A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI.
The operation, tracked as “Solana FakeFix,” deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or imported.
The campaign stands out for how convincing its lures are. Instead of using random package names, the threat actor crafted names closely resembling real Solana tooling, such as solana-web3-stable, solana-rpc-client, and @solana-labs/web3.js.
Developers dealing with build issues or dependency conflicts were the prime targets, making the attack feel like a helpful fix rather than a threat.
Analysts at JFrog Security Research identified the campaign and published a detailed report shared with Cyber Security News (CSN).
JFrog’s findings split the operation into two distinct clusters: the Solana FakeFix group of 20 packages targeting Solana developers, and a CMS-themed cluster of 5 packages that loaded hidden Windows executables on infected machines.
The campaign also shows a clear evolution in technique. Early versions used simple install-time scripts, while later versions shipped fully functional Solana bundles with stealer code injected after legitimate exports, making detection much harder.
The threat actor promoted packages through GitHub issue spam, opening nine issues across different projects and framing the malicious package as a community fix for the real Solana SDK.
The total scope includes 16 malicious npm packages and 4 PyPI packages under the FakeFix banner, plus 5 additional npm packages in the CMS loader group.
Each package was carefully built to appear functional during testing while quietly executing a stealer payload in the background.
Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages
The packages used two delivery paths depending on the platform. On npm, a postinstall lifecycle hook fired a JavaScript payload the moment a developer ran an install command, requiring no further action.
On PyPI, malicious code lived inside the __init__.py file and ran as soon as the package was imported in any script, notebook, or test.
Once triggered, the payload searched for Solana keypair files, SSH private keys, AWS credential files, .env files, and environment variables containing names like KEY, SECRET, MNEMONIC, or PASSWORD. All stolen data was sent to an attacker-controlled Telegram bot in real time.
More advanced packages also installed persistent backdoors that polled Telegram for remote commands. The attacker could grab SSH keys, pull environment variables, or run arbitrary shell commands on the victim machine.
One variant tried to drain the victim’s Solana funds and redirect local RPC settings, turning a one-time stealer into a persistent remote access threat.
The actor also ran a fake MEV bot package called solana-mev-bot, using social engineering to ask users to paste their Solana private key directly. It presented itself as an automated profit tool, phishing the one credential needed to empty a wallet entirely.
CMS Windows Loader: A Second Hidden Cluster
The second cluster targeted Windows developers through a completely different payload family. Packages like cms-storehub, cms-helpgit, and cms-github used npm install-time PowerShell scripts to install the Deno runtime and fetch remote JavaScript from an attacker-controlled server.
The loader established persistence through Windows Registry Run keys and pulled a dynamic second-stage payload on a 30-second loop.
Two other packages, to-cms and shopifyto-cms, acted as download-and-execute droppers.
They fetched a Windows executable, launched it from the temp directory, and attempted to erase the evidence afterward. The attacker’s server also received registration telemetry, giving the operator a live record of compromised systems.
JFrog recommends that developers immediately remove all affected packages, rotate Solana wallets and any secrets potentially exposed, and audit machines for persistence artifacts including Registry Run keys, scheduled tasks, and crontab entries.
Rebuilding CI runners from clean images is strongly advised over relying on package removal alone. Any package that triggers network access at install time or runs hidden PowerShell scripts should be treated as a serious red flag.
Indicators of Compromise (IoCs):-
Affected Packages
| Type | Indicator | Description |
|---|---|---|
| npm Package | @solana-labs/ancor | Malicious Solana SDK impersonator (XRAY-997667) |
| npm Package | @solana-labs/etherjs | Malicious Solana SDK impersonator (XRAY-997672) |
| npm Package | @solana-labs/spl-toke | Malicious Solana SDK impersonator (XRAY-997661) |
| npm Package | @solana-labs/web3-js | Malicious Solana SDK impersonator (XRAY-997666) |
