CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 12, 2026

Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets

Cybersecurity News Archived Jun 12, 2026 ✓ Full text saved

A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI. The operation, tracked as “Solana FakeFix,” deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or […] The post Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets appeared first on Cyber Securi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets By Tushar Subhra Dutta June 12, 2026 A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI. The operation, tracked as “Solana FakeFix,” deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or imported. The campaign stands out for how convincing its lures are. Instead of using random package names, the threat actor crafted names closely resembling real Solana tooling, such as solana-web3-stable, solana-rpc-client, and @solana-labs/web3.js. Developers dealing with build issues or dependency conflicts were the prime targets, making the attack feel like a helpful fix rather than a threat. Analysts at JFrog Security Research identified the campaign and published a detailed report shared with Cyber Security News (CSN). JFrog’s findings split the operation into two distinct clusters: the Solana FakeFix group of 20 packages targeting Solana developers, and a CMS-themed cluster of 5 packages that loaded hidden Windows executables on infected machines. The campaign also shows a clear evolution in technique. Early versions used simple install-time scripts, while later versions shipped fully functional Solana bundles with stealer code injected after legitimate exports, making detection much harder. The threat actor promoted packages through GitHub issue spam, opening nine issues across different projects and framing the malicious package as a community fix for the real Solana SDK. The total scope includes 16 malicious npm packages and 4 PyPI packages under the FakeFix banner, plus 5 additional npm packages in the CMS loader group. Solana FakeFix Campaign Overview (Source – JFrog) Each package was carefully built to appear functional during testing while quietly executing a stealer payload in the background. Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages The packages used two delivery paths depending on the platform. On npm, a postinstall lifecycle hook fired a JavaScript payload the moment a developer ran an install command, requiring no further action. On PyPI, malicious code lived inside the __init__.py file and ran as soon as the package was imported in any script, notebook, or test. Once triggered, the payload searched for Solana keypair files, SSH private keys, AWS credential files, .env files, and environment variables containing names like KEY, SECRET, MNEMONIC, or PASSWORD. All stolen data was sent to an attacker-controlled Telegram bot in real time. CMS Windows Loader Campaign Overview (Source – JFrog) More advanced packages also installed persistent backdoors that polled Telegram for remote commands. The attacker could grab SSH keys, pull environment variables, or run arbitrary shell commands on the victim machine. One variant tried to drain the victim’s Solana funds and redirect local RPC settings, turning a one-time stealer into a persistent remote access threat. The actor also ran a fake MEV bot package called solana-mev-bot, using social engineering to ask users to paste their Solana private key directly. It presented itself as an automated profit tool, phishing the one credential needed to empty a wallet entirely. CMS Windows Loader: A Second Hidden Cluster The second cluster targeted Windows developers through a completely different payload family. Packages like cms-storehub, cms-helpgit, and cms-github used npm install-time PowerShell scripts to install the Deno runtime and fetch remote JavaScript from an attacker-controlled server. The loader established persistence through Windows Registry Run keys and pulled a dynamic second-stage payload on a 30-second loop. Two other packages, to-cms and shopifyto-cms, acted as download-and-execute droppers. They fetched a Windows executable, launched it from the temp directory, and attempted to erase the evidence afterward. The attacker’s server also received registration telemetry, giving the operator a live record of compromised systems. JFrog recommends that developers immediately remove all affected packages, rotate Solana wallets and any secrets potentially exposed, and audit machines for persistence artifacts including Registry Run keys, scheduled tasks, and crontab entries. Rebuilding CI runners from clean images is strongly advised over relying on package removal alone. Any package that triggers network access at install time or runs hidden PowerShell scripts should be treated as a serious red flag. Indicators of Compromise (IoCs):- Affected Packages Type Indicator Description npm Package @solana-labs/ancor Malicious Solana SDK impersonator (XRAY-997667) npm Package @solana-labs/etherjs Malicious Solana SDK