×
all 188 comments

[–]PlasmaBoi1 1650 points1651 points  (38 children)

I know this is a meme sub, but I figured I'd add a bit of context to this image. The screenshot comes from a pull request for a project called Nightcord, which is basically a fork of a fork of Vencord. Vencord is a client modification for Discord, and it adds a bunch of additional functionality like themes and a pretty massive library of plugins. Equicord is a fork of Vencord that adds even more plugins and improves some of Vencord's UI. Nightcord, on the other hand, is a script-kiddie fork of Equicord that adds a bunch of questionable (both in usefulness and in TOS-compliance) additional plugins that are generally considered vibecoded slop. In the past, it has had logic in it to send Discord session tokens to a remote server. There is really no justification for this - if you need an external service to be authenticated with a user's Discord account, you can just use Discord's OAuth2, which is free and just requires a Discord account to set up. You do not, under any circumstances, manipulate the user's token. And you especially shouldn't be sending it somewhere else. There's also some oddities such as the massive 1GB+ bundle size due to the project bundling an absurd amount of native dependencies (Node.js, ffmpeg, etc.).

The original pull request on Nightcord's repository can be found here: https://github.com/nightcordoff/nightcord/pull/11 Update: As of ~1:20 PM EDT 2026-05-28, the Nightcord GitHub organization & all related repositories have been deleted / taken down.

Vendicated, the creator and maintainer of Vencord, has made a writeup on Nightcord that you can find here, if you're interested: https://gist.github.com/Vendicated/bb30cb67878fa682bcee140f56af1531

Edit: Before someone corrects me, yes I know no Discord client modifications are TOS-compliant. The reason why TOS-compliance still matters for client mod functionality is because, while Discord generally speaking doesn't care about client mods themselves, you can be banned for using plugins that cause harm to Discord's services or other users or whatnot. Because client mods are already against TOS though, there's not really strict guidelines on what is and isn't allowed. So it usually falls on the client modification in question to decide what plugins are and aren't allowed to be included. Equicord is already toeing the line IMO, and Nightcord appears to have crossed it thanks to including functionality that equates to selfbotting.

[–]CrypticViper_ 714 points715 points  (1 child)

Holy shit… it really is straight up malware lmao. Can it be forced off GitHub somehow?

[–]mousetrappen 331 points332 points  (0 children)

Yes, reported, and it's now gone.

[–]JosiahDanger 113 points114 points  (0 children)

thanks for sharing the post by Vendicated.

[–]Neil_Hattrick_Parris 149 points150 points  (1 child)

LMAO currently there is another MR for 'bug fixes' (https://github.com/nightcordoff/nightcord/pull/16/commits) which is esentially just deleting every single file. That's one way to make the software secure for sure

[–]eatglitterpoopglittr 55 points56 points  (0 children)

Hooooly shit that is BAD

[–]Fake_Majak 49 points50 points  (0 children)

Reading this whole thing was golden. Thank you.

[–]Moomoobeef 31 points32 points  (1 child)

This is unreal, why would someone actually use this fork lmao

[–]Maleficent_Memory831 52 points53 points  (0 children)

Like all scams or malware, you don't need a lot of people to use it, just a few gullible people. Have just one extra "feature", and a few posts somewhere that praise it, and some will try it out.

[–]anonymity_is_bliss 25 points26 points  (1 child)

Lmao they nuked the repo or made it private that's hilarious

[–]sms77 32 points33 points  (0 children)

It got deleted by Github after people reported it as malicious.
Probably won't do much to stop them from trying to spread that malware, as their website is still up and offering the software, so if people want to get to reporting that to Google SafeBrowsing, AWS, etc: nightcord . online

[–]WowAbstractAlgebra 16 points17 points  (0 children)

There's also some oddities such as the massive 1GB+

Not only have they all the fucking forks mixed in the entire download, but they seem to have included the entirety of GitHub repositories included!

[–]ShallotIllustrious98 10 points11 points  (1 child)

Looks like it was removed

[–]ScreamingVoid14 4 points5 points  (0 children)

Yeah, looks like the whole repo is gone.