| npm Package | @solana-labs/web3.js | Malicious Solana SDK impersonator (XRAY-997659) |
| npm Package | @solana-labs/web3js | Malicious Solana SDK impersonator (XRAY-997665) |
| npm Package | cms-github | CMS Windows loader (XRAY-993898) |
| npm Package | cms-helpgit | CMS Windows loader (XRAY-993899) |
| npm Package | cms-storehub | CMS Windows loader (XRAY-993703) |
| npm Package | shopifyto-cms | CMS dropper (XRAY-993885) |
| npm Package | solana-js-client | Malicious Solana package (XRAY-997805) |
| npm Package | solana-mev-bot | Fake MEV bot / private key phisher (XRAY-998837) |
| npm Package | solana-rpc-client | Malicious Solana SDK impersonator (XRAY-997811) |
| npm Package | solana-web3-community | Malicious Solana package (XRAY-997807) |
| npm Package | solana-web3-fixed | Malicious Solana package (XRAY-997809) |
| npm Package | solana-web3-fork | Malicious Solana package (XRAY-997799) |
| npm Package | solana-web3-lts | Malicious Solana package (XRAY-997810) |
| npm Package | solana-web3-patched | Malicious Solana package (XRAY-997800) |
| npm Package | solana-web3-stable | Malicious Solana package (XRAY-997812) |
| npm Package | solana-web3-v1 | Malicious Solana package (XRAY-997808) |
| npm Package | to-cms | CMS dropper (XRAY-989687) |
| PyPI Package | solana-cli-py | Malicious PyPI Solana package (XRAY-998590) |
| PyPI Package | solana-web3 | Malicious PyPI Solana package (XRAY-998591) |
| PyPI Package | solana-web3-py | Malicious PyPI Solana package (XRAY-998594) |
| PyPI Package | spl-token-py | Malicious PyPI Solana package (XRAY-998595) |
Telegram C2 IOCs
| Type | Indicator | Description |
|---|---|---|
| Telegram Bot Token | 8870595195:AAHcwv2ZMYZU9ia_xj… | Attacker Telegram C2 bot token |
| Telegram Bot Token | 8628389567:AAHeoLi034Vg6JI… | Attacker Telegram C2 bot token |
| Telegram Bot Token | 8604278531:AAE_AAlOXE-5wWs… | Attacker Telegram C2 bot token |
| Telegram Chat ID | 8346336575 | Attacker Telegram chat ID |
| Telegram Chat ID | -1003931822407 | Attacker Telegram chat ID |
Network and Wallet IOCs
| Type | Indicator | Description |
|---|---|---|
| Solana Wallet | D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7 | Attacker’s Solana drain wallet |
| IP / URL | hxxp[:]//104[.]239[.]66[.]223:8899 | Malicious Solana RPC endpoint |
| URL | hxxp[:]//77[.]90[.]185[.]225/v026a4a141fd9e7d2dd.js | Remote Deno loader (first stage) |
| URL | hxxp[:]//77[.]90[.]185[.]225/v26a4a141fd9e7d2dd.js | Remote Deno second-stage loader |
| URL | hxxp[:]//77[.]90[.]185[.]225/health | Remote Deno health endpoint |
| URL | hxxp[:]//77[.]90[.]185[.]225/message | Remote Deno registration endpoint |
| URL | hxxp[:]//77[.]90[.]185[.]225/v2{id}.js | Remote Deno dynamic payload pattern |
| URL | hxxp[:]//77[.]90[.]185[.]225/v0277dff354c59f92d3.js | Remote Deno loader variant |
| URL | hxxp[:]//77[.]90[.]185[.]225/ae83b0125aa433a7.js | Remote Deno loader variant |
| URL | hxxp[:]//77[.]90[.]185[.]225/de2079d13aa5d620.js | Remote Deno loader variant |
| URL | hxxp[:]//77[.]90[.]185[.]225/6bc8fb9ad965fbb0.js | Remote Deno loader variant |
| URL | hxxps[:]//raw[.]githubusercontent[.]com/PassWord1337/updates/main/install.js | Self-update URL (no longer available) |
| URL | hxxps[:]//meet-fr[.]com/ChromeSetup.exe | EXE download URL |
| URL | hxxps[:]//whiteshopify[.]replit[.]app/api/aCpsuydgwbasd.exe | EXE download URL (no longer available) |
| GitHub Actor | PassWord1337 | Threat actor GitHub username used for issue spam and hosting |
Targeted File Paths and Persistence Indicators
| Type | Indicator | Description |
|---|---|---|
| File Path | ~/.config/solana/id.json | Solana keypair target (Linux/macOS) |
| File Path | ~/.solana/id.json | Solana keypair target (Linux/macOS) |
| File Path | %APPDATA%\Solana\id.json | Solana keypair target (Windows) |
| File Path | ~/.ssh/id_rsa | SSH private key target |
| File Path | ~/.ssh/id_ed25519 | SSH private key target |
| File Path | ~/.aws/credentials | AWS credentials target |
| File Path | .env / .env.local / .env.production | Environment secrets target |
| File Path | keypair.json / wallet.json / secrets.json | Wallet file targets |
| Persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Windows Registry Run key persistence |
| Persistence | Windows Scheduled Task | Scheduled task persistence mechanism |
| Persistence | macOS LaunchAgent | macOS persistence mechanism |
| Persistence | Unix crontab @reboot | Unix crontab persistence entry |
| Persistence | conhost.exe –headless <deno> -A <hash>.js | Windows process masquerading for Deno persistence |
| Mutex | 127.0.0.1:10092 | Local mutex listener on Windows startup |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
