Security Alert: Malicious GitHub Project 'solana-pumpfun-bot' Found Stealing Crypto Wallets
Published at: 4 July 2025, 09:22
Cybersecurity firm SlowMist has uncovered a fraudulent scheme embedded in the open-source project 'solana-pumpfun-bot' on GitHub, which has been actively draining cryptocurrency wallets. The malicious activity was reported on July 2, 2025, after an affected user contacted SlowMist, revealing that their digital assets were stolen shortly after using the 'zldp2002/solana-pumpfun-bot' repository.
Technical analysis revealed that the Node.js-based project depended on a suspicious third-party package named 'crypto-layout-utils', which has since been removed from NPM. The package-lock.json file was manipulated so that installing the project pulled in this malware, which scanned users' devices for wallet files and private keys and exfiltrated the data to the attacker-controlled domain 'githubshadow.xyz'.
Investigators identified the GitHub account 'zldp2002' as operating multiple fake profiles to distribute forked versions of the project, some of which substituted alternative malicious packages such as 'bs58-encrypt-utils-1.0.3'. SlowMist's MistTrack tool traced part of the stolen funds to the FixedFloat exchange platform, and the attack campaign dates back to at least June 12, 2025.
SlowMist warns GitHub users to exercise extreme caution with repositories handling crypto operations, recommending isolated testing environments for suspicious projects. The firm emphasizes avoiding execution of untrusted code on devices storing sensitive financial information.