Solana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secrets
JFrog uncovered the Solana FakeFix campaign, deploying 25 malicious npm and PyPI packages targeting Solana developers to steal wallet keys, cloud credentials, and SSH keys.
A newly discovered supply chain campaign is putting Solana developers at serious risk, with attackers hiding malicious code inside fake developer packages on npm and PyPI. The operation, tracked as "Solana FakeFix," deployed 25 malicious packages designed to steal wallet keys, cloud credentials, SSH keys, and developer secrets the moment a package is installed or imported.
The campaign stands out for how convincing its lures are. Instead of using random package names, the threat actor crafted names closely resembling real Solana tooling, such as solana-web3-stable, solana-rpc-client, and @solana-labs/web3.js. Developers dealing with build issues or dependency conflicts were the prime targets, making the attack feel like a helpful fix rather than a threat.
Analysts at JFrog Security Research identified the campaign and published a detailed report shared with Cyber Security News. JFrog's findings split the operation into two distinct clusters: the Solana FakeFix group of 20 packages targeting Solana developers, and a CMS-themed cluster of 5 packages that loaded hidden Windows executables on infected machines.
The campaign also shows a clear evolution in technique. Early versions used simple install-time scripts, while later versions shipped fully functional Solana bundles with stealer code injected after legitimate exports, making detection much harder. The threat actor promoted packages through GitHub issue spam, opening nine issues across different projects and framing the malicious package as a community fix for the real Solana SDK.
The packages used two delivery paths depending on the platform. On npm, a postinstall lifecycle hook fired a JavaScript payload the moment a developer ran an install command, requiring no further action. On PyPI, malicious code lived inside the __init__.py file and ran as soon as the package was imported in any script, notebook, or test. Once triggered, the payload searched for Solana keypair files, SSH private keys, AWS credential files, .env files, and environment variables containing names like KEY, SECRET, MNEMONIC, or PASSWORD. All stolen data was sent to an attacker-controlled Telegram bot in real time.
More advanced packages also installed persistent backdoors that polled Telegram for remote commands. The attacker could grab SSH keys, pull environment variables, or run arbitrary shell commands on the victim machine. One variant tried to drain the victim's Solana funds and redirect local RPC settings, turning a one-time stealer into a persistent remote access threat. The actor also ran a fake MEV bot package called solana-mev-bot, using social engineering to ask users to paste their Solana private key directly.
The second cluster targeted Windows developers through a completely different payload family. Packages like cms-storehub, cms-helpgit, and cms-github used npm install-time PowerShell scripts to install the Deno runtime and fetch remote JavaScript from an attacker-controlled server. The loader established persistence through Windows Registry Run keys and pulled a dynamic second-stage payload on a 30-second loop. Two other packages, to-cms and shopifyto-cms, acted as download-and-execute droppers.
JFrog recommends that developers immediately remove all affected packages, rotate Solana wallets and any secrets potentially exposed, and audit machines for persistence artifacts including Registry Run keys, scheduled tasks, and crontab entries. Rebuilding CI runners from clean images is strongly advised over relying on package removal alone.