NordVPN itself does not publish a single "combolist" file, but the data can be extracted from their server recommendation API or community-generated lists.
The "valid" NordVPN accounts are either sold on the dark web or used to access the user’s subscription for illegal activities. The Dangers of Using Leaked Combolists nordvpn combolist
NordVPN restricts the number of login attempts from a single IP address, making large-scale automated attacks difficult. NordVPN itself does not publish a single "combolist"
You are trusting anonymous criminals to give you a tool for anonymity. That is like asking a pickpocket to hold your wallet. nordvpn combolist
Attackers can use your email address from the list to launch phishing campaigns.