Find notable cyber news and cases, enriched with sources, timelines, and signals.

VVS Stealer infostealer steals Discord tokens and browser data

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 2 articles

Summary

Hide ▲

NodeCordRAT is a previously undocumented RAT delivered through malicious npm packages that impersonate bitcoinjs project repositories and abuse Discord for command-and-control and data theft. The campaign used `bitcoin-main-lib`, `bitcoin-lib-js`, and `bip40`, with `bitcoin-main-lib` and `bitcoin-lib-js` running `postinstall.cjs` to install `bip40` during package installation. The malware can steal Google Chrome credentials, API tokens, and MetaMask seed phrases, and it can execute commands, take screenshots, and upload files via Discord API endpoints. The packages were taken down by November 2025.

Related Happenings

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
H score22 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Latest development: 29.05.2026 11:10

mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.

Discord defaults voice and video calls to end-to-end encryption

Security Tool/Service
H score58 First: 19.05.2026 23:37 Last: 19.05.2026 23:37 Sources 1

About this happening: **Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
H score28 First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Timeline

  1. 05.01.2026 09:48 3 articles · 6mo ago

    VVS Stealer disclosed targeting Discord credentials

    Initial Disclosure

    Palo Alto Networks Unit 42 disclosed VVS Stealer (VVS $tealer), a Python-based information stealer that has been sold on Telegram since at least April 2025 and is used to harvest Discord credentials and tokens. The malware uses Pyarmor-obfuscated code, is distributed as a PyInstaller package, persists through the Windows Startup folder, steals Chromium and Firefox browser data and screenshots, and can hijack Discord sessions by terminating the app, downloading an obfuscated JavaScript payload, and monitoring traffic through the Chrome DevTools Protocol (CDP).

    Show sources