[jquery]

"oops I got hacked when I hacked and/or tried to hack you" is a pretty old trick... I would be cautious about this friend.

At least it was just discord. I'd treat this as a valuable lesson on the virtue of 2FA especially if they have a habit of running untrusted executables (especially with admin permissions...)

[jrockway]

I don't think you should feel safe just because you have 2FA enabled. Local malware can wait until the next time you have to provide your second factor, and then use it to disable 2FA, etc.

My main takeaway from looking at some of the repositories is that they are deathly afraid of being run in a VM, because they think that means someone is trying to reverse engineer them. (Which I suppose makes sense; test untrusted software in a VM, if it doesn't do anything evil, then run it outside of the VM.)

[jquery]

At the end of the day, running local exes is about trust. Having 2FA enabled reduces the attack surface you have exposed, even if it doesn't eliminate it as you point out.