
Cross-ecosystem malicious packages using Discord webhooks for C2

Malware Activity · Happening score 22 · 1 unique source, 1 article

Summary


Malicious packages across npm, PyPI, and RubyGems.org are using Discord webhooks as a C2 channel to steal developer and host data, putting developer machines and CI runners at risk. The abuse lets the packages blend exfiltration into ordinary network traffic while hiding the destination behind write-only webhook URLs. Specific packages include mysql-dumpdiscord, malinssx, malicus, maliinn, and sqlcommenter_rails. The behavior can leak config files, credentials, and host details before runtime defenses detect anything.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
First: 06.05.2026 12:48 Last: 06.05.2026 12:48 Sources 1

About this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...

Timeline

  1. 14.10.2025 10:09 · 2 articles

    Researchers identify Discord-webhook malware packages across npm, PyPI, and RubyGems.org

    Initial Disclosure

    Security researchers identified malicious packages in npm, PyPI, and RubyGems.org that use Discord webhooks as a command-and-control channel to exfiltrate developer configuration files and host details to actor-controlled channels. The packages include mysql-dumpdiscord, malinssx, malicus, maliinn, and sqlcommenter_rails, and the broader abuse can leak .env files, API keys, browser credentials, keystrokes, screenshots, /etc/passwd, and /etc/resolv.conf from developer machines and CI runners. The same disclosure also described a separate North Korean Contagious Interview wave that used 338 malicious npm packages, fake personas, and C2 endpoints to deliver BeaverTail and InvisibleFerret to Web3, cryptocurrency, and blockchain developers, as well as job seekers approached on LinkedIn.
