Solana FakeFix Campaign: 25 Malicious npm/PyPI Packages Targeting Web3 Developers via GitHub Issue Spam and Trojanized SDK Forks

JFrog Security Research identified 25 malicious npm and PyPI packages in the 'FakeFix' campaign, split into a 20-package cluster impersonating legitimate Solana tooling (e.g., @solana-labs/web3.js, solana-rpc-client) and a 5-package CMS cluster that drops Windows loaders via PowerShell at install time. A threat actor using the GitHub handle 'PassWord1337' spammed open-source project issue trackers to social-engineer developers into replacing legitimate packages with the malicious drop-ins; later-stage packages shipped fully functional Solana bundles with stealer code injected after legitimate exports to evade detection. Defenders should audit npm/PyPI dependencies for these package names, review postinstall hooks, and hunt for Telegram API exfiltration traffic and Deno execution from dev workstations.

Defenders should audit npm/PyPI dependencies for these package names, review postinstall hooks, and hunt for Telegram API exfiltration traffic and Deno execution from dev workstations.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.