VVS Stealer infostealer steals Discord tokens and browser data
Malware Activity
Summary
Hide ▲
Show ▼
NodeCordRAT is a previously undocumented RAT delivered through malicious npm packages that impersonate bitcoinjs project repositories and abuse Discord for command-and-control and data theft. The campaign used `bitcoin-main-lib`, `bitcoin-lib-js`, and `bip40`, with `bitcoin-main-lib` and `bitcoin-lib-js` running `postinstall.cjs` to install `bip40` during package installation. The malware can steal Google Chrome credentials, API tokens, and MetaMask seed phrases, and it can execute commands, take screenshots, and upload files via Discord API endpoints. The packages were taken down by November 2025.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
H score22
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware ActivityAbout this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Latest development: 29.05.2026 11:10
mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.
Discord defaults voice and video calls to end-to-end encryption
Security Tool/Service
H score58
First: 19.05.2026 23:37
Last: 19.05.2026 23:37
Sources 1
About this happening:
**Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Discord defaults voice and video calls to end-to-end encryption
Security Tool/ServiceAbout this happening: **Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
H score28
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Secret Blizzard Kazuar modular P2P botnet
Malware ActivityAbout this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Timeline
-
05.01.2026 09:48 3 articles · 6mo ago
VVS Stealer disclosed targeting Discord credentials
Initial DisclosurePalo Alto Networks Unit 42 disclosed VVS Stealer (VVS $tealer), a Python-based information stealer that has been sold on Telegram since at least April 2025 and is used to harvest Discord credentials and tokens. The malware uses Pyarmor-obfuscated code, is distributed as a PyInstaller package, persists through the Windows Startup folder, steals Chromium and Firefox browser data and screenshots, and can hijack Discord sessions by terminating the app, downloading an obfuscated JavaScript payload, and monitoring traffic through the Chrome DevTools Protocol (CDP).
Show sources
- New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code — thehackernews.com — 05.01.2026 09:48
- New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code — thehackernews.com — 05.01.2026 09:48
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31