Sophisticated npm-Based Infostealer Targets Windows Users via Malicious Packages
On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas uncovered a stealthy cyberattack leveraging the npm ecosystem to distribute the Cipher infostealer. The malware, disguised as a Roblox script executor named "Solara," was embedded in two now-removed npm packages: bluelite-bot-manager and test-logsmodule-v-zisko.
The attack chain began with pre-install scripts in the npm packages, which downloaded a Windows executable from Dropbox. Although the executable looked benign on VirusTotal, where it evaded nearly all antivirus engines, it acted as a dropper, concealing a 321MB archive that contained obfuscated JavaScript, a full Node.js runtime, and an embedded Python script. The payload also bundled elevate.exe, a legitimate command-line utility that relaunches a program with administrator rights through a UAC prompt, used here to obtain elevated privileges.
Discord Account Compromise
Cipher prioritized Discord credential theft, employing two distinct methods:
- BetterDiscord: The malware patched BetterDiscord's core files to disable its webhook protections, so that exfiltration over Discord webhooks proceeded unimpeded.
- Official Discord app: A second-stage payload, fetched from a GitHub repository that was still live at the time of analysis, forced the user to log out and then captured the credentials, 2FA codes, and credit card details entered on re-login. Persistence was achieved by modifying Discord's installation files so that the malicious script ran automatically on every launch.
Browser & Cryptocurrency Theft
The malware conducted a system-wide sweep for sensitive data, targeting:
- Browsers: Chrome, Edge, Brave, Opera, and Yandex, stealing saved passwords, cookies, autofill data, and browsing history.
- Cryptocurrency wallets: Bitcoin, Ethereum, Exodus, Electrum, and others. Exodus wallet seed files were actively decrypted on the victim's machine using libraries available locally.
- Python dependency: if Python was not installed, the malware silently downloaded it so that the embedded Python component could run and exfiltration would succeed.
Stolen data was compressed into a ZIP file and transmitted to attackers via file-sharing services or a command-and-control server.
Response & Mitigation
The malicious npm packages and the Dropbox links have been neutralized, but the campaign highlights the risk of supply-chain attacks in open-source ecosystems: code runs on the developer's machine the moment a dependency is installed. The combination of obfuscation, a legitimate tool (elevate.exe), and multi-stage payloads let the malware evade detection, underscoring the need for vigilance in dependency management.
Source: https://cyberpress.org/malicious-npm-campaign-steal-discord-and-crypto-wallet-data/
Dropbox cybersecurity rating report: https://www.rankiteo.com/company/Dropbox
Roblox cybersecurity rating report: https://www.rankiteo.com/company/roblox
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
{
  "id": "DROROBNPMGIT1773476652",
  "linkid": "Dropbox, roblox, npm-inc-, github",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": "Software Development, Gaming (Roblox)",
      "location": "Global",
      "name": "npm users (Windows)",
      "type": "Open-source ecosystem users"
    }
  ],
  "attack_vector": "Malicious npm packages",
  "data_breach": {
    "data_encryption": "No (data was decrypted for exfiltration)",
    "data_exfiltration": "Yes, via file-sharing services or C2 server",
    "file_types_exposed": ["ZIP", "Executables", "JavaScript", "Python scripts"],
    "personally_identifiable_information": "Yes (Discord credentials, credit card details, browser data)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Discord credentials",
      "2FA codes",
      "Credit card details",
      "Browser data (passwords, cookies, autofill, history)",
      "Cryptocurrency wallet seeds"
    ]
  },
  "date_detected": "2026-03-12",
  "date_publicly_disclosed": "2026-03-12",
  "description": "JFrog security researchers uncovered a stealthy cyberattack leveraging the npm ecosystem to distribute the Cipher infostealer. The malware, disguised as a Roblox script executor named 'Solara,' was embedded in two npm packages: bluelite-bot-manager and test-logsmodule-v-zisko. The attack chain involved pre-install scripts downloading a Windows executable from Dropbox, which acted as a dropper for a 321MB archive containing obfuscated JavaScript, Node.js, and Python scripts. The malware targeted Discord credentials, browser data, and cryptocurrency wallets, exfiltrating stolen data via file-sharing services or a C2 server.",
  "impact": {
    "data_compromised": "Discord credentials, 2FA codes, credit card details, browser data (passwords, cookies, autofill, history), cryptocurrency wallet seeds",
    "identity_theft_risk": "High",
    "payment_information_risk": "High",
    "systems_affected": "Windows systems with npm package installations"
  },
  "initial_access_broker": {
    "entry_point": "Malicious npm packages",
    "high_value_targets": "Discord users, cryptocurrency wallet holders"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Highlights risks of supply-chain attacks in open-source ecosystems; need for vigilance in dependency management.",
  "motivation": "Data theft, financial gain",
  "post_incident_analysis": {
    "corrective_actions": "Neutralization of malicious npm packages and Dropbox links; improved detection mechanisms for pre-install scripts and obfuscated payloads",
    "root_causes": "Supply-chain attack via npm ecosystem, use of obfuscation and legitimate tools (elevate.exe) to evade detection"
  },
  "recommendations": "Enhanced scrutiny of npm packages, monitoring for pre-install scripts, and improved detection of obfuscated payloads.",
  "references": [
    { "date_accessed": "2026-03-12", "source": "JFrog Security Research" }
  ],
  "response": {
    "containment_measures": "Malicious npm packages and Dropbox links neutralized",
    "third_party_assistance": "JFrog security researchers"
  },
  "title": "Sophisticated npm-Based Infostealer Targets Windows Users via Malicious Packages",
  "type": "Infostealer",
  "vulnerability_exploited": "Supply-chain attack via npm ecosystem"
}