
New npm Infostealer Discovery: Nyx Stealer Hijacks Discord Sessions
TL;DR

The Xygeni Security Research Team identified a sophisticated npm infostealer campaign delivered through two malicious packages: consolelofy and selfbot-lofy. The latest version (consolelofy@1.3.0) embeds a 216KB AES-encrypted payload that decrypts at runtime and executes via vm.runInNewContext(). Because the malicious logic is fully encrypted, static scanners relying on string inspection cannot observe its behavior until execution time.

Once decrypted, the payload, internally branded Nyx Stealer, targets:

- Discord authentication tokens
- 50+ browser credential stores
- 90+ cryptocurrency wallet extensions
- Roblox, Instagram, Spotify, Steam, Telegram, and TikTok sessions
- Discord desktop client persistence

All 20 versions across both packages were reported and confirmed malicious.

Technical Overview of This npm Infostealer

Unlike traditional install-time malware, this campaign relies on a runtime decryption model. There are:

- No malicious preinstall or postinstall hooks
- No obvious i
Continue reading on Dev.to


