Hacker News

A buddy of mine got hit by one of these recently. He got a message from a friend asking him to try a demo of a new video game. His friend is a video game developer so this didn't seem suspicious. The "video game" had a landing page and everything. Turns out that his friend's account had already been hacked and the "video game" was a stealer like this. TL;DR: he lost his account and that same hacker tried to get me with the same scheme.

Discord support has been completely unhelpful, because he didn't have 2FA enabled before and the hacker added it.




"oops I got hacked when I hacked and/or tried to hack you" is a pretty old trick... I would be cautious about this friend.

At least it was just Discord. I'd treat this as a valuable lesson on the virtue of 2FA, especially if they have a habit of running untrusted executables (especially with admin permissions...)


I don't think you should feel safe just because you have 2FA enabled. Local malware can wait until the next time you have to provide your second factor, and then use it to disable 2FA, etc.

My main takeaway from looking at some of the repositories is that they are deathly afraid of being run in a VM, because they think that means someone is trying to reverse engineer them. (Which I suppose makes sense; test untrusted software in a VM, if it doesn't do anything evil, then run it outside of the VM.)


At the end of the day, running local exes is about trust. Having 2FA enabled reduces the attack surface you have exposed, even if it doesn't eliminate it as you point out.


2FA doesn't work on Discord if they have your token, and that's what the stealers grab.


I think they just mean that recovering the account post-compromise was not possible because they didn't have 2FA already set up to authorize them as the true owner of the account, not that 2FA would've prevented the issue.