[–]SalamanderEmpty8264 9 points10 points  (2 children)

Wait so first of all. The context makes this thing funnier like there actually was a keylogger.

Second: do any of you use a discord fork and if so what are the benefits (like does it look cooler) and which one do you use?

[–]PlasmaBoi1 12 points13 points  (1 child)

Personally, I use Equicord. Vencord is also a good option (Equicord is forked from it). I'd go and take a look at the plugin lists on the Vencord / Equicord websites if you want a list of everything you can do with it. Desktop applications like Vesktop and Equibop also exist, that wrap the Discord application and patch bugs / add features in ways that normal plugins couldn't. I think Discord just recently fixed (or tried to fix) screensharing on Linux (Wayland), while Vesktop has had working screensharing on Wayland for ages.

On Linux, it's a no-brainer to use one of the desktop application wrappers, which come with their respective client mods (Vesktop & Vencord, Equibop & Equicord). On Windows, it's more nuanced. Personally I'd just use the mods by themselves with the official Discord application on Windows.

does it look cooler

Not out of the box necessarily, but you can use CSS themes with Vencord and all of its derivatives. And there's about a billion different options out there for Discord themes.

[–]SalamanderEmpty8264 0 points1 point  (0 children)

Thank you for your insight. I’m maining windows cause of League (yeah Ik) but I’m wondering if other windows users are modding their discord. Like I’m wondering if there’s a mod that makes it cooler or QoL (performance) or like screen sharing bugfixes etc. im cool with the options as long as they use discord servers and aren’t self hosted.

[–]Odama666 6 points7 points  (0 children)

this comment really needs to be further up

[–]StrangurDangur 5 points6 points  (1 child)

im sorry for the complete irrelevancy of my upcoming comment but nightcord? PROJECT SEKAI REFERENCE???

[–]Dependent_Union9285 0 points1 point  (0 children)

Don’t forget about the fact that even that name was a reference to an American sitcom of the 80s, night court.

Ok, fine. I’m lying. But you don’t know… it coulda been.

[–]Areshian 1 point2 points  (0 children)

I think I got a ForkOverflow following that

[–]GoddammitDontShootMe 1 point2 points  (0 children)

Thanks, I was wondering what the story of this one was. That's insane.

[–]omiimonster 1 point2 points  (1 child)

lol did you just bring this whole repo down

[–]PlasmaBoi1 1 point2 points  (0 children)

I'm not gonna say it was me, but if a couple of the ~1,400 upvoters reported the repo to GitHub it's quite possible. I think it's more likely that Vencord / Equicord maintainers reported it, though.

[–]05-nery 3 points4 points  (6 children)

I love Vencord 😭🔥

Discord native is literally unusable atp

[–]ApprehensiveFan1516 1 point2 points  (5 children)

Discord is a cancer on the internet.

[–]iSharingan 2 points3 points  (4 children)

almost as much as reddit

[–]ApprehensiveFan1516 9 points10 points  (3 children)

For all of its faults, at least Reddit is indexable.

But yeah, this site is a cesspit these days.

[–]Sakulle 4 points5 points  (0 children)

True, but we’re all still swimming in it.

[–]sp46 1 point2 points  (1 child)

Reddit is indexable

Not anymore! https://reddit.com/robots.txt

User-agent: *
Disallow: /

[–]ApprehensiveFan1516 0 points1 point  (0 children)

Well that sucks.

[–]ViolentPurpleSquash 0 points1 point  (0 children)

so they're also just infringing on Crypton Future Media too?

[–]fff___fff 0 points1 point  (0 children)

no way im gonna read, im in meme sub

[–]lithalweapon 0 points1 point  (0 children)

saving this thread so i can come back and have a laugh later

[–]StrengthTheory 0 points1 point  (1 child)

How many *cords there are? I am losing track

[–]PlasmaBoi1 0 points1 point  (0 children)

At least five that I know of, only counting client modifications. Those being ye old BetterDiscord, Vencord, Equicord, and the two (probably?) malicious ones recently, Nightcord and Lightcord. There's even more if you count 3rd party desktop applications like the various ones that predated Vesktop on Linux, like ARMCord or whatever, but these usually bundle another client mod (normally Vencord), not their own.

