Sophisticated npm-Based Infostealer Targets Windows Users via Malicious Packages On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas uncovered a stealthy cyberattack leveraging the npm ecosystem to distribute the Cipher infostealer. The malware, disguised as a Roblox script executor named "Solara," was embedded in two now-removed npm packages: bluelite-bot-manager and test-logsmodule-v-zisko. The attack chain began with pre-install scripts in the npm packages, which downloaded a Windows executable from Dropbox. Despite appearing benign on VirusTotal where it evaded nearly all antivirus detection the executable acted as a dropper, concealing a 321MB archive containing obfuscated JavaScript, a full Node.js environment, and an embedded Python script. The payload also included elevate.exe, a legitimate tool repurposed to escalate privileges. ### Discord Account Compromise Cipher prioritized Discord credential theft, employing two distinct methods: - BetterDiscord: The malware patched core files to disable webhook protections, ensuring stolen data reached attackers unimpeded. - Official Discord App: A second-stage payload, downloaded from a live GitHub repository, forced users to log out, then captured credentials, 2FA codes, and credit card details upon re-login. Persistence was achieved by modifying Discord’s installation files to auto-execute the malicious script. ### Browser & Cryptocurrency Theft The malware conducted a system-wide sweep for sensitive data, targeting: - Browsers: Chrome, Edge, Brave, Opera, and Yandex stealing passwords, cookies, autofill data, and browsing history. - Cryptocurrency Wallets: Bitcoin, Ethereum, Exodus, Electrum, and others. It actively decrypted Exodus wallet seed files using local libraries. - Python Dependency: If Python wasn’t installed, the malware silently downloaded it to ensure successful data exfiltration. Stolen data was compressed into a ZIP file and transmitted to attackers via file-sharing services or a command-and-control server. ### Response & Mitigation While the malicious npm packages and Dropbox links have been neutralized, the campaign highlights the risks of supply-chain attacks in open-source ecosystems. The use of obfuscation, legitimate tools (elevate.exe), and multi-stage payloads allowed the malware to evade detection, underscoring the need for vigilance in dependency management.

Massive Infostealer Database Exposes 184 Million Credentials in Latest Cybersecurity Threat Cybersecurity researcher Jeremiah Fowler recently uncovered an unsecured database containing over 184 million unique login credentials, underscoring the escalating danger posed by infostealer malware. The exposed data—including emails, passwords, and authorization URLs—spanned a wide range of services, from Microsoft, Facebook, and Instagram to financial institutions, healthcare portals, and government accounts. Unlike traditional data breaches, this trove was likely compiled by infostealers, a type of malware designed to silently extract credentials from infected devices. These malicious programs harvest data from browsers, email clients, messaging apps, and even cryptocurrency wallets, often spreading via phishing emails, malicious websites, or cracked software. The database’s removal from public access does not mitigate the broader threat, as infostealers continue to operate at scale. The sheer volume of exposed credentials suggests millions of individuals may be affected, though the number of unique victims is likely lower due to multiple accounts per user. Modern infostealers go beyond simple password theft, capturing autofill data, cookies, screenshots, and keystrokes, enabling attackers to bypass security measures and launch credential stuffing attacks, account takeovers, identity theft, and targeted phishing campaigns. This incident highlights the pervasive nature of infostealer infections, which allow cybercriminals to build detailed profiles of victims’ digital lives. While the exposed database has been secured, the underlying threat remains, with malware like Lumma Stealer (recently disrupted by authorities) representing just one of many sophisticated variants in circulation.

A hacker bribed a Roblox worker to gain access to the back-end customer support panel. Roblox is available across PC, Xbox, and mobile devices. Users can create their own games with their platform's engine or play others' creations. Roblox also leans heavily into microtransactions, with users able to buy game passes to access more powers and abilities, or they can purchase cosmetic items for their character with in-game currency. Roblox game developers can also cash out and earn real money from their creations. The hacker got the ability to look up personal information on over 100 million active monthly users and grant virtual in-game currency. The hacker accessed users' email addresses, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more. The screenshots shared with Motherboard include the personal information of some of the most high-profile users on the platform.