JFrog security researchers Guy Korolevski and Meitar Palas uncovered a sophisticated supply chain attack <\/a>on the npm ecosystem on March 12, 2026, in which threat actors disguised an information-stealing malware as a legitimate Roblox script executor. <\/p>\n The campaign, self-named Cipher stealer<\/a>, used two malicious packages\u00a0 Each malicious package included a pre-install script that silently downloaded and executed a Windows binary called\u00a0 The executable functioned as a dropper, concealing a 321MB archive that held obfuscated JavaScript, a full Node.js runtime, and an embedded Python script<\/a>, all the components needed to run the stealer without any setup by the attacker. <\/p>\n Despite the sophistication of its payload, the executable was flagged by only one antivirus engine on VirusTotal, because static and heuristic scanners analyzed the clean outer layer of the dropper rather than its hidden JavaScript contents.<\/a>\u200b<\/p>\n Once active, Cipher aggressively targets Discord by first stealing stored session tokens from LevelDB databases across all installed Discord clients and Chromium-based browsers, then validating each token against Discord\u2019s live API. <\/p>\n For systems running BetterDiscord, the malware patches the application\u2019s core\u00a0 On the official Discord desktop client, a secondary JavaScript payload is pulled from an active GitHub repository<\/a> and injected directly into the app, forcing the user to log out and capturing their email, password, two-factor authentication codes, and even payment card details upon re-login. <\/p>\n The injected script also modifies Discord\u2019s startup files to persist across every reboot, and it is capable, though not activated in this campaign, of tricking users in 13 languages into voluntarily changing their account email address, as reported by JFrog security researchers<\/a>.<\/a>\u200b<\/p>\n Browser credential theft operates on two fronts simultaneously. The JavaScript component uses Windows DPAPI decryption libraries to directly extract master encryption keys from browser Local State files, then queries the Login Data SQLite database <\/a>to steal saved passwords from Chrome, Brave, Edge, Opera, and Yandex. <\/p>\n A parallel Python script, downloaded and installed silently if Python is not already present, covers an even wider range of browsers including Firefox, Vivaldi, CocCoc, and QQ Browser, pulling cookies, credit cards, autofill data, bookmarks, and full browsing history. <\/p>\n Meanwhile, the malware scans the system for cryptocurrency wallet directories linked to Bitcoin, Ethereum, Exodus, Electrum, Atomic Wallet, and several others, copying their contents to a staging folder disguised as a Windows system service before attempting to decrypt the Exodus wallet seed file.<\/a>\u200b<\/p>\n All stolen data is compressed into a ZIP archive and uploaded to Gofile or a fallback command-and-control server, with a summary report, including password count, cookie count, wallet names, and file download links, sent directly to the attacker\u2019s Discord webhook. <\/p>\n Both npm packages have been removed and the Dropbox links are no longer active, though the secondary GitHub repository hosting the injection script remained live at the time of discovery. <\/p>\n Users potentially exposed to these packages should immediately uninstall the packages, reinstall the Discord desktop application, rotate all passwords and session tokens, and audit their cryptocurrency wallets for unauthorised access.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n <\/a><\/p>\n The post Malicious npm Packages Posing as Solara Executor Target Discord, Browsers, and Crypto Wallets<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nbluelite-bot-manager<\/code>\u00a0and\u00a0test-logsmodule-v-zisko<\/code>, to deliver a Windows executable capable of harvesting Discord credentials, browser data, and cryptocurrency wallet files from infected systems.<\/a>\u200b<\/p>\nsolara 1.0.0.exe<\/code>\u00a0or\u00a0solara 1.0.1.exe<\/code>\u00a0from a Dropbox-hosted URL, requiring no interaction from the victim. <\/p>\n![\"Uploading](\"https:\/\/i0.wp.com\/cyberpress.org\/wp-content\/uploads\/2026\/03\/image-39-1024x429.png?resize=1024%2C429&ssl=1\")
Discord Theft and Injection<\/strong><\/h2>\n
![\"On\u00a0Discord\u00a0official](\"https:\/\/i0.wp.com\/cyberpress.org\/wp-content\/uploads\/2026\/03\/image-40.png?ssl=1\")
index.js<\/code>\u00a0file to neutralize its built-in webhook protection, ensuring that all stolen data can be sent to the attacker\u2019s Discord webhook without interference. <\/p>\nBrowser and Wallet Exfiltration<\/strong><\/h2>\n