Cybersecurity firm SlowMist has issued a warning about a new type of crypto scam masquerading as a legitimate trading bot for Solana.
Innocent Bot With a Dangerous Twist
A user downloaded an open-source bot from GitHub, ran it, and soon afterwards their wallet was emptied. The project, called 'solana-pumpfun-bot,' looked normal, boasting stars, forks, and even recent commits. However, it was a Node.js app with a hidden dependency: a package pulled from a custom GitHub URL rather than from the npm registry, so the malicious code was installed without ever passing through NPM's security checks.
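A dependency declared with a git URL, a GitHub `owner/repo` shorthand, a tarball URL or a local path is fetched straight from that location, so a registry-side review never sees it. The script below is an added example (not SlowMist's code and not taken from the repository in the story) that scans a `package.json` for such non-registry specifiers so they can be reviewed before `npm install`. The manifest it scans, including every package name and URL in it, is constructed for this example.

```javascript
// Constructed sample manifest: a mix of ordinary registry versions and
// specifiers that npm resolves outside the registry.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-trading-bot",
  version: "1.0.0",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "express": "~4.19.0",
    "legacy-lib": "npm:some-other-name@2.0.0",
    "helper-lib": "git+https://github.com/example-user/helper-lib.git#main",
    "shorthand-lib": "example-user/shorthand-lib",
    "tarball-lib": "https://example.invalid/tarball-lib-1.0.0.tgz",
  },
  devDependencies: {
    "jest": "29.7.0",
    "local-tool": "file:../local-tool",
  },
});

// Manifest fields whose entries npm installs.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Specifier prefixes npm treats as a remote or local source rather than a registry version:
// git URLs, hosted-git shorthands, HTTP(S) tarballs, ssh, file:/link: and relative paths.
const NON_REGISTRY_PREFIX = /^(git\+|git:|github:|gitlab:|bitbucket:|gist:|https?:|ssh:|file:|link:|\.{0,2}\/)/i;

// Bare GitHub shorthand "owner/repo" with an optional "#ref" (scoped names start with "@", so they do not match).
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

function classifySpecifier(spec) {
  if (typeof spec !== "string") return "unknown";
  if (spec.startsWith("npm:")) return "registry"; // alias, still resolved through the registry
  if (NON_REGISTRY_PREFIX.test(spec)) return "non-registry";
  if (GITHUB_SHORTHAND.test(spec)) return "non-registry";
  return "registry"; // semver range, exact version or dist-tag
}

// Returns every dependency that would be fetched from somewhere other than the npm registry.
function findNonRegistryDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (classifySpecifier(spec) === "non-registry") {
        findings.push({ field, name, spec });
      }
    }
  }
  return findings;
}

// Usage: list what needs a manual look before installing the constructed manifest.
const REPORT = findNonRegistryDependencies(SAMPLE_PACKAGE_JSON);
for (const f of REPORT) {
  console.log(`${f.field}: ${f.name} -> ${f.spec}`);
}
```

Every entry the script reports is code that nobody but the repository owner controls at install time, so each one should be opened and read before the project is run; a legitimate project rarely needs more than zero of them.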
Faked Popularity on GitHub
To appear safe, the attacker used fake GitHub accounts to star and fork the project, giving it the semblance of wide usage. However, according to SlowMist, the entire codebase was uploaded just three weeks ago, indicating something was amiss. In a tweet, SlowMist stated, 'The perpetrator disguised a malicious program as a legit open-source project... users unknowingly ran a Node.js project with embedded malicious dependencies, exposing their private keys and losing assets.'
Important Warning for Devs and Traders
SlowMist advises users to never trust GitHub projects blindly, particularly those that require wallet access or deal with private keys. If you need to test such tools, it is advisable to do so in a sandboxed environment, avoiding real assets. The team warned, 'If you must test them, do so in a sandboxed, isolated environment with no sensitive data.'
As more traders and developers rely on open-source tools in crypto, such attacks are becoming harder to spot. The takeaway is simple: if a GitHub project deals with your wallet, treat it like it’s high-risk!