VVS Stealer infostealer steals Discord tokens and browser data
Malware Activity
Summary
NodeCordRAT is a previously undocumented RAT delivered through malicious npm packages that impersonate bitcoinjs project repositories and abuse Discord for command-and-control and data theft. The campaign used `bitcoin-main-lib`, `bitcoin-lib-js`, and `bip40`, with `bitcoin-main-lib` and `bitcoin-lib-js` running `postinstall.cjs` to install `bip40` during package installation. The malware can steal Google Chrome credentials, API tokens, and MetaMask seed phrases, and it can execute commands, take screenshots, and upload files via Discord API endpoints. The packages were taken down by November 2025.
Related Happenings
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Discord defaults voice and video calls to end-to-end encryption
Security Tool/Service
First: 19.05.2026 23:37
Last: 19.05.2026 23:37
Sources 1
About this happening:
**Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
Timeline
05.01.2026 09:48 3 articles · 4mo ago
VVS Stealer disclosed targeting Discord credentials
Initial Disclosure
Palo Alto Networks Unit 42 disclosed VVS Stealer (VVS $tealer), a Python-based information stealer that has been sold on Telegram since at least April 2025 and is used to harvest Discord credentials and tokens. The malware uses Pyarmor-obfuscated code, is distributed as a PyInstaller package, persists through the Windows Startup folder, steals Chromium and Firefox browser data and screenshots, and can hijack Discord sessions by terminating the app, downloading an obfuscated JavaScript payload, and monitoring traffic through the Chrome DevTools Protocol (CDP).
Sources:
- New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code — thehackernews.com — 05.01.2026 09:48
- Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages — thehackernews.com — 08.01.2026 12:31