
Malicious Solana Trading Bot Steals Crypto on GitHub


Coin World, Friday, Jul 4, 2025, 10:20 am ET


A GitHub repository posing as a legitimate Solana trading bot has been exposed for reportedly hiding crypto-stealing malware. The now-deleted solana-pumpfun-bot repository hosted by account “zldp2002” mimicked a real open-source tool to harvest user credentials. The investigation was launched after a user found that their funds had been stolen on Thursday.

The malicious GitHub repository in question featured “a relatively high number of stars and forks.” All code commits across all its directories were made about three weeks ago, with apparent irregularities and none of the consistent pattern that would indicate a legitimate project. The project is Node.js-based and pulls in the third-party package crypto-layout-utils as a dependency. Upon further inspection, it was found that this package had already been removed from the official NPM registry.

The suspicious NPM package could no longer be downloaded from the official node package manager (NPM) registry; instead, investigators found that the project fetched the library from a separate GitHub repository controlled by the attacker. After analyzing the package, researchers found it to be heavily obfuscated using jsjiami.com.v7, making analysis harder. After de-obfuscation, investigators confirmed that it was a malicious package that scans local files and, if it detects wallet-related content or private keys, uploads them to a remote server.

Further investigation revealed that the attacker likely controlled a batch of GitHub accounts. These accounts were used to fork projects into malicious variations, distributing malware while artificially inflating fork and star counts. Multiple forked repositories exhibited similar features, with some versions incorporating another malicious package, bs58-encrypt-utils-1.0.3. This package was created on June 12, which is when researchers believed the attacker began distributing malicious NPM modules and Node.js projects.
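The common thread in both packages is a dependency that does not come from the npm registry at all. As an added defensive check that is not part of the original report, the following Python script flags entries in a Node.js project's package.json and package-lock.json that resolve to git repositories, tarball URLs or local paths instead of the registry. The sample manifest and lockfile are constructed to mirror the article; the GitHub owner and URLs are placeholders, not the real attacker's.

```python
"""Flag Node.js dependencies fetched from outside the npm registry (added example)."""
import re

# Spec prefixes npm resolves to git repos, tarball URLs or local paths rather than the registry.
NON_REGISTRY_PREFIXES = ("git+", "git:", "github:", "gitlab:", "bitbucket:", "gist:", "http:", "https:", "file:", "link:")
SEMVER_RANGE = re.compile(r"^[~^<>=\s|v]*\d[\w.+<>=~^\s|*-]*$")  # "^1.2.3", ">=1 <2", "1.x"
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(?:#.+)?$")      # "owner/repo[#ref]"

def classify_spec(spec: str) -> str:
    """Classify a package.json version spec by where `npm install` would fetch it."""
    s = spec.strip()
    if s.startswith(NON_REGISTRY_PREFIXES):
        return "url"
    if s.startswith("npm:"):            # alias: installs a differently named package; review by hand
        return "alias"
    if GITHUB_SHORTHAND.match(s):
        return "github-shorthand"
    if s in ("", "*", "latest") or SEMVER_RANGE.match(s):
        return "registry"
    return "unknown"

def audit_manifest(manifest: dict) -> list:
    """Return (name, spec, kind) for every declared dependency not served by the registry."""
    flagged = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(spec)
            if kind != "registry":
                flagged.append((name, spec, kind))
    return flagged

def audit_lockfile(lock: dict, registry: str = "https://registry.npmjs.org/") -> list:
    """Return (path, resolved) for lockfile v2/v3 entries whose tarball did not come from the registry."""
    flagged = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):   # "" is the root project; link entries have no tarball
            continue
        resolved = meta.get("resolved", "")
        if not resolved.startswith(registry):
            flagged.append((path, resolved or "<no resolved url>"))
    return flagged

# Constructed samples modelled on the article; the GitHub owner and URLs are placeholders.
SAMPLE_PACKAGE_JSON = {"name": "example-trading-bot", "dependencies": {
    "@solana/web3.js": "^1.0.0",
    "crypto-layout-utils": "github:PLACEHOLDER-OWNER/crypto-layout-utils",
    "bs58-encrypt-utils": "https://example.invalid/bs58-encrypt-utils-1.0.3.tgz"}}
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-trading-bot"},
    "node_modules/@solana/web3.js": {"resolved": "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.0.0.tgz"},
    "node_modules/crypto-layout-utils": {"resolved": "git+ssh://git@github.com/PLACEHOLDER-OWNER/crypto-layout-utils.git#0000000"}}}
```

Run `audit_manifest` and `audit_lockfile` over a project's real `package.json` and `package-lock.json` (loaded with `json.load`) before installing; anything flagged deserves a look at who owns that repository and when it was created.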

The incident is the latest in a string of software supply chain attacks targeting crypto users. In recent weeks, similar schemes have targeted users with fake wallet extensions and used GitHub repositories to host credential-stealing code. The scam highlights the growing threat of supply chain attacks in the cryptocurrency space. Supply chain attacks occur when malicious actors infiltrate a legitimate software supply chain to distribute malware. In this case, the attackers used GitHub, a popular platform for open-source projects, to distribute their malware. This allowed them to reach a large number of potential victims, as many users trust GitHub as a reliable source for open-source software.

The cybersecurity firm that uncovered the scam has warned users to be cautious when downloading open-source projects from GitHub. They advise users to verify the authenticity of the project and its developers before downloading any code. Additionally, users should be wary of any project that promises unrealistic returns or seems too good to be true. The firm also recommends using reputable antivirus software and keeping it up-to-date to protect against malware.

The scam serves as a reminder of the importance of cybersecurity in the cryptocurrency space. As the use of cryptocurrency continues to grow, so does the risk of cyber attacks. Users must take steps to protect their assets and be vigilant against potential threats. The cryptocurrency community must also work together to share information and best practices to prevent future attacks. By doing so, they can help to create a safer and more secure environment for all users.
