JFrog security researchers Guy Korolevski and Meitar Palas uncovered a sophisticated supply chain attack on the npm ecosystem on March 12, 2026, in which threat actors disguised information-stealing malware as a legitimate Roblox script executor.
The campaign, self-named Cipher stealer, used two malicious packages, bluelite-bot-manager and test-logsmodule-v-zisko, to deliver a Windows executable capable of harvesting Discord credentials, browser data, and cryptocurrency wallet files from infected systems.
Each malicious package included a pre-install script that silently downloaded and executed a Windows binary called solara 1.0.0.exe or solara 1.0.1.exe from a Dropbox-hosted URL, requiring no interaction from the victim.
Uploading the executable to VirusTotal showed this result (Source: JFrog)
The executable functioned as a dropper, concealing a 321MB archive that held obfuscated JavaScript, a full Node.js runtime, and an embedded Python script, all the components needed to run the stealer without any setup by the attacker.
Despite the sophistication of its payload, the executable was flagged by only one antivirus engine on VirusTotal, because static and heuristic scanners analyzed the clean outer layer of the dropper rather than its hidden JavaScript contents.
Discord Theft and Injection
Once active, Cipher aggressively targets Discord by first stealing stored session tokens from LevelDB databases across all installed Discord clients and Chromium-based browsers, then validating each token against Discord’s live API.
On the official Discord desktop app, a second stage is downloaded from GitHub (Source: JFrog)
For systems running BetterDiscord, the malware patches the application’s core index.js file to neutralize its built-in webhook protection, ensuring that all stolen data can be sent to the attacker’s Discord webhook without interference.
On the official Discord desktop client, a secondary JavaScript payload is pulled from an active GitHub repository and injected directly into the app, forcing the user to log out and capturing their email, password, two-factor authentication codes, and even payment card details upon re-login.
The injected script also modifies Discord’s startup files to persist across every reboot, and it is capable, though not activated in this campaign, of tricking users in 13 languages into voluntarily changing their account email address, as reported by JFrog security researchers.
Browser and Wallet Exfiltration
Browser credential theft operates on two fronts simultaneously. The JavaScript component uses Windows DPAPI decryption libraries to directly extract master encryption keys from browser Local State files, then queries the Login Data SQLite database to steal saved passwords from Chrome, Brave, Edge, Opera, and Yandex.
A parallel Python script, downloaded and installed silently if Python is not already present, covers an even wider range of browsers including Firefox, Vivaldi, CocCoc, and QQ Browser, pulling cookies, credit cards, autofill data, bookmarks, and full browsing history.
Meanwhile, the malware scans the system for cryptocurrency wallet directories linked to Bitcoin, Ethereum, Exodus, Electrum, Atomic Wallet, and several others, copying their contents to a staging folder disguised as a Windows system service before attempting to decrypt the Exodus wallet seed file.
All stolen data is compressed into a ZIP archive and uploaded to Gofile or a fallback command-and-control server, with a summary report, including password count, cookie count, wallet names, and file download links, sent directly to the attacker’s Discord webhook.
Both npm packages have been removed and the Dropbox links are no longer active, though the secondary GitHub repository hosting the injection script remained live at the time of discovery.
Users potentially exposed to these packages should immediately uninstall the packages, reinstall the Discord desktop application, rotate all passwords and session tokens, and audit their cryptocurrency wallets for unauthorised access.
The post Malicious npm Packages Posing as Solara Executor Target Discord, Browsers, and Crypto Wallets appeared first on Cyber Security News.