Malicious open-source project implanted a backdoored NPM package, stealing users' private keys and leading to Solana wallet asset theft.
Author: Thinking
Editor: Liz
Background Overview
On July 2, 2025, a victim contacted the SlowMist Security Team for assistance in analyzing why their wallet assets had been stolen. The incident began the day before, when they used an open-source project hosted on GitHub, zldp2002/solana-pumpfun-bot, after which their crypto assets were stolen.
Analysis Process
We immediately began investigating the incident. First, we accessed the project's GitHub repository, https://github.com/zldp2002/solana-pumpfun-bot, and noticed that it had a relatively high number of Stars and Forks, yet the commit times across all of its directories were concentrated around three weeks earlier. This is a clear anomaly: a genuine project shows a continuous history of updates.
This is a Node.js-based project. We first analyzed its dependencies and found that it referenced a third-party package named crypto-layout-utils.
Further investigation revealed that this dependency had been removed from the official NPM registry, and the version specified in package.json did not appear in the package's official NPM history. We therefore judged the package to be suspicious; since it could no longer be downloaded from the official NPM source, how had the victim obtained this malicious dependency?
Delving deeper into the project, we found a key clue in the package-lock.json file: the attacker had replaced the download link for crypto-layout-utils with: https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz.
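One defensive check that this finding suggests, written here as an added example and not code from the SlowMist write-up or from the project: parse package-lock.json and flag every dependency whose resolved tarball is not served by the official npm registry. The sample lockfile is constructed for the example, with one entry reproducing the redirected link quoted above.

```javascript
// Added example, not code from the SlowMist write-up or the malicious project:
// audit a package-lock.json for dependencies whose tarball resolves outside the
// official npm registry, the trick used to deliver crypto-layout-utils.
// Handles lockfile v1 ("dependencies", nested) and v2/v3 ("packages").
// If you use a registry mirror, add its base URL here; git+, file: and
// arbitrary https URLs are all reported as findings.
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"];

// Lockfile constructed for this example; the crypto-layout-utils entry mirrors
// the redirected download link quoted in the analysis above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "solana-pumpfun-bot" },
    "node_modules/bs58": {
      version: "5.0.0",
      resolved: "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz",
    },
    "node_modules/crypto-layout-utils": {
      version: "1.3.1",
      resolved: "https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz",
    },
  },
};

// Returns [{ name, version, resolved }] for every entry not served by a
// trusted registry.
function auditLockfile(lock) {
  const findings = [];
  const check = (name, entry) => {
    if (!entry || typeof entry !== "object") return;
    const { resolved, version } = entry;
    if (typeof resolved === "string" && !TRUSTED_REGISTRIES.some((r) => resolved.startsWith(r))) {
      findings.push({ name, version, resolved });
    }
    // v1 lockfiles nest transitive dependencies under "dependencies"
    for (const [n, e] of Object.entries(entry.dependencies || {})) check(n, e);
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry has no "resolved"
      check(path.replace(/^.*node_modules\//, ""), entry); // keeps @scope/name
    }
  } else {
    for (const [n, e] of Object.entries(lock.dependencies || {})) check(n, e);
  }
  return findings;
}
```

To run it on a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to auditLockfile and review every finding before running npm install.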
We downloaded this suspicious dependency package, crypto-layout-utils-1.3.1, and found that its code was heavily obfuscated with jsjiami.com.v7, which made analysis harder.
After deobfuscation, we confirmed that this was a malicious NPM package: the attacker implemented logic in crypto-layout-utils-1.3.1 to scan the files on the victim's computer, and if it found any content or files related to wallets or private keys, it uploaded them to a server controlled by the attacker (githubshadow.xyz).
Malicious NPM package scanning sensitive files and directories:
Malicious NPM package uploading content or files containing private keys:
We continued to investigate the attack methods and found that the project author (https://github.com/zldp2002/) appeared to control a batch of GitHub accounts used to fork the malicious project and distribute the malicious program, while also inflating the project's Fork and Star counts to lure more users, thereby widening the distribution of the malicious program.
We also identified multiple Forked projects exhibiting similar malicious behavior, with some versions using another malicious package bs58-encrypt-utils-1.0.3.
This malicious package was created on June 12, 2025, suggesting that the attacker had already begun distributing malicious NPM and Node.js projects at that time. However, after NPM removed bs58-encrypt-utils, the attacker switched to distributing by replacing the NPM package download links.
Additionally, using the on-chain anti-money-laundering and tracking tool MistTrack, we found that one of the attacker's addresses transferred stolen funds to the trading platform FixedFloat.
Summary
In this attack incident, the attacker disguised the malware as a legitimate open-source project (solana-pumpfun-bot), luring users to download and run malicious code. By artificially inflating the project's popularity, the attacker led users to unknowingly run a Node.js project with malicious dependencies, resulting in the leakage of wallet private keys and the theft of assets.
The entire attack chain involved multiple GitHub accounts working in coordination, expanding the spread and enhancing credibility, making it highly deceptive. Moreover, such attacks combine social engineering and technical means, making it difficult to completely defend against them within organizations.
We advise developers and users to be highly vigilant about unknown GitHub projects, especially those that involve wallet or private-key operations. If debugging such a project is necessary, run and debug it in an isolated environment that holds no sensitive data.
Malicious Dependency Package Information
Malicious Node.js project GitHub repositories:
Malicious NPM packages:
crypto-layout-utils
bs58-encrypt-utils
Malicious NPM package download link:
https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz
Server for uploading data from malicious NPM packages:
githubshadow.xyz