Severity: critical

Malicious Package



The package discord.dll contained malicious code. The package ran a postinstall script that exfiltrated local files such as browser local databases. The information was exfiltrated to a remote Discord webhook.


Remove the package from your system and rotate any credentials that may have been compromised.
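Before removing the package, it helps to know every place it was installed, including as a transitive dependency. The following is an added example, not code from the advisory or from npm: it searches a parsed `package-lock.json` for `discord.dll` in both lockfile layouts. The `left-helper` parent package and the version strings in the sample data are constructed placeholders.

```javascript
// Package named in the advisory above.
const FLAGGED = "discord.dll";

// Walk a parsed package-lock.json and return every install path where
// `name` appears. Handles lockfileVersion 2/3 (flat "packages" map keyed
// by path) and lockfileVersion 1 (nested "dependencies" objects).
function findPackage(lock, name = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/b"; the text after
      // the last "node_modules/" is the package name (may be scoped).
      const pkg = path.split("node_modules/").pop();
      if (pkg === name) {
        hits.push({ path, version: meta.version,
                    hasInstallScript: Boolean(meta.hasInstallScript) });
      }
    }
    return hits;
  }
  // lockfileVersion 1 does not record install scripts, so report null.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version, hasInstallScript: null });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not real project data).
const sampleV2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "1.2.3" },
    "node_modules/left-helper/node_modules/discord.dll":
      { version: "0.0.0-placeholder", hasInstallScript: true },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "left-helper": { version: "1.2.3",
      dependencies: { "discord.dll": { version: "0.0.0-placeholder" } } },
  },
};
console.log(findPackage(sampleV2), findPackage(sampleV1));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findPackage`. Any hit means the postinstall script may already have run on machines that installed from that lockfile, so credential rotation applies even after removal.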


Advisory timeline

  1. Published: Advisory published, Nov 9th, 2020
  2. Reported: Reported by Sonatype Research team, Nov 9th, 2020