packages/docs/src/pages/en/about/incidents/2026-06-nyven-infostealer.md
This page documents the June 2026 security incident affecting Vuetify's Discord support account.
<PageFeatures />::: info TLDR: On 2026-06-03, a Vuetify maintainer's personal machine was compromised by a commodity infostealer after a social-engineering lure. The attacker used credentials harvested from the browser to take over the Vuetify Discord support account, added 2FA to lock the owner out, and sent an extortion demand, which was refused. No Vuetify package, source, release, CI pipeline, or user data was affected. The Discord account was recovered on 2026-06-10, but the original community server was deleted and cannot be restored; the community now lives on a replacement server — see Where to find us now. :::
On 2026-06-03, a Vuetify maintainer ran an unsigned installer that was a packaged infostealer. It harvested the credentials, cookies, and autofill data saved in the browser and exfiltrated them.
The attacker used those credentials to take over the Vuetify Discord support account. After taking control, the attacker added 2FA to lock the owner out and sent an extortion demand under threat to leak and sell the data. The demand was refused and no payment was made.
The compromise was limited to one personal machine and the accounts reachable from it. No part of Vuetify's software supply chain was affected.
| Asset | Status |
|---|---|
| npm packages & releases | Not affected. No package was modified, tampered with, or published. |
| Source & GitHub org | Not affected. No repository, branch, tag, or release was altered. |
| CI/CD & infrastructure | Not affected. |
| User data & databases | Not affected. |
| Google Workspace | Not breached. The vuetifyjs.com account was auto-suspended by Google as a precaution; the password was reset and control retained. |
| Discord support account | Recovered (2026-06-10). The attacker added 2FA after taking it over; the account was later recovered, but the original community server was deleted and cannot be restored, per Discord support. |
| Browser-stored secrets | Exposed. Saved credentials, cookies, and autofill on the affected machine are treated as compromised and have been rotated or removed pending an internal audit. |
| Developer tokens & keys | Treated as exposed. Tokens on the host, including those with npm/GitHub access, have been rotated or removed and their sessions revoked, pending an internal audit. No evidence any were used against project infrastructure. |
Credentials and tokens on the machine that could reach npm or GitHub have been rotated or removed pending an internal audit. Vuetify's release pipeline already enforces several layers of protection, including OIDC-based trusted publishing to npm and mandatory two-factor authentication, which limit what any single stolen credential can do. There is no sign any were used against Vuetify's packages, repositories, or releases, and all areas of the ecosystem are being actively monitored for suspicious activity. No action is required of users.
All times are UTC on 2026-06-03 unless noted. Approximate times are marked with ~.
| Time (UTC) | Event | Detail |
|---|---|---|
~17:00 | Installer downloaded | The unsigned installer was downloaded from the throwaway site. |
17:06 | Malware executed | The installer was run; the infostealer harvested browser-stored credentials and cookies and exfiltrated them. |
17:08 | Host isolated | The machine was disconnected from the network. |
17:16 | Extortion email received | The attacker emailed claiming to hold the stolen passwords, cookies, and autofill data. |
17:25 | Refused to engage | The attacker's contact was declined. |
~17:46–17:58 | Discord account takeover | The attacker used the stolen credentials to seize the Vuetify support account and added 2FA to lock the owner out. |
18:06 | Email/GitHub secured | Email and GitHub passwords were changed and all sessions forced to re-authenticate. |
18:10 | OAuth revoked | Third-party OAuth grants were revoked and active sessions cut. |
18:25 | Payment demanded | The attacker demanded payment under threat to leak and sell the data; no payment was made. |
2026-06-04 | Discord recovery blocked | Self-service recovery failed because of the attacker-added 2FA; a recovery case was opened with Discord. |
2026-06-05 | Replacement server opened | A new Vuetify Discord server was opened as the verified home for the community. |
2026-06-10 | Account recovered; server lost | The support account was recovered. Discord support confirmed the original server was deleted and cannot be restored. |
The maintainer was led to a throwaway website and ran an unsigned installer that was malware. Because credentials were stored in the browser, a single execution exposed the full set at once.
The Vuetify Discord support account has been recovered. The original community server, however, was deleted, and Discord support has confirmed there is no ability to restore it — the loss of the server, its channels, and its message history is permanent.
A replacement server was opened while recovery was pending and is now the official home of the Vuetify community on Discord. The verified invite is in Where to find us now.
The exfiltration channel and the attacker's delivery infrastructure have been reported to the relevant platforms.
::: warning The original server is permanently gone. We have started rebuilding and you can request an invite by going to https://community.vuetifyjs.com.
If any other server, or any direct message, claims to be us and asks for money, credentials, or 2FA codes, it is not us. :::
Changes to the official channels will be posted here and on vuetifyjs.com, the GitHub organization, and @vuetifyjs on X.
A complete evidence package has been preserved: forensic artifacts, the full set of indicators of compromise, and the malware sample. Security vendors, researchers, CERT/CSIRTs, and platform trust-and-safety teams that can action it can request it at [email protected] (subject: INCIDENT).
A subset of indicators is published below; the complete set is available on request.
NyvenSetupV1.exe) downloaded from a throwaway *.pages.dev site (nyvanbeta.pages.dev).Full indicators (file hashes, exfiltration channel identifiers, and build metadata) are withheld here to avoid interfering with platform recovery, and are shared with vetted parties on request.
Questions about this incident, or related information, can be sent to [email protected]
Dated entries are added here rather than editing the report above.
| Date | Update |
|---|---|
| 2026-06-05 | Initial publication. |
| 2026-06-10 | The Discord support account has been recovered. Discord support confirmed the original server was deleted and cannot be restored; the replacement server is now active at https://community.vuetifyjs.com. |