A recent investigation has uncovered a fraudulent GitHub repository that posed as a Solana trading bot while delivering malware designed to steal cryptocurrency from anyone who ran it.
Malicious Repository Detection
According to a report published by blockchain security firm SlowMist, the now-deleted solana-pumpfun-bot repository, operated by the account 'zldp2002', masqueraded as a legitimate open-source tool in order to harvest users' wallet credentials. SlowMist began the investigation after a user reported that funds had been stolen.
Suspicious NPM Package
The malicious repository carried a high number of stars and forks, yet all of its commits were made roughly three weeks earlier, a pattern that does not fit an organically grown project and raised questions about its legitimacy. SlowMist also found that one of its third-party dependencies, the package crypto-layout-utils, had been removed from the official NPM registry. The package was heavily obfuscated; once de-obfuscated, researchers confirmed it was malicious: it scanned local files for wallet-related information and uploaded what it found to a remote server.
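As an added example (not code from SlowMist or from the repository discussed), the Node.js script below performs the dependency audit a practitioner would want after reading the above: it flags package.json specs that point anywhere other than the public npm registry (URLs, git refs, GitHub shorthand, local paths, bare tarballs) and lockfile entries whose resolved URL is not the registry tarball for that package name or which lack an integrity hash. The project name, dependency names, URLs and lockfile contents are constructed for illustration; express appears only as an example of an ordinary registry dependency. The optional online lookup needs network access and is not called when the file loads.

```javascript
// Added example: audit an npm project's package.json and lockfile for
// dependencies that bypass the public registry. Not SlowMist's code.
// All names, URLs and lockfile data below are constructed.

const REGISTRY = 'https://registry.npmjs.org/';

// True when a package.json version spec is a plain registry range or tag
// ("^1.2.3", "~2.0.0", "1.x", "*", "latest"); false for URLs, git refs,
// GitHub "user/repo" shorthand, local paths and tarballs. "npm:" aliases
// still come from the registry, so they are left to the lockfile check.
function isRegistrySpec(spec) {
  if (typeof spec !== 'string') return false;
  if (/^(https?|git(\+\w+)?|file|github|gist|bitbucket|gitlab):/.test(spec)) return false;
  if (/^(\.{1,2}\/|\/|~\/)/.test(spec)) return false;       // relative or absolute path
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return false;  // user/repo shorthand
  if (/\.(tgz|tar\.gz)$/.test(spec)) return false;          // bare tarball
  return true;
}

// Every dependency whose spec does not come from the registry.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isRegistrySpec(spec)) findings.push({ name, field, spec });
    }
  }
  return findings;
}

// Walk a lockfileVersion 2/3 "packages" map. A clean registry entry has
// resolved === https://registry.npmjs.org/<name>/-/<name>-<ver>.tgz plus an
// integrity hash; anything else is reported.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link || entry.inBundle) continue; // root, workspace link, bundled dep
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.resolved) {
      findings.push({ name, reason: 'no resolved URL', detail: String(entry.version) });
    } else if (!entry.resolved.startsWith(`${REGISTRY}${name}/-/`)) {
      findings.push({ name, reason: 'resolved outside the npm registry', detail: entry.resolved });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: 'missing integrity hash', detail: String(entry.version) });
    }
  }
  return findings;
}

// Online follow-up (needs network, Node 18+ global fetch; not called at load):
// a dependency the registry no longer knows is exactly the signal seen here.
async function existsOnRegistry(name) {
  const url = REGISTRY + encodeURIComponent(name).replace('%40', '@');
  const res = await fetch(url, { method: 'HEAD' });
  return res.status === 200;
}

// Constructed sample project: one registry dependency and two that are not.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-trading-bot',
  dependencies: {
    express: '^4.18.2',
    'layout-helper': 'https://github.com/example-org/layout-helper/releases/download/v1.0.0/layout-helper-1.0.0.tgz',
    'bs58-fork': 'github:example-org/bs58-fork#main',
  },
};

const SAMPLE_LOCKFILE = {
  name: 'example-trading-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-trading-bot', dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-constructed-placeholder', // a real lockfile carries the tarball digest
    },
    'node_modules/layout-helper': {
      version: 'https://github.com/example-org/layout-helper/releases/download/v1.0.0/layout-helper-1.0.0.tgz',
      resolved: 'https://github.com/example-org/layout-helper/releases/download/v1.0.0/layout-helper-1.0.0.tgz',
    },
    'node_modules/bs58-fork': {
      version: '5.0.0',
      resolved: 'git+ssh://git@github.com/example-org/bs58-fork.git#0123456789abcdef',
    },
  },
};

// Run both audits over the constructed sample and return the findings.
function runAudit() {
  return { specs: auditPackageJson(SAMPLE_PACKAGE_JSON), lock: auditLockfile(SAMPLE_LOCKFILE) };
}

const report = runAudit();
for (const f of report.specs) console.log(`package.json: ${f.name} (${f.field}) -> ${f.spec}`);
for (const f of report.lock) console.log(`lockfile: ${f.name}: ${f.reason} (${f.detail})`);
```

Run against a real project by replacing the two constructed objects with the parsed contents of package.json and package-lock.json. Any finding deserves a look before `npm install`: a dependency served from a GitHub release tarball or a git ref is not subject to the registry's takedown and scanning, and a missing integrity hash means the lockfile cannot detect a swapped artifact.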
Scope of the Issue
Further investigation indicated that the attacker likely controlled multiple GitHub accounts, which were used to fork legitimate projects and introduce malicious alterations. Several of these forks exhibited the same traits, including the integration of another malicious package that surfaced on June 12. The incident is part of a growing wave of software supply chain attacks aimed at cryptocurrency users.
The case is a reminder of the risk of running software from unverified sources, and of the need to review open-source code and its dependencies before trusting it with wallet material.