impersonator (XRAY-997672) npm Package @solana-labs/spl-toke Malicious Solana SDK impersonator (XRAY-997661) npm Package @solana-labs/web3-js Malicious Solana SDK impersonator (XRAY-997666) npm Package @solana-labs/web3.js Malicious Solana SDK impersonator (XRAY-997659) npm Package @solana-labs/web3js Malicious Solana SDK impersonator (XRAY-997665) npm Package cms-github CMS Windows loader (XRAY-993898) npm Package cms-helpgit CMS Windows loader (XRAY-993899) npm Package cms-storehub CMS Windows loader (XRAY-993703) npm Package shopifyto-cms CMS dropper (XRAY-993885) npm Package solana-js-client Malicious Solana package (XRAY-997805) npm Package solana-mev-bot Fake MEV bot / private key phisher (XRAY-998837) npm Package solana-rpc-client Malicious Solana SDK impersonator (XRAY-997811) npm Package solana-web3-community Malicious Solana package (XRAY-997807) npm Package solana-web3-fixed Malicious Solana package (XRAY-997809) npm Package solana-web3-fork Malicious Solana package (XRAY-997799) npm Package solana-web3-lts Malicious Solana package (XRAY-997810) npm Package solana-web3-patched Malicious Solana package (XRAY-997800) npm Package solana-web3-stable Malicious Solana package (XRAY-997812) npm Package solana-web3-v1 Malicious Solana package (XRAY-997808) npm Package to-cms CMS dropper (XRAY-989687) PyPI Package solana-cli-py Malicious PyPI Solana package (XRAY-998590) PyPI Package solana-web3 Malicious PyPI Solana package (XRAY-998591) PyPI Package solana-web3-py Malicious PyPI Solana package (XRAY-998594) PyPI Package spl-token-py Malicious PyPI Solana package (XRAY-998595) Telegram C2 IOCs Type Indicator Description Telegram Bot Token 8870595195:AAHcwv2ZMYZU9ia_xj… Attacker Telegram C2 bot token Telegram Bot Token 8628389567:AAHeoLi034Vg6JI… Attacker Telegram C2 bot token Telegram Bot Token 8604278531:AAE_AAlOXE-5wWs… Attacker Telegram C2 bot token Telegram Chat ID 8346336575 Attacker Telegram chat ID Telegram Chat ID -1003931822407 Attacker Telegram chat ID Network and Wallet IOCs Type Indicator Description Solana Wallet D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7 Attacker’s Solana drain wallet IP / URL hxxp[:]//104[.]239[.]66[.]223:8899 Malicious Solana RPC endpoint URL hxxp[:]//77[.]90[.]185[.]225/v026a4a141fd9e7d2dd.js Remote Deno loader (first stage) URL hxxp[:]//77[.]90[.]185[.]225/v26a4a141fd9e7d2dd.js Remote Deno second-stage loader URL hxxp[:]//77[.]90[.]185[.]225/health Remote Deno health endpoint URL hxxp[:]//77[.]90[.]185[.]225/message Remote Deno registration endpoint URL hxxp[:]//77[.]90[.]185[.]225/v2{id}.js Remote Deno dynamic payload pattern URL hxxp[:]//77[.]90[.]185[.]225/v0277dff354c59f92d3.js Remote Deno loader variant URL hxxp[:]//77[.]90[.]185[.]225/ae83b0125aa433a7.js Remote Deno loader variant URL hxxp[:]//77[.]90[.]185[.]225/de2079d13aa5d620.js Remote Deno loader variant URL hxxp[:]//77[.]90[.]185[.]225/6bc8fb9ad965fbb0.js Remote Deno loader variant URL hxxps[:]//raw[.]githubusercontent[.]com/PassWord1337/updates/main/install.js Self-update URL (no longer available) URL hxxps[:]//meet-fr[.]com/ChromeSetup.exe EXE download URL URL hxxps[:]//whiteshopify[.]replit[.]app/api/aCpsuydgwbasd.exe EXE download URL (no longer available) GitHub Actor PassWord1337 Threat actor GitHub username used for issue spam and hosting Targeted File Paths and Persistence Indicators Type Indicator Description File Path ~/.config/solana/id.json Solana keypair target (Linux/macOS) File Path ~/.solana/id.json Solana keypair target (Linux/macOS) File Path %APPDATA%\Solana\id.json Solana keypair target (Windows) File Path ~/.ssh/id_rsa SSH private key target File Path ~/.ssh/id_ed25519 SSH private key target File Path ~/.aws/credentials AWS credentials target File Path .env / .env.local / .env.production Environment secrets target File Path keypair.json / wallet.json / secrets.json Wallet file targets Persistence HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Registry Run key persistence Persistence Windows Scheduled Task Scheduled task persistence mechanism Persistence macOS LaunchAgent macOS persistence mechanism Persistence Unix crontab @reboot Unix crontab persistence entry Persistence conhost.exe –headless <deno> -A <hash>.js Windows process masquerading for Deno persistence Mutex 127.0.0.1:10092 Local mutex listener on Windows startup Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects Oracle Emergency Security Update to Fix Critical RCE Vulnerability Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email Latest News Cyber Security News Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Cyber Security News Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code Cyber Security Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data Cyber Attack News Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters Cyber Security CISA Requires Federal Agencies to Patch Critical Vulnerabilities Within 3 Days
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 12, 2026
    Archived
    Jun 12, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