Malware

Epsilon Stealer

Epsilon Stealer is an Electron-based information stealer. Reported capabilities include theft of browser credentials and cryptocurrency wallet data from infected systems. The malware has been observed in multiple delivery campaigns, including a four-stage npm supply-chain infection chain using the typosquatted packages turbo-axios and faster-axios, which impersonated Axios-related software on npm. In that activity, developers or users who installed the fake packages were exposed to Epsilon Stealer. It has also been reported in an August 2023 campaign in which victims were enticed to download and run a purported “new game,” after which Epsilon Stealer was installed. That campaign likely used compromised Discord accounts for dissemination, leveraging trust in the platform. The content places Epsilon Stealer among active stealer malware families but does not provide high-confidence attribution to a specific threat actor. Targeting is consistent with credential and wallet theft against end users, including users reached through npm typosquatting and Discord-based social engineering.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique

T1589Gather Victim Identity InformationEvidence1

Two axios typosquats on npm, turbo-axios and faster-axios, form a campaign delivering Epsilon Stealer through a four-stage chain.

Initial Access

1 technique

T1195Supply Chain CompromiseEvidence1

Two axios typosquats on npm, turbo-axios and faster-axios, form a campaign delivering Epsilon Stealer through a four-stage chain.

Execution

1 technique

T1204User ExecutionEvidence1

“deploy deceptive tactics, such as offering game cheats and false game enhancements… entice gamers into downloading and executing malicious payloads…”

Credential Access

2 techniques

T1539Steal Web Session CookieEvidence1

“information stealers frequently target Discord access tokens… Once in possession of these tokens, attackers can impersonate account owners…”

T1555Credentials from Password StoresEvidence1

The Electron infostealer grabs browser credentials, crypto wallets,...

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

safedep blogNews

Jun 6, 2026

Inside the Miasma Software Supply Chain Attack Toolkit - Real-time Open Source Software Supply Chain Security

An Electron-based infostealer delivered via npm typosquat packages that steals browser credentials and cryptocurrency wallet data.

intel471News

Feb 13, 2024

How Discord is Abused for Cybercrime | Intel 471

Information stealer delivered to Discord users via social engineering (e.g., lures to try a new game), potentially spread via compromised Discord accounts.

sekoia blogNews

Feb 6, 2024

Adversary C2 infrastructures tracked in 2023 - Sekoia.io Blog

Information stealer distributed via fake video game download websites.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.