
Solana bot scam on GitHub takes crypto from users.


A GitHub repository disguised as a legitimate Solana trading bot has come under scrutiny for allegedly harboring malware that steals cryptocurrency. According to a report published Friday, the repository, known as Solana-Pumpun-Bot and maintained by the account "ZLDP2002", was flagged by blockchain security firm SlowMist; it imitated a genuine open-source tool in order to harvest users' credentials. Concerns escalated after users noticed on Thursday that funds were missing from their wallets, prompting SlowMist to open an investigation.

The repository had accumulated a surprisingly high number of stars and forks. However, all of its commits dated from roughly three weeks earlier, and the history showed none of the steady, incremental activity one would expect from a legitimate project, according to SlowMist's findings.

Built on Node.js, the project depends on a third-party package named Crypto-layout-utils. SlowMist later found that this package had already been removed from the official NPM registry.

Scrutinized NPM Packages

Since the package could not be downloaded from the official Node Package Manager (NPM) registry, the question was how victims had obtained it. Further investigation showed that the project fetched the library from a separate GitHub repository rather than from the registry. SlowMist researchers noted that the package was heavily obfuscated with jsjiami.com.v7, which complicated their analysis. Ultimately they confirmed that the malicious package scans local files for wallet-related data and private keys and uploads anything it finds to a remote server.
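The two red flags in this incident, a dependency that is not served by the NPM registry and a dependency whose source is obfuscated, can both be checked before anything is installed. The script below is an added example written for this article; it is not code from the repository, from SlowMist, or from the article itself. It walks a project's package.json and a v2/v3 package-lock.json and reports every dependency that resolves somewhere other than registry.npmjs.org, lacks an integrity hash, or runs an install script, and it applies a simple obfuscation heuristic to a source file. The package names, URLs and snippets are constructed for the example, and the jsjiami banner string and the `_0x....` identifier pattern are assumed heuristics, not a definitive signature.

```javascript
// Added example, not code from the article, the repository or SlowMist:
// audit a Node.js project's dependency sources for the pattern described
// above, a dependency that does not come from the official NPM registry.
// Package names, URLs and the obfuscated snippet are constructed for the
// example; the jsjiami banner and the _0x.... identifier pattern are
// assumed heuristics.

const REGISTRY = "https://registry.npmjs.org/";

// package.json specifiers that make npm fetch from somewhere other than the
// registry: git/github/tarball URLs, local paths, or "owner/repo" shorthand.
function isNonRegistrySpec(spec) {
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|https?:|file:)/i.test(spec)) return true;
  if (/^(\.\.?\/|\/)/.test(spec)) return true;
  return /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);
}

// Walk package.json plus a lockfileVersion 2/3 package-lock.json and return
// a list of findings; an empty list means every dependency is pinned to the
// registry with an integrity hash and no install hook.
function auditProject(pkgJson, lockJson) {
  const findings = [];
  const declared = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (isNonRegistrySpec(spec)) {
      findings.push({ name, reason: "non-registry specifier", detail: spec });
    }
  }
  for (const [path, meta] of Object.entries((lockJson && lockJson.packages) || {})) {
    if (path === "" || meta.link) continue; // root entry or workspace symlink
    const name = path.replace(/^.*node_modules\//, "");
    if (!meta.resolved) {
      findings.push({ name, reason: "no resolved URL in lockfile", detail: path });
    } else if (!meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, reason: "resolved outside registry", detail: meta.resolved });
    }
    if (!meta.integrity) {
      findings.push({ name, reason: "no integrity hash", detail: path });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, reason: "runs install script", detail: path });
    }
  }
  return findings;
}

// Cheap heuristic for the kind of obfuscation mentioned above: the jsjiami
// banner string and a flood of hex-named identifiers such as _0x1a2b.
function obfuscationMarkers(source) {
  const markers = [];
  if (/jsjiami\.com/i.test(source)) markers.push("jsjiami banner");
  const hexIds = (source.match(/\b_0x[0-9a-f]{4,}\b/g) || []).length;
  if (hexIds >= 5) markers.push(`${hexIds} hex-named identifiers`);
  return markers;
}

// Constructed sample input: two legitimate registry packages and two
// dependencies pulled from GitHub and from an arbitrary tarball URL.
const SAMPLE_PACKAGE_JSON = {
  name: "trading-bot-example",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "bs58": "^6.0.0",
    "layout-utils-example": "github:example-org/layout-utils-example",
    "encrypt-utils-example": "https://example.invalid/encrypt-utils-1.0.3.tgz",
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot-example" },
    "node_modules/@solana/web3.js": {
      version: "1.95.0",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz",
      integrity: "sha512-constructed",
    },
    "node_modules/bs58": {
      version: "6.0.0",
      resolved: "https://registry.npmjs.org/bs58/-/bs58-6.0.0.tgz",
      integrity: "sha512-constructed",
    },
    "node_modules/layout-utils-example": {
      version: "1.0.0",
      resolved: "git+ssh://git@github.com/example-org/layout-utils-example.git#abc123",
      hasInstallScript: true,
    },
    "node_modules/encrypt-utils-example": {
      version: "1.0.3",
      resolved: "https://example.invalid/encrypt-utils-1.0.3.tgz",
      integrity: "sha512-constructed",
    },
  },
};
// Constructed source snippets: one in the jsjiami style, one plain.
const SAMPLE_OBFUSCATED =
  "var _0x1a2b=['jsjiami.com.v7','readFileSync','homedir'];" +
  "function _0x3c4d(_0x5e6f,_0x7a8b){return _0x1a2b[_0x5e6f-0x0];}" +
  "var _0x9c0d=_0x3c4d(0x1);";
const SAMPLE_CLEAN =
  "const fs = require('fs');\nmodule.exports = { load: () => fs.readFileSync('config.json', 'utf8') };";

const REPORT = auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
for (const f of REPORT) console.log(`${f.name}: ${f.reason} (${f.detail})`);
console.log("obfuscated:", obfuscationMarkers(SAMPLE_OBFUSCATED));
console.log("clean:", obfuscationMarkers(SAMPLE_CLEAN));
```

On the constructed input the audit reports six findings, all against the two non-registry packages and none against the registry-pinned ones. The lockfile checks matter more than the package.json checks: a specifier such as `^1.0.0` looks harmless, but a tampered lockfile can still point the install at any URL, so the `resolved` field is what actually decides where the tarball comes from.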

More Than One Repository

SlowMist's investigation indicated that the attackers likely control multiple GitHub accounts. These accounts were used to publish variants of the malicious project, artificially inflate star and fork counts, and spread the malware. Some repositories carried the same functionality, while one version bundled an additional malicious package, BS58-Encrypt-Utils-1.0.3, created on June 12. Researchers suspect the attacker has begun actively distributing these malicious NPM modules and Node.js projects.

This incident is part of a broader pattern of software supply chain attacks targeting cryptocurrency users. In recent weeks, a similar campaign targeted Firefox users with fake wallet extensions hosted on GitHub in order to capture their credentials.
