Solana FakeFix: JFrog flags 25 npm + PyPI packages stealing Solana keypairs and dev secrets to Telegram
JFrog Security Research disclosed Solana FakeFix, a 25-package npm/PyPI campaign with two clusters: ~20 Solana typosquats / "stable-build" forks (solana-web3-stable, solana-rpc-client, …) promoted via GitHub issue spam by the PassWord1337 account, and a 5-package CMS-themed Windows loader cluster (cms-storehub, cms-helpgit, cms-github, to-cms, shopifyto-cms). All variants exfiltrate Solana keypairs, SSH keys, cloud creds, and .env secrets to a Telegram bot.
- Detected by
- JFrog
- Also known as
- Solana FakeFix · FakeFix campaign · PassWord1337 Solana spam
- Ecosystems
- npm
- Packages tracked
- 7
What happened
On 2026-06-12 JFrog Security Research published Solana FakeFix, a 25-package supply-chain operation spanning npm and PyPI that fused two distinct attack patterns under one operator. The campaign was identified through correlated indicators (shared Telegram bot tokens, near-identical postinstall and __init__.py stagers, and a single GitHub social-engineering handle) across releases that initially looked like separate, unrelated typosquat blips.
Cluster 1 — Solana FakeFix (20 packages)
The larger cluster — 16 npm packages and 4 PyPI packages — impersonated legitimate Solana tooling. Names like solana-web3-stable@1.0.0, solana-rpc-client@1.0.0, and the unpublished @solana-labs/web3.js / @solana-labs/spl-toke variants positioned themselves as "stable" forks of @solana/web3.js and @solana/spl-token. The threat actor under the GitHub handle PassWord1337 filed issues on real open-source projects falsely claiming the malicious package was a drop-in fix for common build errors — encouraging victims to run npm uninstall @solana/web3.js && npm install solana-web3-stable themselves.
Early variants relied on a simple postinstall hook firing during npm install; later releases shipped a fully functional Solana bundle with the stealer code injected after the legitimate exports — detection rates drop sharply when the package "just works". On PyPI the malicious code lived in __init__.py, executing on any import. Payload behaviour was consistent across both ecosystems: enumerate Solana keypair files, SSH private keys, AWS credential files, .env files, and any env-var matching KEY|SECRET|MNEMONIC|TOKEN|AWS|GITHUB|CI; POST everything in real time to an attacker-controlled Telegram bot via hard-coded tokens and chat IDs.
solana-web3-stable@1.0.0 was published 2026-06-07 22:57 UTC and unpublished by npm 2026-06-08 16:39 UTC; solana-rpc-client@1.0.0 followed at 2026-06-07 23:01 UTC and was unpublished 2026-06-08 16:39 UTC. The exact full wheel-set list for the remaining ~16 Solana-cluster artefacts is being enumerated through PyPI / npm security; this entry tracks the names whose status we have independently confirmed against the registry.
Cluster 2 — CMS Windows loader (5 packages)
The smaller cluster used CMS / e-commerce-integration package names — cms-storehub, cms-helpgit, cms-github, to-cms, and shopifyto-cms — to deliver a Windows-targeted loader. The npm install-time script is a PowerShell stub that installs the Deno runtime under %LOCALAPPDATA% and uses it to fetch and execute remote JavaScript from attacker infrastructure. Deno bypasses standard node_modules script auditing and lives outside the Node ecosystem most defenders watch.
Version / publish timing in the CMS cluster (all replaced by npm 0.0.1-security holders on 2026-06-01 09:08 UTC):
cms-storehub— versions1.2.7through1.3.6, published 2026-05-30cms-helpgit— versions4.2.2,4.2.4–4.2.9, published 2026-05-29cms-github— version4.2.4, published 2026-05-29to-cms— versions1.0.0,1.0.1, published 2026-05-15shopifyto-cms— version3.0.2, published 2026-05-17
to-cms and shopifyto-cms are simpler download-and-execute droppers — they shell out to fetch and run a payload immediately, no Deno runtime staging. The CMS cluster combined averaged ~80,000 weekly downloads before takedown.
Common thread
JFrog tied the two clusters together via three shared indicators: identical Telegram bot endpoints across both stagers, the same data-collection sweep (Solana keypairs + SSH + AWS + .env + KEY|SECRET|MNEMONIC env scans), and overlapping infrastructure for the remote JS payloads. The social-engineering layer (PassWord1337 GitHub issue spam) is unique to the Solana cluster; the CMS cluster relied purely on opportunistic install through plausible-looking integration package names.
This campaign is distinct from the March 2026 galedonovan Solana / Ethereum typosquats (which intercepted private keys passed through legitimate API calls and also exfiltrated to Telegram) and from the parallel Mini Shai-Hulud / Hades worm waves — FakeFix is wallet-/credential-theft-only, with no self-propagation and no worm component.
