-= Per source details. Do not edit below this line.=-
osint packages promise to be OSINT tool, however, when providing the username to search for, the package attempts to exfiltrate Discord tokens from the user.
The original package suggests being a library for Discord exfiltration, what is suspicious on its own, but in addition, the entry point located in main.py exfiltrate local Discord tokens to a hardcoded webhook.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-09-discord-token-lib
Reasons (based on the campaign):
exfiltration-generic
action-hidden-in-lib-usage
{
"iocs": {
"urls": [
"https://discord.com/api/webhooks/1271645951026659339/wWCSAlPG3TuhycH7ex6h9O48nKdFn4G55WUk4-lgay4RQTpCbbt-DYuo9jLIHYEReQKj"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2024-09-discord-token-lib/osint-tool",
"modified_time": "2024-10-02T07:55:07Z",
"import_time": "2025-12-02T22:30:55.415941911Z",
"sha256": "0d5c4163ca79428423dab39798608ee8cc3f01459134f4ebaaa304b7707bd43e",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"id": "pypi/2024-09-discord-token-lib/osint-tool",
"modified_time": "2024-10-02T07:55:07Z",
"import_time": "2025-12-02T23:07:18.444513372Z",
"sha256": "10a834a37294b0f3aaf52345444f8c5c2a15dde780c8342446c53ecc05d623c0",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"versions": [
"0.1",
"0.2",
"0.5",
"0.4"
],
"id": "pypi/2024-09-discord-token-lib/osint-tool",
"modified_time": "2024-10-02T07:55:07Z",
"import_time": "2025-12-10T21:38:57.662970187Z",
"sha256": "021db96fc63001447434cd54e4264a624c68527ba98de376627ee718e26f52ce",
"source": "kam193"
},
{
"versions": [
"0.1",
"0.2",
"0.4",
"0.5"
],
"id": "pypi/2024-09-discord-token-lib/osint-tool",
"modified_time": "2024-10-02T07:55:07Z",
"import_time": "2025-12-30T22:39:04.13721137Z",
"sha256": "b1826528a64b1a5d346db7a26ccf0ee6de648d2542ea1244040cc644c625ac69",
"source": "kam193"
}
]
}