
Solana Users Targeted in Sophisticated GitHub Malware Trap

Nidhi Saini
Published: July 5, 2025
(Updated: January 6, 2026)
3 min read

TL;DR

  • A fake GitHub “Solana trading bot” called solana-pumpfun-bot contained malware that stole wallet keys from users.
  • Designed in Node.js, it relied on hidden NPM packages (crypto-layout-utils, later bs58-encrypt-utils) not found in official registries.
  • Attackers forked and starred repositories to appear legitimate. SlowMist says the malware quietly scanned files and exfiltrated keys to githubshadow.xyz.
  • The scam, active since mid‑June, highlights growing threats in open-source and software supply chains. Users are urged to vet dependencies carefully.

On July 2, SlowMist, a blockchain security firm, alerted the crypto community to a malicious GitHub project masquerading as a Solana trading bot. A user had merely downloaded and run the repository zldp2002/solana-pumpfun-bot, and then saw their crypto vanish. The project, built with Node.js, appeared legitimate, complete with forks, stars, and recent commits. But behind the façade, it concealed danger.

According to SlowMist, the project referenced a dependency called crypto-layout-utils, which had mysteriously been removed from the official NPM registry, a red flag.

Obfuscated Malware in Plain Sight

Digging deeper, SlowMist found that the package was being sourced from a private GitHub release, not NPM. After de-obfuscating the code, they discovered it would:

  1. Scan local files for wallet-related data or private keys.
  2. Upload any found keys to a remote server under attacker control (githubshadow.xyz).

SlowMist also linked the scam to many GitHub accounts, all of which forked the bot to inflate its popularity and mask malicious intent. Further forks used a second malicious module, bs58-encrypt-utils, introduced around June 12.

Victims Report Funds Gone

The breach first surfaced when a victim reached out to SlowMist on July 2, alerting them that a downloaded “legit” bot had drained their wallet. On-chain analysis traced stolen funds to FixedFloat, a swap platform known for minimal verification, a common exit point for stolen assets.

Malware in the Real-World Supply Chain

Over the past year, cybercriminals have increasingly weaponized open-source tools and supply-chain systems to inject malware, affecting libraries, browser extensions, and bots that are often trusted by developers and users.

By mimicking legitimate tools and manipulating project metrics, attackers can fool even experienced developers into running malicious code.

How to Stay Safe

With these attacks getting more sophisticated, here’s how you can protect yourself:

  • Inspect dependencies: If a package has been removed from NPM or is sourced externally, treat it with suspicion.
  • Check project history: An abrupt spike in stars/forks and no long-term activity can signal a trap.
  • Use sandboxed environments: Never run unverified tools on systems that contain sensitive data or live wallets.
  • Run static analysis tools: Basic scanners can flag obfuscated or network-requesting code.
  • Stay informed: Follow security alerts from firms like SlowMist for real-time updates.
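One way to act on the “inspect dependencies” advice above. This is an added example, not code from the article or from SlowMist: a small Node.js audit that flags package.json entries npm would fetch from somewhere other than the public registry (a GitHub release tarball, a git remote, a local path), which is exactly the pattern described for crypto-layout-utils. The manifest and every package name in it are constructed for the demo.

```javascript
// Added example: flag package.json dependencies that bypass the npm registry.
// Node.js only, no third-party modules. The manifest below is constructed; the
// names and URLs in it are placeholders, not the real project's dependencies.

const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-trading-bot",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "bs58": "5.0.0",
    "layout-helper": "https://github.com/example-user/example-repo/releases/download/v1/layout-helper.tgz",
    "tiny-util": "github:example-user/tiny-util#main",
    "shared-lib": "example-user/shared-lib",
    "local-dep": "file:../local-dep",
    "aliased": "npm:left-pad@^1.3.0",
  },
  devDependencies: { typescript: "~5.4.0", nodemon: "latest" },
});

// Specifier prefixes that make npm resolve a package outside the public registry.
const EXTERNAL_PREFIX = /^(https?:|git(\+(ssh|https?|file))?:|github:|gitlab:|bitbucket:|gist:|file:|link:)/i;

// True when npm would resolve this specifier through the registry, where a
// package has a publish history and can be taken down; false for anything that
// names a URL, git remote, tarball, local path or "user/repo" GitHub shorthand.
function isRegistrySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith("npm:")) return true;               // alias, still from the registry
  if (EXTERNAL_PREFIX.test(s)) return false;             // URL, git remote or local path
  if (/\.(tgz|tar\.gz)$/i.test(s)) return false;         // remote tarball
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return false;  // GitHub "user/repo" shorthand
  return true;                                           // semver range, tag, "*", "latest"
}

// Walks every dependency section and returns the entries a reviewer should inspect.
function auditManifest(jsonText) {
  const pkg = JSON.parse(jsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isRegistrySpec(spec)) {
        findings.push({ section, name, spec, reason: "not resolved from the npm registry" });
      }
    }
  }
  return findings;
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`[review] ${f.section}/${f.name}: ${f.spec} (${f.reason})`);
}
```

Run it against a real project with `auditManifest(fs.readFileSync("package.json", "utf8"))`; a clean result does not prove a package is safe, only that it came through the registry and can be checked there.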

Final Thought

The solana-pumpfun-bot scam is a stark reminder that not all open-source code is trustworthy even if it looks popular and active. In the rapidly evolving world of crypto, vigilance matters more than ever. Whether you’re a trader, developer, or node hobbyist, scrutinize every repository and dependency before trusting your private keys. When in doubt, run code in isolation or skip it altogether.

Open-source has immense power but it’s only as safe as the habits of those who use it.

About the Author

Nidhi Saini

Nidhi Saini is a writer and co-founder of CotiNews, with over four years of experience working in Web3 marketing. She brings a practitioner’s perspective to her writing, shaped by years spent understanding how blockchain products are positioned, communicated, and adopted. As a co-founder, she is also involved in shaping the platform’s editorial direction, ensuring the publication stays thoughtful, credible, and grounded.

Disclaimer

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official stance of CotiNews or the COTI ecosystem. All content published on CotiNews is for informational and educational purposes only and should not be construed as financial, investment, legal, or technological advice. CotiNews is an independent publication and is not affiliated with coti.io, coti.foundation or its team. While we strive for accuracy, we do not guarantee the completeness or reliability of the information presented. Readers are strongly encouraged to do their own research (DYOR) before making any decisions based on the content provided. For corrections, feedback, or content takedown requests, please reach out to us at contact@coti.news.
