SlowMist Uncovers Malicious GitHub Project Targeting Solana Users


TL;DR

  • SlowMist uncovered a fake GitHub repository posing as a Solana trading bot that stole wallet funds using hidden malware in its code.
  • The malicious package, crypto-layout-utils, was downloaded from an external URL instead of the NPM registry; it scanned local files for private keys and sent them to a server controlled by the attacker.
  • SlowMist confirmed that part of the stolen funds was transferred to FixedFloat and warned about the growing sophistication of these attacks.

A fake GitHub repository used to spread malware has raised alarm across the crypto community following an investigation by cybersecurity firm SlowMist.

The case came to light after a user reported the theft of funds from their wallet, which occurred after downloading and running a supposed Solana trading bot published by the zldp2002 account. The tool, disguised as a legitimate project called solana-pumpfun-bot, quickly gathered an unusually high number of stars and forks, helping to conceal its true purpose.


SlowMist’s analysis revealed that the code, built with Node.js, included a dependency named crypto-layout-utils, which had already been removed from the official NPM registry. Instead, the package-lock.json file had been altered to download this library from a GitHub URL controlled by the attacker. After de-obfuscating the package, researchers confirmed it contained functions designed to scan local files for wallets or private keys and send them to an external server.
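The package-lock.json manipulation described above is detectable before anything is installed: every dependency entry carries a "resolved" URL, and one that points anywhere other than the official registry deserves scrutiny. The following Python script is an added example, not SlowMist's tooling or code from the repository in question; it handles both the nested lockfile v1 layout and the flat v2/v3 "packages" layout, and the embedded sample lockfile, including its GitHub tarball URL, is a constructed placeholder rather than the attacker's real one.

```python
import json
from urllib.parse import urlparse

# Hosts a lockfile entry is expected to be fetched from; anything else
# (a GitHub tarball, a git+ URL, an arbitrary web server) gets reported.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

def _walk_v1(deps, path, out):
    # lockfileVersion 1: nested "dependencies" objects, each with "resolved".
    for name, info in (deps or {}).items():
        out.append(("/".join(path + [name]), info.get("resolved")))
        _walk_v1(info.get("dependencies"), path + [name], out)

def iter_resolved(lock):
    # Return [(package path, resolved URL or None)] for every lockfile entry.
    entries = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for key, info in lock["packages"].items():
            if key:  # "" is the root project itself and has no resolved URL
                entries.append((key.split("node_modules/")[-1], info.get("resolved")))
    else:
        _walk_v1(lock.get("dependencies"), [], entries)
    return entries

def find_off_registry(lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return entries whose 'resolved' URL is missing or not a trusted registry."""
    findings = []
    for name, resolved in iter_resolved(json.loads(lock_text)):
        if not resolved:
            findings.append((name, "<no resolved URL>"))
            continue
        url = urlparse(resolved)
        if url.scheme != "https" or url.hostname not in trusted_hosts:
            findings.append((name, resolved))
    return findings

# Constructed sample (v3 layout) mirroring the pattern in the article: one
# dependency pinned to the registry, one redirected to a GitHub-hosted tarball.
# The GitHub URL is a placeholder, not the attacker's real one.
SAMPLE_LOCK = json.dumps({"name": "example-bot", "lockfileVersion": 3, "packages": {
    "": {"name": "example-bot", "version": "1.0.0"},
    "node_modules/bs58": {"version": "5.0.0",
        "resolved": "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz"},
    "node_modules/crypto-layout-utils": {"version": "1.0.0",
        "resolved": "https://github.com/EXAMPLE-ATTACKER/crypto-layout-utils/archive/v1.0.0.tar.gz"},
}})

if __name__ == "__main__":
    for name, resolved in find_off_registry(SAMPLE_LOCK):
        print(f"OFF-REGISTRY: {name} -> {resolved}")
```

Run it against a real project's package-lock.json (replace SAMPLE_LOCK with the file's contents) as a pre-install check; a hit does not prove malice, but it is exactly the signal that would have exposed this repository's redirected dependency.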


SlowMist Found Stolen Funds Moved to FixedFloat

SlowMist also uncovered a network of fake GitHub accounts used to fork projects and replicate malware versions, artificially inflating public metrics to attract more downloads. Some of these forks included another malicious dependency, bs58-encrypt-utils-1.0.3, which began circulating in mid-June. After this package was removed from NPM, attackers switched to using custom download links to keep the operation active.

Using on-chain tracking tools, SlowMist detected that a portion of the stolen funds was moved to the FixedFloat platform. The operation combined social engineering techniques with dependency manipulation in open-source projects, leading some unsuspecting users to run malicious code on their systems.


This incident is a clear demonstration of the growing sophistication behind attacks targeting the crypto sector. Investigators warned of the risks posed by unverified tools that handle assets and advised isolating test environments while carefully inspecting the origin and dependencies of any software before execution.
