Which versions of discordsync are malicious?

The following PyPI versions of discordsync are flagged malicious: 1.3.0, 1.4.0. Treat any of these as compromised.

How do I remediate discordsync if I installed it?

discordsync is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed discordsync — how do I know if it already compromised me?

If discordsync was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is discordsync part of a known attack campaign?

Yes — discordsync is associated with the RLMA-2025-04154, 2025-08-dsidelib, RLUA-2026-00275 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find discordsync across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for discordsync (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging discordsync across your stack and pipelines.

Malicious package

discordsyncPyPI

Malicious code in discordsync (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-41662

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall discordsync

What this malware does

Package is runs an Infostealer targeting telegram and Discord credentials. Depending on version, the infostealer is either downloaded from an URL or embedded in the package

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-dsidelib

Reasons (based on the campaign):

infostealer
Downloads and executes a remote malicious script.
exfiltration-browser-data
target:telegram

Malicious versions

2 flagged

1.3.01.4.0

Indicators of compromise (SHA-256)

08ddf71ec52dd716d82c33a7b5755a4589d3e822867de52684d8c560ef229035

2582cf1717217e1659a0c2cd758bc049b2f87b40b5dc22c5b81b27bc0f5d9422

0da96b494aac7775c3c7672d4d77137cbeb6be21294b7c332a21d0bf978d364e

02a15d4a7f4db95cdad81d985e35f11d81e897bdc74a654506d89c09144584b3

bf5a14aad5c7755e3ba72595902ecc969071c48312556704a048d2f892b6d0eb

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for discordsync (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging discordsync across your stack and pipelines.
If you installed it — respond
discordsync is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If discordsync was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks discordsync before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. discordsync on PyPI has been identified as a malicious package (versions 1.3.0, 1.4.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-041542025-08-dsidelibRLUA-2026-00275

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks discordsync-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring