Which versions of discordbotpresence are malicious?

The following PyPI versions of discordbotpresence are flagged malicious: 0.6.7. Treat any of these as compromised.

How do I remediate discordbotpresence if I installed it?

discordbotpresence is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed discordbotpresence — how do I know if it already compromised me?

If discordbotpresence was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is discordbotpresence part of a known attack campaign?

Yes — discordbotpresence is associated with the RLMA-2025-00458, 2024-12-discordbotstatus, RLUA-2026-00270 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find discordbotpresence across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for discordbotpresence (version 0.6.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging discordbotpresence across your stack and pipelines.

Malicious package

discordbotpresencePyPI

Malicious code in discordbotpresence (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-919

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall discordbotpresence

What this malware does

Package clones another package and hides a code to download and run a malicious exe file (an infostealer with high VT detection)

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-discordbotstatus

Reasons (based on the campaign):

clones-real-package
Downloads and executes a remote executable.
infostealer

Malicious versions

1 flagged

0.6.7

Indicators of compromise (SHA-256)

5ee440478e912a2c718f5429bcbf5f219b9785a2c671649b64a01fe0756d96d9

d24a9df81177e2a45e286f010136d622d865f3851a194265e0a18d8e4d43b68f

feb07b6deb53d133f7121c755a98920d1753dd75c4099e51e4dcb84d650d84fa

5b9e686f62d279a31f248ed48db1e67a02b20e7c4a7744d9d1481663a23c0884

a14ed354ae3bfba0b48e8bfffb44872d9b60f8dbfc82695de9e1852c33b593a1

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for discordbotpresence (version 0.6.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging discordbotpresence across your stack and pipelines.
If you installed it — respond
discordbotpresence is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If discordbotpresence was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks discordbotpresence before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. discordbotpresence on PyPI has been identified as a malicious package (version 0.6.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-004582024-12-discordbotstatusRLUA-2026-00270

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks discordbotpresence-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring