Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets

A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI.

The operation, tracked as “Solana FakeFix,” deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or imported.

The campaign stands out for how convincing its lures are. Instead of using random package names, the threat actor crafted names closely resembling real Solana tooling, such as solana-web3-stable, solana-rpc-client, and @solana-labs/web3.js.

Developers dealing with build issues or dependency conflicts were the prime targets, making the attack feel like a helpful fix rather than a threat.

Analysts at JFrog Security Research identified the campaign and published a detailed report shared with Cyber Security News (CSN).

JFrog’s findings split the operation into two distinct clusters: the Solana FakeFix group of 20 packages targeting Solana developers, and a CMS-themed cluster of 5 packages that loaded hidden Windows executables on infected machines.

The campaign also shows a clear evolution in technique. Early versions used simple install-time scripts, while later versions shipped fully functional Solana bundles with stealer code injected after legitimate exports, making detection much harder.

The threat actor promoted packages through GitHub issue spam, opening nine issues across different projects and framing the malicious package as a community fix for the real Solana SDK.

The total scope includes 16 malicious npm packages and 4 PyPI packages under the FakeFix banner, plus 5 additional npm packages in the CMS loader group.

Each package was carefully built to appear functional during testing while quietly executing a stealer payload in the background.

Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages

The packages used two delivery paths depending on the platform. On npm, a postinstall lifecycle hook fired a JavaScript payload the moment a developer ran an install command, requiring no further action.

On PyPI, malicious code lived inside the __init__.py file and ran as soon as the package was imported in any script, notebook, or test.

Once triggered, the payload searched for Solana keypair files, SSH private keys, AWS credential files, .env files, and environment variables containing names like KEY, SECRET, MNEMONIC, or PASSWORD. All stolen data was sent to an attacker-controlled Telegram bot in real time.

More advanced packages also installed persistent backdoors that polled Telegram for remote commands. The attacker could grab SSH keys, pull environment variables, or run arbitrary shell commands on the victim machine.

One variant tried to drain the victim’s Solana funds and redirect local RPC settings, turning a one-time stealer into a persistent remote access threat.

The actor also ran a fake MEV bot package called solana-mev-bot, using social engineering to ask users to paste their Solana private key directly. It presented itself as an automated profit tool, phishing the one credential needed to empty a wallet entirely.

The second cluster targeted Windows developers through a completely different payload family. Packages like cms-storehub, cms-helpgit, and cms-github used npm install-time PowerShell scripts to install the Deno runtime and fetch remote JavaScript from an attacker-controlled server.

The loader established persistence through Windows Registry Run keys and pulled a dynamic second-stage payload on a 30-second loop.

Two other packages, to-cms and shopifyto-cms, acted as download-and-execute droppers.

They fetched a Windows executable, launched it from the temp directory, and attempted to erase the evidence afterward. The attacker’s server also received registration telemetry, giving the operator a live record of compromised systems.

JFrog recommends that developers immediately remove all affected packages, rotate Solana wallets and any secrets potentially exposed, and audit machines for persistence artifacts including Registry Run keys, scheduled tasks, and crontab entries.

Rebuilding CI runners from clean images is strongly advised over relying on package removal alone. Any package that triggers network access at install time or runs hidden PowerShell scripts should be treated as a serious red flag.

Indicators of Compromise (IoCs):-

Affected Packages

Type	Indicator	Description
npm Package	@solana-labs/ancor	Malicious Solana SDK impersonator (XRAY-997667)
npm Package	@solana-labs/etherjs	Malicious Solana SDK impersonator (XRAY-997672)
npm Package	@solana-labs/spl-toke	Malicious Solana SDK impersonator (XRAY-997661)
npm Package	@solana-labs/web3-js	Malicious Solana SDK impersonator (XRAY-997666)
npm Package	@solana-labs/web3.js	Malicious Solana SDK impersonator (XRAY-997659)
npm Package	@solana-labs/web3js	Malicious Solana SDK impersonator (XRAY-997665)
npm Package	cms-github	CMS Windows loader (XRAY-993898)
npm Package	cms-helpgit	CMS Windows loader (XRAY-993899)
npm Package	cms-storehub	CMS Windows loader (XRAY-993703)
npm Package	shopifyto-cms	CMS dropper (XRAY-993885)
npm Package	solana-js-client	Malicious Solana package (XRAY-997805)
npm Package	solana-mev-bot	Fake MEV bot / private key phisher (XRAY-998837)
npm Package	solana-rpc-client	Malicious Solana SDK impersonator (XRAY-997811)
npm Package	solana-web3-community	Malicious Solana package (XRAY-997807)
npm Package	solana-web3-fixed	Malicious Solana package (XRAY-997809)
npm Package	solana-web3-fork	Malicious Solana package (XRAY-997799)
npm Package	solana-web3-lts	Malicious Solana package (XRAY-997810)
npm Package	solana-web3-patched	Malicious Solana package (XRAY-997800)
npm Package	solana-web3-stable	Malicious Solana package (XRAY-997812)
npm Package	solana-web3-v1	Malicious Solana package (XRAY-997808)
npm Package	to-cms	CMS dropper (XRAY-989687)
PyPI Package	solana-cli-py	Malicious PyPI Solana package (XRAY-998590)
PyPI Package	solana-web3	Malicious PyPI Solana package (XRAY-998591)
PyPI Package	solana-web3-py	Malicious PyPI Solana package (XRAY-998594)
PyPI Package	spl-token-py	Malicious PyPI Solana package (XRAY-998595)

Telegram C2 IOCs

Type	Indicator	Description
Telegram Bot Token	8870595195:AAHcwv2ZMYZU9ia_xj…	Attacker Telegram C2 bot token
Telegram Bot Token	8628389567:AAHeoLi034Vg6JI…	Attacker Telegram C2 bot token
Telegram Bot Token	8604278531:AAE_AAlOXE-5wWs…	Attacker Telegram C2 bot token
Telegram Chat ID	8346336575	Attacker Telegram chat ID
Telegram Chat ID	-1003931822407	Attacker Telegram chat ID

Network and Wallet IOCs

Type	Indicator	Description
Solana Wallet	D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7	Attacker’s Solana drain wallet
IP / URL	hxxp[:]//104[.]239[.]66[.]223:8899	Malicious Solana RPC endpoint
URL	hxxp[:]//77[.]90[.]185[.]225/v026a4a141fd9e7d2dd.js	Remote Deno loader (first stage)
URL	hxxp[:]//77[.]90[.]185[.]225/v26a4a141fd9e7d2dd.js	Remote Deno second-stage loader
URL	hxxp[:]//77[.]90[.]185[.]225/health	Remote Deno health endpoint
URL	hxxp[:]//77[.]90[.]185[.]225/message	Remote Deno registration endpoint
URL	hxxp[:]//77[.]90[.]185[.]225/v2{id}.js	Remote Deno dynamic payload pattern
URL	hxxp[:]//77[.]90[.]185[.]225/v0277dff354c59f92d3.js	Remote Deno loader variant
URL	hxxp[:]//77[.]90[.]185[.]225/ae83b0125aa433a7.js	Remote Deno loader variant
URL	hxxp[:]//77[.]90[.]185[.]225/de2079d13aa5d620.js	Remote Deno loader variant
URL	hxxp[:]//77[.]90[.]185[.]225/6bc8fb9ad965fbb0.js	Remote Deno loader variant
URL	hxxps[:]//raw[.]githubusercontent[.]com/PassWord1337/updates/main/install.js	Self-update URL (no longer available)
URL	hxxps[:]//meet-fr[.]com/ChromeSetup.exe	EXE download URL
URL	hxxps[:]//whiteshopify[.]replit[.]app/api/aCpsuydgwbasd.exe	EXE download URL (no longer available)
GitHub Actor	PassWord1337	Threat actor GitHub username used for issue spam and hosting

Targeted File Paths and Persistence Indicators

Type	Indicator	Description
File Path	~/.config/solana/id.json	Solana keypair target (Linux/macOS)
File Path	~/.solana/id.json	Solana keypair target (Linux/macOS)
File Path	%APPDATA%Solanaid.json	Solana keypair target (Windows)
File Path	~/.ssh/id_rsa	SSH private key target
File Path	~/.ssh/id_ed25519	SSH private key target
File Path	~/.aws/credentials	AWS credentials target
File Path	.env / .env.local / .env.production	Environment secrets target
File Path	keypair.json / wallet.json / secrets.json	Wallet file targets
Persistence	HKCUSoftwareMicrosoftWindowsCurrentVersionRun	Windows Registry Run key persistence
Persistence	Windows Scheduled Task	Scheduled task persistence mechanism
Persistence	macOS LaunchAgent	macOS persistence mechanism
Persistence	Unix crontab @reboot	Unix crontab persistence entry
Persistence	conhost.exe –headless <deno> -A <hash>.js	Windows process masquerading for Deno persistence
Mutex	127.0.0.1:10092	Local mutex listener on Windows startup

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.