Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

happy-dlscord.jsnpm

Malicious code in happy-dlscord.js (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4575
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall happy-dlscord.js

What this malware does

The package name 'happy-dlscord.js' is a one-character edit of the top-tier npm package 'discord.js' and ships a near-verbatim fork of the upstream library with an injected payload in src/client/Client.js. In Client.prototype.login(), once the client emits 'ready', the package POSTs the caller's Discord bot token to a hardcoded Discord webhook (https://discord.com/api/webhooks/1508514263197552690/...), wrapped in a JSON body containing the bot tag, id, and timestamp, with Arabic-labeled fields including '🔑 التوكن المفرز' formatting the token in spoiler tags. The webhook endpoint is unrelated to the package's stated purpose and is controlled by the attacker. Any developer who installs this package and calls client.login(token) — the standard, mandatory entry point of the library — silently surrenders their bot token to a third party, fully compromising the Discord bot (read all guild messages, send messages as the bot, modify the bot's account, persist beyond simple uninstall). Three independent block signals are present: typosquat of a top-100 package, hardcoded attacker-controlled exfiltration destination, and automatic firing on the library's primary documented API.

Malicious versions

1 flagged
14.16.3

Indicators of compromise (SHA-256)

2d183bf51c0f2be0102a7a7aeeda661f895e3b075f183d76d5f0f77c09c70860

Detection & response playbook

Credential / info stealer

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for happy-dlscord.js (version 14.16.3). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging happy-dlscord.js across your stack and pipelines.

  2. If you installed it — respond

    happy-dlscord.js is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If happy-dlscord.js was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks happy-dlscord.js before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. happy-dlscord.js on npm has been identified as a malicious package (version 14.16.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004763

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks happy-dlscord.js-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring
happy-dlscord.js (npm) malicious package — MAL-2026-4575 | O3 Security