Beware: Malicious Solana Trading Bot on GitHub Steals Crypto from Users

Fake Solana Trading Bot on GitHub Steals Crypto Wallets Through Malware

July 4, 2025 — A malicious GitHub repository impersonating a legitimate Solana trading bot was discovered to contain crypto-stealing malware, resulting in the theft of users’ cryptocurrency funds, according to blockchain security firm SlowMist.

Disguised as a Trading Tool, Actually Malware

The fraudulent repository, named solana-pumpfun-bot and hosted by GitHub user “zldp2002,” appeared to be an open-source Node.js project designed for Solana ecosystem trading automation. However, SlowMist’s investigation revealed it to be a scam. The repo had amassed a relatively high number of stars and forks, indicators that likely increased its perceived legitimacy within the community.

SlowMist began investigating after a user reported stolen funds on Thursday, raising alarms about the repository’s true purpose. The bot’s code commits were all made within a short timespan roughly three weeks prior to the discovery and exhibited suspicious irregularities in design and structure, inconsistent with a genuine project.

Obfuscated Malicious Packages Steal Wallet Data

Central to the scam was a third-party dependency named crypto-layout-utils, which had already been removed from the official Node Package Manager (NPM) registry before the investigation. This raised concerns about how the victim had obtained the package. Further digging revealed that the attacker hosted this malicious package separately on GitHub to facilitate downloads.

SlowMist’s researchers de-obfuscated the code, which had been heavily cloaked with the jsjiami.com.v7 obfuscation tool, complicating initial analysis. Once de-obfuscated, the code was confirmed to scan local files stealthily for wallet-related content—such as private keys and credentials—and upload the harvested information to a remote server controlled by the attacker. Such stolen data enables cybercriminals to drain victims’ crypto wallets.

Multiple Repositories and Accounts Involved

Further analysis indicated that the cybercriminal controlled multiple GitHub accounts designed to fork well-known projects and inject malicious variations. This tactic also boosted fork and star counts artificially to increase visibility and trustworthiness.

Besides crypto-layout-utils, some forked projects included another malicious NPM package bs58-encrypt-utils-1.0.3, created on June 12, marking the probable start of this malicious campaign. These findings suggest a coordinated supply chain attack distributing compromised Node.js projects throughout the Solana development ecosystem.

A Growing Trend of Crypto Supply Chain Attacks

This incident is the latest in a series of software supply chain compromises targeting cryptocurrency users. Recent attacks have included fake wallet extensions targeting Firefox users and manipulations of GitHub repositories to deliver credential-stealing malware. These campaigns exploit users’ trust in open-source platforms and third-party dependencies, highlighting ongoing vulnerabilities within the crypto ecosystem’s software infrastructure.


What Users Should Do

  • Verify the authenticity of any trading bots or packages before installation, especially from GitHub.
  • Avoid downloading dependencies removed from official registries like NPM.
  • Use offline or hardware wallets for better security against malware-based credential theft.
  • Keep security software updated and conduct regular checks on wallet activity.
  • Report suspicious repositories or packages promptly to security firms or platform maintainers.
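The article's key detail is that crypto-layout-utils was gone from the npm registry and was instead pulled from GitHub, so the check a developer can actually run before installing is: does any dependency resolve somewhere other than the registry? The following is an added example (not SlowMist's code and not the repository's) that flags such specifiers in a package.json and non-registry `resolved` URLs in a package-lock.json; the sample inputs are constructed, and the GitHub owner, commit and tarball host in them are placeholders rather than values from the article.

```javascript
// Added example, not code from the repository or from SlowMist: flags
// dependencies whose specifier bypasses the npm registry (a registry package
// can be pulled by npm security; one fetched straight from GitHub cannot).
// Specifier shapes npm resolves outside the registry, checked in order.
const NON_REGISTRY = [
  { re: /^https?:\/\/.+\.(tgz|tar\.gz)$/i, reason: "remote tarball" },
  { re: /^github:/i, reason: "github: shorthand" },
  { re: /^(gitlab|bitbucket|gist):/i, reason: "hosted-git shorthand" },
  { re: /^file:/i, reason: "local path" },
  { re: /^(git\+)?(ssh|https?|git):\/\//i, reason: "git or direct URL" },
  { re: /^[\w.-]+\/[\w.-]+(#.*)?$/, reason: "owner/repo shorthand (GitHub)" },
];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// package.json: every dependency whose specifier is non-registry.
function findNonRegistryDeps(pkg) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const m = NON_REGISTRY.find(({ re }) => re.test(String(spec)));
      if (m) hits.push({ field, name, spec, reason: m.reason });
    }
  }
  return hits;
}

// package-lock.json (lockfileVersion 2/3): "resolved" records where npm
// actually fetched each package; anything off the registry host is flagged.
function findNonRegistryLockEntries(lock, registry = "https://registry.npmjs.org/") {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => p !== "" && e.resolved && !e.resolved.startsWith(registry))
    .map(([p, e]) => ({ path: p, resolved: e.resolved }));
}

// Constructed inputs modelled on the article: "crypto-layout-utils" is absent
// from the registry and fetched from GitHub instead. Owner, commit and the
// .tgz host are placeholders, not the real values.
const SAMPLE_PKG = {
  name: "solana-pumpfun-bot",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "crypto-layout-utils": "github:PLACEHOLDER-OWNER/crypto-layout-utils",
    "bs58-encrypt-utils": "https://example.invalid/bs58-encrypt-utils-1.0.3.tgz",
  },
};
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "solana-pumpfun-bot" },
  "node_modules/@solana/web3.js": { resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz" },
  "node_modules/crypto-layout-utils": { resolved: "git+ssh://git@github.com/PLACEHOLDER-OWNER/crypto-layout-utils.git#PLACEHOLDER" },
} };
console.log(findNonRegistryDeps(SAMPLE_PKG), findNonRegistryLockEntries(SAMPLE_LOCK));
```

Run it against a project's own package.json and package-lock.json before `npm install`; any hit deserves a look at who controls the repository it points to and why the package is not on the registry.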

SlowMist’s investigation underscores the importance of vigilance within crypto communities as attackers refine tactics that prey on developer trust and open-source ecosystems. Users and developers alike are urged to exercise caution and perform due diligence when interacting with trading tools and third-party packages.

For further updates on security in blockchain projects and crypto ecosystems, stay tuned.


Reported by Adrian Zmudzinski for Cointelegraph
© Cointelegraph 2013 – 2025. Independent journalism covering crypto, blockchain, fintech.