Cross-ecosystem malicious packages using Discord webhooks for C2
Malware Activity
Summary
Hide ▲
Show ▼
Malicious packages across npm, PyPI, and RubyGems.org are using Discord webhooks as a C2 channel to steal developer and host data, putting developer machines and CI runners at risk. The abuse lets the packages blend exfiltration into ordinary network traffic while hiding the destination behind write-only webhook URLs. Specific packages include mysql-dumpdiscord, malinssx, malicus, maliinn, and sqlcommenter_rails. The behavior can leak config files, credentials, and host details before runtime defenses detect anything.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Gremlin stealer modular toolkit evolution
Malware Activity
H score21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer modular toolkit evolution
Malware ActivityAbout this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
H score28
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware ActivityAbout this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Timeline
-
14.10.2025 10:09 2 articles · 8mo ago
Researchers identify Discord-webhook malware packages across npm, PyPI, and RubyGems.org
Initial DisclosureSecurity researchers identified malicious packages in npm, PyPI, and RubyGems.org that use Discord webhooks as a command-and-control channel to exfiltrate developer configuration files and host details to actor-controlled channels. The packages include mysql-dumpdiscord, malinssx, malicus, maliinn, and sqlcommenter_rails, and the broader abuse can leak .env files, API keys, browser credentials, keystrokes, screenshots, /etc/passwd, and /etc/resolv.conf from developer machines and CI runners. The same disclosure also described a separate North Korean Contagious Interview wave that used 338 malicious npm packages, fake personas, and C2 endpoints to deliver BeaverTail and InvisibleFerret to Web3, cryptocurrency, blockchain developers, and job seekers approached on LinkedIn.
Show sources
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09