Malicious npm Packages Steal Discord and Crypto Data
Basically, hackers disguised harmful software as a Roblox tool to steal your online data.
A sophisticated supply chain attack has emerged, targeting Discord and cryptocurrency wallets. Users of npm packages are at risk of having their sensitive data stolen. Immediate action is required to secure accounts and data.
What Happened
On March 12, 2026, JFrog security researchers uncovered a sophisticated supply chain attack targeting the npm ecosystem. The threat actors disguised information-stealing malware as a legitimate Roblox script executor. The campaign, dubbed Cipher stealer, used two malicious npm packages named bluelite-bot-manager and test-logsmodule-v-zisko. These packages delivered a Windows executable that harvested sensitive information, including Discord credentials, browser data, and cryptocurrency wallet files, from infected systems.
The malicious packages contained a pre-install script that silently downloaded and executed a Windows binary called solara 1.0.0.exe or solara 1.0.1.exe from a Dropbox-hosted URL. Because npm runs pre-install scripts automatically during package installation, no interaction from the victim was required, which makes this delivery method particularly dangerous. Despite its sophisticated payload, the executable was flagged by only one antivirus engine on VirusTotal, as it concealed its malicious components within a seemingly harmless outer layer.
Who's Being Targeted
The primary targets of this attack are users of Discord, various web browsers, and cryptocurrency wallets. Once the malware is activated, it aggressively targets Discord by stealing stored session tokens from LevelDB databases across all installed Discord clients and Chromium-based browsers. This allows attackers to validate tokens against Discord’s live API, gaining unauthorized access to user accounts.
For systems running BetterDiscord, the malware even patches the application’s core files to disable built-in protections. This ensures that all stolen data can be sent to the attacker's Discord webhook without any hindrance. The attack is designed to capture sensitive information such as email addresses, passwords, two-factor authentication codes, and payment card details, making it a serious threat to users.
Signs of Infection
Indicators of infection include unusual activity on Discord accounts or unauthorized access to cryptocurrency wallets. The malware operates on multiple fronts, stealing browser credentials and cryptocurrency wallet information simultaneously. It uses Windows DPAPI decryption libraries to extract master encryption keys from browser Local State files and queries the Login Data SQLite database to steal saved passwords from popular browsers like Chrome, Brave, and Firefox.
Moreover, the malware scans for cryptocurrency wallet directories and attempts to decrypt wallet seed files. All stolen data is compressed into a ZIP archive and uploaded to a command-and-control server, with a summary report sent directly to the attacker’s Discord webhook. Users should be vigilant for any unauthorized transactions or changes in their accounts.
How to Protect Yourself
To protect yourself from this attack, users should take immediate action. First, uninstall any potentially malicious npm packages and reinstall the Discord desktop application. Next, rotate all passwords and session tokens to secure accounts against unauthorized access. It's also crucial to audit cryptocurrency wallets for any signs of unauthorized access.
Both malicious npm packages have been removed, and the Dropbox links are no longer active. However, the secondary GitHub repository hosting the injection script was still live at the time of discovery. Staying informed about such threats and taking proactive measures can help safeguard your online presence.
Cyber Security News