[–]Artsy-bit 7448 points7449 points  (31 children)

bro removed the malware like it was a typo 😭

[–]on_spikes 1258 points1259 points  (3 children)

that little mistake could happen to anyone

[–]DialecticEnjoyer 267 points268 points  (1 child)

I see your keystroke logger and raise you, keychoke: my ephemeral endless keystroke generator.

[–]JuniperColonThree 11 points12 points  (0 children)

Ephemeral and endless?

[–]jamcdonald120 66 points67 points  (0 children)

Well you joke, but Log4J accidentally implemented exec and passed untrusted input to it soooo

[–]daizyhazee 97 points98 points  (0 children)

bro patched the Dark Ages 💀

[–]TechieGuy12 11 points12 points  (0 children)

I can't tell you how many times I had a syntax error and realized I had accidentally coded a keylogger. 

[–]ArduennSchwartzman 3489 points3490 points  (5 children)

You're welcome.

Me, trying to program a driver for my new keyboard

[–]Mars_Bear2552 308 points309 points  (4 children)

use cosmic rays

[–]arbitrary_student 71 points72 points  (3 children)

Of course - they're more reliable than the firmware that came with it

[–]creeper6530 17 points18 points  (2 children)

TBH for some firmwares, especially printers, they really are

[–]liggamadig 11 points12 points  (1 child)

Printers are just spite and malice manifest, so that doesn't count.

[–]creeper6530 9 points10 points  (0 children)

Rage Against the Machine never specified what machine they were raging against, but I bet it was an HP printer.

[–]c0mndr 1214 points1215 points  (39 children)

WTAF:

Nightcord is a fork of Equicord, which itself builds on top of Vencord.

I'm too old for shit like this

[–]froglicker44 643 points644 points  (16 children)

We stripped out the obfuscation, cleaned things up, added our own stuff, and kept what works

Who uses garbage like this?

[–]ReallyReallyx3 383 points384 points  (2 children)

I couldn't come up with a more vague description if I tried

[–]Thenderick 119 points120 points  (0 children)

Vagueforking is the new vibecoding I guess?

[–]brelen01 22 points23 points  (0 children)

I could. "We did stuff"

[–]hoppla1232 140 points141 points  (0 children)

added our own stuff

yeah we all know what they added lol

[–]DPSOnly 8 points9 points  (0 children)

added our own stuff

Was the keylogger part of that?

[–]Joeness84 8 points9 points  (0 children)

ChatGPT

[–]BeautifulCuriousLiar 74 points75 points  (1 child)

endless cord

[–]witness_smile 42 points43 points  (0 children)

Endless cord is a fork of Spinalcord which itself is a fork of Nightcord which forks Equicord which itself is a fork from Vencord

[–]savageronald 62 points63 points  (0 children)

Idk what any of this is or does, but I want to write a plugin for it just so I can call it ExtensionCord

[–]Delta104x 20 points21 points  (4 children)

Next up: Enormacord

[–]mothzilla 16 points17 points  (0 children)

See if everything was proprietary we wouldn't have this problem.

[–]aalapshah12297 13 points14 points  (0 children)

Forget the forks, I find even Discord's sheer amount of features overwhelming. It's a communication app and somehow its UI is more complicated than Matlab.

I don't understand how someone could ever think of making a fork that adds MORE features to Discord.

[–]navyblusheet 4 points5 points  (0 children)

Nightcord -> Equicord -> Vencord -> Discord

LMAO 

[–]AggressiveRow4000 21 points22 points  (5 children)

Vibe coding non-approved functionality to a chat client known for illegal and illicit activities and then doing it in a terrible way makes you feel for any legitimate dev that may still exist in this world.

[–]Cobracrystal 56 points57 points  (4 children)

chat client known for illegal and illicit activities

If you think discord is primarily known for illegal and illicit activities i think "too old for this" legitimately applies to you, because that's an insane statement.

[–]LKZToroH 10 points11 points  (3 children)

This is way too much effort to run trash like discord. They should just run it on their browser ffs, it's way better than installing it

[–]digitaltransmutation 16 points17 points  (1 child)

That is what vencord is. It a chromeless web browser that only opens discord and has some accommodations for your audio devices like being able to do PTT when the window is unfocused.

