A campaign of 20 malicious npm and PyPI packages that target Solana developers. The packages used fake stable-build fixes, typosquatting, fake Solana SDK branding, working-looking library code, and lifecycle execution to steal wallet keys, cloud credentials, source-control tokens, SSH keys, and environment secrets.
AGS-2026-0005
Malicious npm and PyPI Package Campaign Targeting Solana Developers
Affected
- namePattern: @solana-labs/web3.js
- namePattern: @solana-labs/web3js
- namePattern: @solana-labs/web3-js
- namePattern: @solana-labs/spl-toke
- namePattern: @solana-labs/ancor
- namePattern: @solana-labs/etherjs
- namePattern: solana-web3-stable; versionRange: /patched /fixed
- namePattern: solana-web3-community; versionRange: /fork /lts /v1
- namePattern: solana-rpc-client
- namePattern: solana-js-client
- namePattern: solana-mev-bot
- namePattern: cms-storehub
- namePattern: cms-helpgit
- namePattern: cms-github
- namePattern: to-cms
- namePattern: shopifyto-cms
- namePattern: http://104.239.66.223:8899
- namePattern: http://77.90.185.225/v026a4a141fd9e7d2dd.js
Self-check
AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.
Inspect paths
- ~/.nvm/**/node_modules/
- ~/.openclaw/**/node_modules/
- ~/.npm/_npx/
- ./Library/Caches/
- C:\Users\*\AppData\Local\Temp\*
- %LOCALAPPDATA%\npm-cache\_npx\
Remediation: uninstall
Self-Check Procedures
1. Comprehensive Dependency Audit
Run the following commands in the root directory of all frontend and Python projects to detect any hidden malicious packages:
# Check if the npm project contains malicious packages with the @solana-labs namespace or solana-web3- variations
npm ls --depth=Infinity | grep -E "solana-labs|solana-web3-|solana-rpc|solana-js|solana-mev|cms-|to-cms"
# Check if the Python environment has any compromised packages installed
pip list | grep -E "solana-web3|solana-cli|spl-token"
2. Persistence Backdoor & Registry Audit
Certain CMS-themed malicious packages write backdoors into the Windows Registry startup entries. Run the following check in PowerShell (Get-ItemProperty is a PowerShell cmdlet and does not run in cmd.exe):
# Check if the current user's Registry Run keys contain unauthorized Deno or headless conhost execution commands
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
3. Network Connection Audit
Check the local system for any active, anomalous connections established with the attacker's Command and Control (C2) servers:
# Check if any process is listening on or connecting to port 10092
# (on Windows, where grep is not available, pipe to findstr 10092 instead)
netstat -ano | grep 10092
Remediation & Recovery Guide
If the self-check flags any of the poisoned packages or malicious paths, simply deleting the package is insufficient (as the backdoor payload may have already executed). You must immediately initiate the following closed-loop containment and recovery procedures:
1. Network Isolation & Uninstallation
Immediately halt operations on the affected local machine or CI/CD pipeline. Forcefully uninstall the malicious packages and clean up your lockfiles:
npm uninstall <name_of_matched_malicious_package>
pip uninstall <name_of_matched_malicious_package>
2. Asset Relocation (Critical)
Because this malware specifically targets and immediately exfiltrates id.json and wallet.json files upon execution, you must assume your Solana wallet private keys have been compromised! Immediately generate a brand-new wallet address on a completely separate, clean, and secure machine, and transfer all remaining assets (SOL and any SPL tokens) out of the old wallet.
3. Comprehensive Credential Rotation
Immediately revoke and replace all credentials stored on the compromised machine or exposed in its environment variables, including:
- SSH Keys: Regenerate your id_rsa and remove the old public key from any server's authorized_keys.
- Cloud Provider Credentials: Rotate AWS, Alibaba Cloud, or other cloud infrastructure Access Keys and Secret Keys.
- Source Control & Registry Tokens: Revoke and reissue GitHub Tokens, npm Tokens, and deployment secrets.
- Environment Secrets: Change any database passwords or third-party API Keys defined in your .env files.
4. Environment Re-imaging
Since the malicious packages ensure persistence via Windows Scheduled Tasks, Registry Run keys, Linux/macOS crontab @reboot entries, or LaunchAgents, attempting manual cleanup is highly discouraged. It is strongly recommended to completely re-image the operating system, or destroy and rebuild the affected CI/CD containers/virtual machines from a trusted baseline image.