Solana Bot Scam on GitHub Steals Crypto from Users

A malicious GitHub repository posing as a legitimate Solana trading bot has been exposed for reportedly hiding crypto-stealing malware. According to a recent report by blockchain security firm SlowMist, the now-deleted solana-pumpfun-bot repository hosted by account “zldp2002” was used to distribute obscured malware that stole crypto wallet credentials.

The malicious GitHub repository in question featured "a relatively high number of stars and forks," according to SlowMist. This raised suspicions among investigators, who noticed that all code commits across all its directories were made about three weeks ago, with apparent irregularities and a lack of consistent pattern that would indicate a legitimate project.

The project is Node.js-based and leverages the third-party package crypto-layout-utils as a dependency. However, upon further inspection by SlowMist, they found that this package had already been removed from the official NPM registry. This raised more questions about how the victim had downloaded the package, prompting investigators to dig deeper.

Investigating further, SlowMist discovered that the attacker was downloading the library from a separate GitHub repository. After analyzing the package, they found it to be heavily obfuscated using jsjiami.com.v7, making analysis harder. However, after de-obfuscation, investigators confirmed that it was a malicious package that scans local files, and if it detects wallet-related content or private keys, it would upload them to a remote server.

Relatedly, SlowMist also discovered that the attacker likely controlled a batch of GitHub accounts. These accounts were used to fork projects into malicious variations, distributing malware while artificially inflating fork and star counts. Multiple forked repositories exhibited similar features, with some versions incorporating another malicious package, bs58-encrypt-utils-1.0.3.

This package was created on June 12, which is when SlowMist researchers said they believed the attacker began distributing malicious NPM modules and Node.js projects. The incident is the latest in a string of software supply chain attacks targeting crypto users.

In recent weeks, similar schemes have targeted Firefox users with fake wallet extensions and used GitHub repositories to host credential-stealing code. These attacks highlight the growing threat of malware and phishing campaigns aimed at cryptocurrency users.

As cybersecurity firms continue to monitor the situation, it is essential for Solana and other crypto projects to take proactive measures to protect their users from such malicious activities. By implementing robust security measures and staying vigilant, these projects can help prevent similar attacks in the future.