A heavily obfuscated and malicious NPM project is used to steal Discord user tokens and browser information from unsuspecting users. NPM is a JavaScript package manager that allows developers to download and integrate different JS modules from a public registry containing over one million packages. The ‘discord.dll’ project has been available on NPM for five months and has been downloaded one hundred times. The module is believed to be based on another project called ‘JSTokenGrabber’ that was previously on GitHub. Sonatype also discovered three other suspicious packages from the same author named ‘Discord.app’ and ‘ac-addon’
Source: https://www.bleepingcomputer.com/news/security/malicious-npm-project-steals-discord-accounts-browser-info/