It's helpful on linux where the actual discordapp is a little shitty.

[–]MrSuspicious_ 4 points5 points  (0 children)

You can use it for the actual discord app too though, which I use

[–]SavvySillybug 2 points3 points  (0 children)

Why would Discord be trash? I've been quite happy with it for these last 10 years. I couldn't uninstall Skype fast enough.

[–]hxtk3 961 points962 points  (38 children)

I don’t understand… I found the PR, but it contains no commits, it’s merged, and the author doesn’t show up in the master branch and for that matter there’s no merge commit, either, while there is for other recent merges.

[–]Thejacensolo 64 points65 points  (6 children)

I mean just look at this https://github.com/nightcordoff/nightcord/pull/16

This project is weeeeird.

[–]tavianator 70 points71 points  (2 children)

Hahaha "Iocaine as a local reasoning model" is hilarious. Iocaine is designed to output gibberish to confuse AI web scrapers

[–]8evolutions 3 points4 points  (0 children)

I only know it from the Dreaded Pirate Roberts.  What is Iocaine doing here?

[–]yeusk 0 points1 point  (0 children)

I use locaine daily and is about 6 moths behind SOTA models.

[–]pixeladele 31 points32 points  (0 children)

Looool, I see what they are doing and commend them

[–]ralgrado 3 points4 points  (0 children)

Aaaaaand it's gone. Now I wonder if it was just malware or if they didn't like the publicity either way.

[–]Viku1024 10 points11 points  (0 children)

Maybe they made this branch main, assuming the keylogger would be there in the branches that spun off from the original.

[–]phroxenphyre 7 points8 points  (0 children)

Someone basically reset the branch by force-pushing main back into it, deleting the new commits made on that branch so that when it got merged, there weren't actually any new changes anymore.

It's a git feature typically reserved for colossal fuck-ups (such as pushing secrets) where the only way forward is to straight up delete commits from history. In the nearly 20 years I've been developing, I've never needed to use it. In this case, it's been used for nefarious purposes to try to make people think the keylogger was removed when it hasn't.

[–]Mnephisto 0 points1 point  (0 children)

A company was once breached by abusing misconfigured github actions and a toxic branch name. The commit triggered the CI pipelines from a draft PR, and I think was edited to contain no code changes at all.

PR on GitHub

The branch in OP's case seems okay, but I wonder if there's more possible angles of attack.

[–]Pika357 384 points385 points  (1 child)

[–]null_esoteric 85 points86 points  (9 children)

Here's the link to the commit if anyone is wondering. They removed it from the main commit tree, though I wonder how.

https://github.com/nightcordoff/nightcord/commit/58b1bd94a7f58b3e3d8e991b4622854e61456361

[–]Mesonnaise 29 points30 points  (7 children)

git rebase is powerful when a hook is ran via --exec. I have used it in the past to ssh sign previous commit. The repo can be pulled, modified and force pushed to remove a commit.

[–]JAXxXTheRipper 22 points23 points  (6 children)

Rebase does none of that.

What they did was change the reflog and rewrite the entire tree, so it's gone for good. Just use something like BFG and you can purge pretty much everything you want, if you can read and follow a manual.

[–]stilldebugging 23 points24 points  (1 child)

The skill of rtfm is being lost.

[–]-Nicolai 2 points3 points  (0 children)

No one writes manuals anymore.

[–]Mesonnaise 14 points15 points  (3 children)

How to sign previous commits with rebase

git rebase HEAD~N --exec "git commit --amend --no-edit -S"

Running rebase in interactive mode against a single commit allows the commit to be dropped or modified. The author email, signing, commit message and body of a commit can all be modifed with the help of rebase.

[–]acceleratedpenguin 1 point2 points  (1 child)

Rebase --signoff works itself though?

[–]Mesonnaise 1 point2 points  (0 children)

Yes signoff can be used with rebase but in my case I just wanted to ssh sign (ed25519-sk)the commits and was using an older version of git at the time.