Affected packages (7)
- npm
cms-github4.2.4 - npm
cms-helpgit4.2.24.2.44.2.54.2.64.2.74.2.84.2.9 - npm
cms-storehub1.2.71.2.81.2.91.3.01.3.11.3.21.3.31.3.41.3.51.3.6 - npm
shopifyto-cms3.0.2 - npm
solana-rpc-client1.0.0 - npm
solana-web3-stable1.0.0 - npm
to-cms1.0.01.0.1
Impact
postinstallnpm lifecycle hook fires the JS payload the momentnpm installruns — noimportor runtime invocation required, and the Solana-cluster later versions ship a fully functional Solana bundle so consumers see no behavioural breakage- PyPI variants stash the payload inside
__init__.py, so the stealer runs the moment any script, notebook, or test imports the package - Payload sweeps the filesystem for Solana keypair files (
id.json, Phantom / Solflare wallet exports), SSH private keys, AWS credential files,.envfiles, and any process-env vars whose names containKEY,SECRET,MNEMONIC,TOKEN,AWS,GITHUB, orCI - Exfiltration is real-time over Telegram: hard-coded bot tokens + chat IDs POST stolen artefacts directly; later builds add a polling backdoor for interactive commands and a self-update channel
- CMS-cluster packages (
cms-storehub,cms-helpgit,cms-github) use a Windows-specific PowerShell preinstall that installs the Deno runtime, then pulls remote JavaScript from attacker infrastructure — workstations only, but persistence survives reboot to-cmsandshopifyto-cmswere straight download-and-execute droppers staged through legitimate-looking Shopify/CMS-integration package names- Social-engineering vector:
PassWord1337filed GitHub issues on real OSS projects ("error fixed by runningnpm install solana-web3-stable") — developers chasing a build break were the primary recruitment funnel - Estimated combined exposure: ~80,000 weekly downloads across the CMS cluster before npm replaced them with security-holders on 2026-06-01
What to do
- 1Grep lockfiles,
node_modules, and pip caches for the affected names —solana-web3-stable,solana-rpc-client,cms-storehub,cms-helpgit,cms-github,to-cms,shopifyto-cms— and uninstall any that resolve - 2On any developer workstation or CI runner that installed a Solana-cluster package: assume Solana keypairs, SSH keys, AWS/GCP/Azure credentials, GitHub PATs, npm publish tokens, and
.env-resident secrets are compromised; rotate from a known-clean host and sweep wallets for drains - 3On any Windows workstation that installed the CMS-cluster (
cms-storehub,cms-helpgit,cms-github): hunt for an unexpected Deno install under%LOCALAPPDATA%\Programs\deno, audit scheduled tasks / Run-keys for persistence, and consider re-imaging — the loader stages an arbitrary remote payload - 4Block outbound to
api.telegram.orgfrom CI runners and developer workstations that have no legitimate Telegram integration (the campaign's exclusive C2 channel) - 5Reject any GitHub issue or comment that suggests replacing a legitimate package with a
-stable/-fix/-rpc-clientvariant; thePassWord1337social-engineering pattern is the campaign's recruitment funnel - 6Audit Solana wallets used on suspected hosts for unauthorised transfers in the 2026-06-07 → 2026-06-08 window
References
- JFrogSolana FakeFix: JFrog research post (canonical)research.jfrog.com
- GBHackersSolana FakeFix Campaign Plants Malicious npm, PyPI Packages to Steal Dev Secretsgbhackers.com
- SecurityAffairsMalicious npm and PyPI target Solana private keyssecurityaffairs.com
- Cyber Security NewsSolana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secretscybersecuritynews.com
- Cyber PressSolana FakeFix Campaign Uses 25 Malicious npm and PyPI Packages to Steal Developer Secretscyberpress.org
- npmsolana-web3-stable on npm (1.0.0 published 2026-06-07, unpublished 2026-06-08)npmjs.com
- npmsolana-rpc-client on npm (1.0.0 published 2026-06-07, unpublished 2026-06-08)npmjs.com
- npmcms-storehub on npm (1.2.7–1.3.6 replaced with security holder 2026-06-01)npmjs.com
- npmcms-helpgit on npm (4.2.x replaced with security holder 2026-06-01)npmjs.com
- npmcms-github on npm (4.2.4 replaced with security holder 2026-06-01)npmjs.com
- npmto-cms on npm (1.0.0/1.0.1 replaced with security holder 2026-06-01)npmjs.com
- npmshopifyto-cms on npm (3.0.2 replaced with security holder 2026-06-01)npmjs.com