Severity: moderate

Exfiltrates Discord login tokens to Pastebin



The discordi.js package is malware that attempts to discover and exfiltrate a user's Discord credentials, sending them to Pastebin.

All versions have been unpublished from the npm registry.


Do not install or use this module. It has been unpublished from the npm registry but may exist in some caches. Any users who logged in to Discord using this library will need to change their credentials.
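To check whether a project still references the package, the following added example (not part of the original advisory) searches a parsed package.json and package-lock.json for the exact name discordi.js, including transitive copies. The function names and the sample lockfile are constructed for illustration; it inspects project files only, not the npm cache.

```javascript
// Added example, not part of the advisory: locate references to the
// malicious package in parsed npm manifests and lockfiles.
const BAD = 'discordi.js'; // package name taken from the advisory

// package.json: report which dependency sections name the package.
function inManifest(pkg) {
  return ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']
    .filter((s) => pkg[s] && Object.prototype.hasOwnProperty.call(pkg[s], BAD));
}

// package-lock.json: lockfileVersion 2/3 has a flat "packages" map keyed by
// install path; version 1 has a nested "dependencies" tree. Check both and
// de-duplicate by install path, since version 2 files carry both forms.
function inLockfile(lock) {
  const hits = new Map();
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    // Compare the last path segment exactly so near-miss names do not match.
    if (p.split('node_modules/').pop() === BAD) hits.set(p, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = prefix + 'node_modules/' + name;
      if (name === BAD) hits.set(here, meta.version);
      walk(meta.dependencies, here + '/'); // transitive copies nest below
    }
  };
  walk(lock.dependencies, '');
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile; names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'bot', dependencies: { 'some-bot-helper': '1.0.0' } },
    'node_modules/some-bot-helper': { version: '1.0.0' },
    'node_modules/some-bot-helper/node_modules/discordi.js': { version: '0.0.0-example' },
    'node_modules/discord.js': { version: '0.0.0-example' }, // near-miss name, must not match
  },
  dependencies: {
    'some-bot-helper': { version: '1.0.0',
      dependencies: { 'discordi.js': { version: '0.0.0-example' } } },
    'discord.js': { version: '0.0.0-example' },
  },
};

console.log(inManifest({ devDependencies: { 'discordi.js': '*' } }));
console.log(inLockfile(sampleLock));
```

Pass each function the `JSON.parse` result of the corresponding file. A hit in the lockfile with none in the manifest means the package was pulled in transitively.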


Advisory timeline

  1. Published: advisory published, Oct 9th, 2017
  2. Reported: Oct 9th, 2017