Solana FakeFix: 25 Malicious npm and PyPI Packages Pose as Stable Builds

SOC Prime Team

Solana FakeFix: 25 Malicious npm and PyPI Packages Pose as Stable Builds

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

A malicious package campaign is targeting Solana developers through typosquatted npm and PyPI libraries promoted as stable-build fixes. The malware abuses package lifecycle execution and import-time hooks to steal wallet secrets, cloud credentials, and SSH keys from infected environments. Some samples also expand beyond theft by acting as full backdoors through Telegram-based command-and-control or by deploying Windows-focused loaders built around Deno.

Investigation

JFrog Security researchers uncovered two separate but related operations. The first, tracked as Solana FakeFix, used counterfeit SDK-style packages to collect sensitive secrets from developers and build systems. The second used CMS-themed npm packages to load Windows executables. Their analysis showed that the malicious code was often appended to otherwise functional-looking libraries, helping the packages appear legitimate while quietly retrieving second-stage payloads dynamically through Deno.

Mitigation

Organizations should remove all affected packages from developer workstations, CI/CD pipelines, and internal package caches. Any potentially exposed credentials should be rotated immediately, including Solana wallet keys, SSH keys, AWS credentials, and GitHub tokens. Security teams should also audit hosts for persistence methods such as Registry Run keys, scheduled tasks, and shell profile modifications.

Response

Defenders should uninstall the identified malicious packages and review dependency lock files for unauthorized or unexpected libraries. All exposed secrets should be rotated at once, and any cryptocurrency stored in potentially compromised wallets should be transferred to new trusted addresses. CI runners and developer systems should then be rebuilt from clean images to ensure no hidden backdoors or persistence mechanisms remain.

"graph TB %% Class Definitions Section classDef technique fill:#99ccff classDef persistence fill:#ff99cc classDef command_control fill:#cc99ff classDef exfiltration fill:#ffcc99 classDef credential_access fill:#ffff99 %% Initial Access and Execution Phase attack_supply_chain["Technique – T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools Description: Use of typosquatting and GitHub issue spam to lure developers into installing malicious npm and PyPI packages impersonating legitimate Solana SDKs. Targets: @solana-labs/web3.js and similar tools."] class attack_supply_chain technique attack_user_exec_copy["Technique – T1204.004 User Execution: Malicious Copy and Paste Description: Developers execute commands suggested by attackers via GitHub issues or package instructions."] class attack_user_exec_copy technique attack_user_exec_lib["Technique – T1204.005 User Execution: Malicious Library Description: Developers import malicious libraries into their projects."] class attack_user_exec_lib technique op_exec_trigger(("AND")) class op_exec_trigger technique attack_event_trigger["Technique – T1546.016 Event Triggered Execution: Installer Packages Description: Execution of attacker-controlled code via npm postinstall lifecycle scripts or PyPI __init__.py imports."] class attack_event_trigger technique attack_drive_by["Technique – T1189 Drive-by Compromise Description: Downloading secondary payloads such as Windows executables or Deno-based loaders."] class attack_drive_by technique %% Persistence Phase persist_active_setup["Technique – T1547.014 Boot or Logon Autostart Execution: Active Setup Description: Creation of Registry Run keys to launch malicious payloads."] class persist_active_setup persistence persist_windows_service["Technique – T1543.003 Create or Modify System Process: Windows Service Description: Establishing persistence by creating Windows Services."] class persist_windows_service persistence payload_deno["Malware – Deno-based CMS Campaign Description: Malicious JavaScript payload running in headless mode via conhost.exe."] class payload_deno technique %% Command and Control Phase c2_web_service["Technique – T1102.003 Web Service: One-Way Communication Description: Using Telegram bot tokens to receive commands and exfiltrate data."] class c2_web_service command_control c2_dynamic_res["Technique – T1568 Dynamic Resolution Description: Utilizing dynamic methods to communicate with C2 infrastructure."] class c2_dynamic_res command_control %% Credential Access and Exfiltration Phase cred_files["Technique – T1552.001 Unsecured Credentials: Credentials In Files Description: Scanning local filesystem for Solana wallet JSON files id.json, SSH keys id_rsa, AWS credentials, and .env files."] class cred_files credential_access exfil_c2["Technique – T1041 Exfiltration Over C2 Channel Description: Sending stolen sensitive data out via the Telegram API."] class exfil_c2 exfiltration %% Connections attack_supply_chain –>|leads_to| op_exec_trigger op_exec_trigger –>|requires| attack_user_exec_copy op_exec_trigger –>|requires| attack_user_exec_lib attack_user_exec_copy –>|triggers| attack_event_trigger attack_user_exec_lib –>|triggers| attack_event_trigger attack_event_trigger –>|downloads_via| attack_drive_by attack_drive_by –>|installs| payload_deno payload_deno –>|establishes| persist_active_setup payload_deno –>|establishes| persist_windows_service persist_active_setup –>|communicates_via| c2_web_service persist_windows_service –>|communicates_via| c2_web_service c2_web_service –>|uses| c2_dynamic_res payload_deno –>|performs_credential_access| cred_files cred_files –>|data_sent_via| exfil_c2 exfil_c2 –>|uses| c2_web_service "

Attack Flow

Attack Narrative & Commands: The attacker has gained initial access and intends to maintain a foothold. They decide to use a Deno-based payload. To hide the execution of the terminal, they use the --headless flag for conhost.exe. They execute a command that modifies the HKCUSoftwareMicrosoftWindowsCurrentVersionRun registry key, adding a value named DenoUpdater that executes conhost.exe --headless deno.exe [malicious_script]. This will ensure the payload runs silently in the background upon user login.

Regression Test Script:

# Simulation of Deno-based persistence via Registry Run Key
$RegistryPath = "HKCU:SoftwareMicrosoftWindowsCurrentVersionRun"
$Name = "DenoUpdater"
$Value = "C:WindowsSystem32conhost.exe --headless C:UsersPublicdeno.exe malicious_payload.js"

Write-Host "[*] Simulating persistence mechanism..."
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force
Write-Host "[+] Registry key created. Check SIEM for alert."

Cleanup Commands:

# Cleanup the simulated persistence
$RegistryPath = "HKCU:SoftwareMicrosoftWindowsCurrentVersionRun"
$Name = "DenoUpdater"

if (Get-ItemProperty -Path $RegistryPath -Name $Name -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $RegistryPath -Name $Name -Force
    Write-Host "[+] Cleanup complete. Registry key removed."
} else {
    Write-Host "[-] Cleanup failed: Registry key not found."
}

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free