Solana FakeFix Campaign: Supply-Chain Attack Targets Developers via Malicious npm and PyPI Packages
A recently uncovered supply-chain attack, dubbed "Solana FakeFix," has exposed a coordinated effort to steal developer secrets through malicious packages on npm and PyPI. The campaign, identified by JFrog Security Research, involved 20 trojanized packages (16 on npm and 4 on PyPI) that impersonated legitimate Solana tooling to harvest sensitive credentials.
How the Attack Worked
The threat actors employed typosquatting and social engineering to trick developers into installing malicious packages. Some packages mimicked well-known Solana libraries, such as:
- @solana-labs/web3.js (a fake "community fork")
- solana-web3-stable (posing as a "stable-build" fix)
- solana-mev-bot (a fake MEV bot prompting users to input private keys)
The attacker, operating under the GitHub account PassWord1337, even spammed GitHub issues to promote a drop-in replacement for @solana/web3.js, urging users to switch via npm commands.
Exploitation Techniques
- npm Packages: Used postinstall scripts to execute malicious JavaScript during installation.
- PyPI Packages: Embedded payloads in __init__.py files, triggering data theft upon import.
- Targeted Secrets: Stolen data included Solana wallet keys, AWS credentials, SSH keys, .env files, and GitHub tokens, identified by keywords like KEY, SECRET, MNEMONIC, and AWS.
- Exfiltration: Data was sent to Telegram C2 channels using hardcoded bot tokens. Later variants added interactive backdoor commands (/keys, /ssh, /env, /sh) and self-update mechanisms.
Evolving Threats
Early versions were crude backdoors, but later packages bundled legitimate Solana code with hidden malicious payloads, making them harder to detect. One variant even tampered with Solana RPC endpoints to drain funds to attacker-controlled wallets.
Related Windows Loader Campaign
JFrog also uncovered a separate but linked campaign involving five npm packages uploaded by the account thermonuclear. These packages:
- Executed PowerShell scripts during installation.
- Dropped Deno-based loaders or Windows EXE payloads.
- Established Registry Run-key persistence and dynamic C2 communication for payload rotation.
Impact & Response
The attack highlights the risks of unverified dependencies in development pipelines. Organizations are advised to:
- Remove affected packages from workstations, CI systems, and caches.
- Rotate exposed Solana wallets, SSH keys, and cloud credentials.
- Rebuild compromised CI runners from trusted images.
- Enforce stricter registry hygiene, including scrutiny of install-time scripts and near-miss package names.
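The last recommendation can be turned into a routine check. The following Python is an added example (not code from the article or from JFrog) that audits a parsed npm package.json for install-time lifecycle hooks and for names that imitate a trusted Solana package; the trusted list, the tolerance of two edits, and the sample manifests are constructed for the example.

```python
import re

# Constructed allow-list of the Solana packages a project legitimately depends on.
TRUSTED = {"@solana/web3.js", "@solana/spl-token"}
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}  # npm hooks that run code at install

def name_tokens(name):
    """Lowercase word tokens of a package name, ignoring scope punctuation and '.js'."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t and t != "js"}

def edit_distance(a, b):
    """Levenshtein distance, for catching single-character typos of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_package(name, trusted=TRUSTED):
    """Trusted name that `name` imitates (look-alike scope, extra word, or <=2 edits), else None."""
    if name in trusted:
        return None
    toks = name_tokens(name)
    for t in trusted:
        if name_tokens(t) <= toks or edit_distance(name, t) <= 2:
            return t
    return None

def audit_manifest(manifest):
    """Findings for one parsed package.json: install-time hooks and near-miss names."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    hooks = sorted(INSTALL_HOOKS & set(manifest.get("scripts", {})))
    if hooks:
        findings.append(f"{name}: runs install-time scripts {hooks}")
    target = imitated_package(name)
    if target:
        findings.append(f"{name}: near miss of trusted package {target}")
    return findings

if __name__ == "__main__":
    # Constructed manifests mirroring the package names reported in the article.
    for m in (
        {"name": "@solana/web3.js", "scripts": {"test": "jest"}},
        {"name": "@solana-labs/web3.js", "scripts": {"postinstall": "node setup.js"}},
        {"name": "solana-web3-stable"},
    ):
        print("\n".join(audit_manifest(m)) or f"{m['name']}: ok")
```

Point the audit at every package.json under node_modules before a build, and treat any hit as a reason to read the package's install script before letting it run.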
The campaign underscores the growing sophistication of supply-chain attacks targeting developers through trusted package registries.
Source: https://gbhackers.com/solana-fakefix-campaign/
PyPI cybersecurity rating report: https://www.rankiteo.com/company/pypi
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
{
  "id": "PYPNPM1781245506",
  "linkid": "pypi, npm-inc-",
  "type": "Cyber Attack",
  "date": "6/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Blockchain/Software Development",
      "location": "Global",
      "name": "Solana Developers",
      "type": "Developers/Organizations"
    }
  ],
  "attack_vector": ["Typosquatting", "Social Engineering", "Malicious npm/PyPI Packages", "Postinstall Scripts"],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": [".env files", "SSH keys", "GitHub tokens"],
    "personally_identifiable_information": ["Solana wallet keys", "AWS credentials", "SSH keys"],
    "sensitivity_of_data": "High (financial and authentication data)",
    "type_of_data_compromised": ["Credentials", "Personally Identifiable Information (PII)", "Cloud Secrets", "Cryptocurrency Wallet Keys"]
  },
  "description": "A supply-chain attack dubbed 'Solana FakeFix' involved 20 trojanized packages (16 on npm and 4 on PyPI) that impersonated legitimate Solana tooling to harvest sensitive credentials such as Solana wallet keys, AWS credentials, SSH keys, .env files, and GitHub tokens. The attack used typosquatting, social engineering, and malicious postinstall scripts to exfiltrate data to Telegram C2 channels. Later variants included interactive backdoors and self-update mechanisms.",
  "impact": {
    "brand_reputation_impact": "Potential erosion of trust in Solana tooling and package registries",
    "data_compromised": ["Solana wallet keys", "AWS credentials", "SSH keys", ".env files", "GitHub tokens"],
    "identity_theft_risk": "High (exposure of PII and credentials)",
    "operational_impact": "Compromised development environments and CI runners",
    "payment_information_risk": "High (Solana wallet keys compromised)",
    "systems_affected": ["Developer workstations", "CI/CD pipelines"]
  },
  "initial_access_broker": {
    "backdoors_established": ["Telegram C2 channels", "Interactive backdoor commands"],
    "entry_point": ["Malicious npm/PyPI packages", "GitHub issue spam"],
    "high_value_targets": ["Solana developers", "CI/CD pipelines"]
  },
  "lessons_learned": "The incident highlights the risks of unverified dependencies in development pipelines and the growing sophistication of supply-chain attacks targeting developers through trusted package registries.",
  "motivation": ["Credential Theft", "Financial Gain", "Data Exfiltration"],
  "post_incident_analysis": {
    "corrective_actions": ["Stricter registry hygiene", "Credential rotation", "Rebuilding compromised systems"],
    "root_causes": ["Typosquatting", "Social engineering", "Lack of package verification", "Malicious postinstall scripts"]
  },
  "recommendations": [
    "Remove affected packages from workstations, CI systems, and caches.",
    "Rotate exposed Solana wallets, SSH keys, and cloud credentials.",
    "Rebuild compromised CI runners from trusted images.",
    "Enforce stricter registry hygiene, including scrutiny of install-time scripts and near-miss package names."
  ],
  "references": [{"source": "JFrog Security Research"}],
  "response": {
    "containment_measures": ["Removal of affected packages from workstations and CI systems", "Rotation of exposed credentials"],
    "remediation_measures": ["Rebuilding compromised CI runners from trusted images", "Enforcing stricter registry hygiene"],
    "third_party_assistance": "JFrog Security Research"
  },
  "threat_actor": "PassWord1337 (GitHub account), thermonuclear (linked campaign)",
  "title": "Solana FakeFix Campaign: Supply-Chain Attack Targets Developers via Malicious npm and PyPI Packages",
  "type": "Supply-Chain Attack",
  "vulnerability_exploited": "Unverified dependencies in development pipelines"
}