discord, Roblox, and other platforms. The package impersonates Discord to lure users into installing it. This behavior confirms the package's malicious intent and risk to users who install it.
AI Analysis
Technical Summary
The discord-token-generator PyPI package versions 1.0.0 to 1.0.3 include code that, when imported, concatenates and base64-decodes multiple obfuscated string chunks, then XOR-deobfuscates the result to produce a Windows executable. This executable is saved to the temporary directory and launched silently with no console window. The embedded executable is an infostealer named "NBSteal" that exfiltrates data from browsers, Telegram, Discord, Roblox, and other gaming platforms, as well as credentials. The package metadata falsely claims to be an official Discord development tool, using brand impersonation as a social engineering tactic. The multi-layer obfuscation and covert execution confirm the package is malicious.
Potential Impact
Any system that imports the affected versions of the discord-token-generator package will execute a hidden Windows binary that steals sensitive information, including credentials and data from multiple applications and platforms. This compromises user privacy and security, potentially leading to credential theft and unauthorized data exfiltration.
Mitigation Recommendations
Avoid installing or importing the discord-token-generator package versions 1.0.0 through 1.0.3. Since this is a malicious package rather than a vulnerability in legitimate software, remediation involves removing any installations of these versions and using trusted, verified packages. No official patch or fix exists because the package itself is malicious. Users should rely on verified sources and avoid packages impersonating legitimate brands.
MAL-2026-6549: Malicious code in discord-token-generator (PyPI)
Description
The discord-token-generator package on PyPI versions 1.0.0 through 1.0.3 contains malicious code that executes a hidden Windows binary upon import. This binary, obfuscated and launched without a visible console, acts as an infostealer named "NBSteal" targeting credentials and data from browsers, Telegram, Discord, Roblox, and other platforms. The package impersonates Discord to lure users into installing it. This behavior confirms the package's malicious intent and risk to users who install it.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The discord-token-generator PyPI package versions 1.0.0 to 1.0.3 include code that, when imported, concatenates and base64-decodes multiple obfuscated string chunks, then XOR-deobfuscates the result to produce a Windows executable. This executable is saved to the temporary directory and launched silently with no console window. The embedded executable is an infostealer named "NBSteal" that exfiltrates data from browsers, Telegram, Discord, Roblox, and other gaming platforms, as well as credentials. The package metadata falsely claims to be an official Discord development tool, using brand impersonation as a social engineering tactic. The multi-layer obfuscation and covert execution confirm the package is malicious.
Potential Impact
Any system that imports the affected versions of the discord-token-generator package will execute a hidden Windows binary that steals sensitive information, including credentials and data from multiple applications and platforms. This compromises user privacy and security, potentially leading to credential theft and unauthorized data exfiltration.
Mitigation Recommendations
Avoid installing or importing the discord-token-generator package versions 1.0.0 through 1.0.3. Since this is a malicious package rather than a vulnerability in legitimate software, remediation involves removing any installations of these versions and using trusted, verified packages. No official patch or fix exists because the package itself is malicious. Users should rely on verified sources and avoid packages impersonating legitimate brands.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6549
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed6927e9c7971993827c
Added to database: 06/29/2026, 22:10:49 UTC
Last enriched: 06/29/2026, 22:35:04 UTC
Last updated: 06/30/2026, 02:51:11 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.