A new supply-chain threat has surfaced in the npm ecosystem, where attackers hid a sophisticated information stealer inside packages that looked harmless. On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas reported finding two malicious packages built to deliver the Cipher infostealer. The malware poses as a Roblox script executor called "Solara" and targets Windows systems to quietly steal Discord credentials, browser data, and cryptocurrency wallets.
The campaign used two npm packages, bluelite-bot-manager and test-logsmodule-v-zisko, both of which have since been taken down. Each package used an install script that npm runs before installation to download a Windows executable from Dropbox. Because that executable is only a dropper, it evaded almost all static and heuristic antivirus engines when it was uploaded to VirusTotal.
[Figure: VirusTotal scan result for the uploaded executable (Source: JFrog)]
Inside, the dropper concealed a 321MB archive containing obfuscated JavaScript, a full Node.js environment, and an embedded Python script. By avoiding traditional malware signatures and hiding the real payload inside a clean-looking outer layer, the attackers escaped immediate detection.
The payload also included elevate.exe, a legitimate tool that can be abused to run commands with elevated system privileges.
Injection of the Discord Client
The Cipher stealer's main goal is to compromise Discord accounts by disabling built-in security features and modifying client files. The malware alters BetterDiscord's core files to bypass its webhook protections, ensuring that stolen credentials reach the attacker's server without being blocked.
[Figure: On the official Discord desktop app, a second stage is downloaded from GitHub (Source: JFrog)]
For the official Discord desktop app, the injected JavaScript downloads an additional payload from a live GitHub repository. The injected script forces users to log out and, when they log back in, captures their passwords, two-factor authentication codes, and credit card details.
For persistence, the malware modifies Discord's installation files so that the malicious script runs automatically every time the app starts.
Browser and Crypto Wallet Theft
The malware also sweeps the victim's entire system for sensitive data. If Python is not already present on the system, it silently downloads and installs it so the theft can proceed.
According to JFrog, it harvests passwords, cookies, autofill data, and browsing history from the local databases of Chrome, Edge, Brave, Opera, and Yandex. At the same time, the script searches for wallet files associated with Bitcoin, Ethereum, Exodus, Electrum, and several other cryptocurrencies, and it actively attempts to decrypt Exodus wallet seed files using local libraries.
Once collected, the data is moved to a temporary staging directory, compressed into a ZIP archive, and exfiltrated to the attacker through file-sharing services or a command-and-control server.
Reducing the damage and responding
The npm packages and Dropbox links have been disabled, but users who may have been affected should take immediate action:
Reinstall the Discord desktop app from scratch and remove the malicious npm packages from all of your development environments.
Change all compromised passwords, Discord tokens, and session cookies right away.
Verify that all cryptocurrency wallets are secure, and move funds if they are not.