A recent investigation by SlowMist uncovered a fraudulent scheme built around the open-source project solana-pumpfun-bot on GitHub, which was used to steal users' cryptocurrency.
Incident Overview
SlowMist reported that the open-source project 'solana-pumpfun-bot' published on GitHub contained a fraudulent scheme targeting user wallets. The incident was discovered after a victim contacted the SlowMist team on July 2, 2025.
Malware Analysis
The project was found to be based on Node.js and depended on a third-party package called 'crypto-layout-utils', which was not listed in the official NPM registry and has since been removed. The package contained heavily obfuscated code that scanned the host for wallet files and private keys and sent that data to an attacker-controlled server at 'githubshadow.xyz'.
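The weak point described above is a dependency that never went through the official registry. The following Node.js script is an added example (not code from the SlowMist report or the bot project) that audits a package.json and lockfile for dependencies pulled from non-registry URLs and for packages that run install scripts; the manifests, versions and URLs in it are constructed, and only the package name 'crypto-layout-utils' comes from the report.

```javascript
// Added example: flag dependencies that bypass the official npm registry.
// The sample manifests below are constructed for illustration.
const OFFICIAL_REGISTRY = 'https://registry.npmjs.org/';

// Specs such as "git+https://...", "https://...tgz", "github:user/repo",
// "user/repo" or "file:../dir" are fetched outside the registry, so they
// escape the registry's audit and takedown visibility.
function isRegistrySpec(spec) {
  return !/^(git\+|https?:|github:|file:|[\w-]+\/[\w.-]+$)/.test(spec);
}

function auditDependencies(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (!isRegistrySpec(spec)) {
      findings.push({ name, issue: 'non-registry-spec', detail: spec });
    }
  }
  // Lockfile v2/v3 "packages" records where each package was actually fetched from.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.replace(/^.*node_modules\//, '');
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ name, issue: 'non-registry-resolved', detail: resolved || '(none)' });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, issue: 'install-script', detail: 'runs code at npm install' });
    }
  }
  return findings;
}

// Constructed sample: one registry dependency and one tarball pulled from elsewhere.
const samplePkg = {
  dependencies: {
    '@solana/web3.js': '^1.0.0',
    'crypto-layout-utils': 'https://example.invalid/crypto-layout-utils-1.3.1.tgz',
  },
};
const sampleLock = {
  packages: {
    '': { name: 'demo-bot' },
    'node_modules/@solana/web3.js': { version: '1.0.0', resolved: OFFICIAL_REGISTRY + '@solana/web3.js/-/web3.js-1.0.0.tgz' },
    'node_modules/crypto-layout-utils': { version: '1.3.1', resolved: 'https://example.invalid/crypto-layout-utils-1.3.1.tgz', hasInstallScript: true },
  },
};

for (const f of auditDependencies(samplePkg, sampleLock)) {
  console.log(`${f.issue}: ${f.name} -> ${f.detail}`);
}
```

Running this against a real checkout before `npm install` surfaces exactly the kind of dependency that should be reviewed on an isolated machine first.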
User Recommendations
Following the incident, SlowMist experts urged users to exercise extreme caution with software downloaded from open-source platforms like GitHub. It is crucial to run such projects on isolated machines that do not contain sensitive data.
The incident with the solana-pumpfun-bot project highlights the necessity of being cautious with open-source software and the importance of protecting users' personal information.