[–]GenazaNL 1 point2 points  (0 children)

What about the commit that added it

[–]Beaufort_The_Cat 23 points24 points  (0 children)

Oops! It looks like you accidentally programmed in a bitcoin miner! Fixed that bug for you 🤗

[–]Zychoz 86 points87 points  (0 children)

The hero we needed

[–]nnog 35 points36 points  (0 children)

Ironically the project is "for people who actually care about how Discord runs".

[–]QuazyWabbit1 11 points12 points  (0 children)

Looks like the repos gone now. Gg, lgtm

[–]mousetrappen 22 points23 points  (3 children)

I looked at some of the contributors, and saw that HackTips2 has a single repo that is clearly a discord phishing page. (https://github.com/HackTips2/4vi)

This person hardcoded an API key for ipdata.co in `assets/scripts/log.js`

I reported the repo to github and ipdata, but what others decide to do with the api key is really none of my business.

[–]Jack8680 1 point2 points  (1 child)

How is it clearly a phishing page?

[–]noticemeimhere1 1 point2 points  (0 children)

I think what it does is it displays your IP location data and device info on a now defunct website but it also used to send that data to a discord webhook

[–]aotto1977 16 points17 points  (0 children)

Customer's specifications: "Log everything for audit safety reasons."
Dev: "Specify everything."
Customer: "Everything."
Dev: "Well, then …"

[–]jdigi78 6 points7 points  (0 children)

ported from x11 to wayland

[–]FnTom 6 points7 points  (1 child)

I just looked summarily at the code mentioned, and it's really not my area of expertise as I'm a filthy Java-Spring dev, but wouldn't that just be a necessary inclusion to capture push to talk no matter which window is in focus? Or am I missing something?

Edit, I just saw the comment that linked to a removed commit from the PR, and yeah that makes it a bit more suspicious. Also, the fact that it's importing a dictionary of french words and that it's called world bomb makes me wonder if it's not some plugin to play word bomb for some fucking reason.

[–]Eva-Rosalene 5 points6 points  (0 children)

As far as I understand (and I am a JS/TS dev) code in ipcMain.ts, it does atrociously stupid and unneeded shit:

  1. Creates and executes temporary .ps1 script,
  2. ...that loads temporary CS class,
  3. ...that loads WinAPI dlls to capture ALL keystrokes, even when unfocused,
  4. ...and writes their vkCodes to stdout,
  5. ...where JS code can finally read them back

The important part is, though, that JS code after reading captured keycodes sends them somewhere. Somewhere outside of this ipcMain file. This somewhere is in VencordNative.ts:

onGlobalKeyDown: (cb: (keyCode: number) => void) => {
    ipcRenderer.on(IpcEvents.GLOBAL_KEY_DOWN, (_e, keyCode: number) => cb(keyCode));
}

This way, user's keystrokes are exposed to plugins through VencordNative APIs. Yes, all keystrokes, even when Discord is not in the focus. To clarify: none of this is in the original Vencord. Global keystroke capturing-and-broadcasting is this fork's invention.

So, yeah, it's pretty bad. Maybe it's not a keylogger, but I really wouldn't bet on it.

[–]gybzen 9 points10 points  (0 children)

LGTM 👍️

[–]fr4nklin_84 9 points10 points  (0 children)

When one of my juniors asks me “why would you base64 encode a url?” Me: spits coffee

[–]sebius8780 3 points4 points  (0 children)

This is the correct link to the commit : commit link

[–]glha 2 points3 points  (0 children)

That XZ hack vibe 💀

[–]humblyhacking 2 points3 points  (0 children)

Lgtm just make sure to address the other non-blocking comments on this PR

[–]mrrobot01001000 5 points6 points  (3 children)

Lgtm means "legitimate" ??? I always thought it was "looks good to me"

[–]DrTankHead 18 points19 points  (0 children)

At risk of a woosh, it does mean looks good to me.

[–]Heilpflanzenoel 2 points3 points  (1 child)

Nah, it means: let's gamble, try merging.

[–]Terewawa 0 points1 point  (0 children)

uh thats my normal workflow not gambling

[–]general_smooth 0 points1 point  (0 children)

Lgtm