I'm not using Chrome, and my browser doesn't have that option to save cards.
I'm also not saving passwords to browser, I have paid app for that but sadly every browser have synced passwords.
As far I understand it was able to steal tokens directly form discord as it also acts as a browser - at least in my knowledge.
It doesn't even install - it just unpacks in AppData\Local\Discord\app-1.0.9003.
You don't have to download it, login trough site redirects you to app also. Works like PWA in my opinion.
The sad story about this is that stores way too many informations.
It wasn't just active session token. They somehow managed to hack second account that was previously logged in.
Because I don't have access to that second credit card.
Its the only valid reasoning.