Cybersecurity researchers have uncovered a sophisticated crypto-stealing operation disguised as a Solana trading bot on GitHub, marking the latest software supply chain attack targeting digital asset holders.
Blockchain security firm SlowMist revealed on July 4 that a GitHub account named "zldp2002" had uploaded a fraudulent Solana trading bot called solana-pumpfun-bot. The repository, which has since been removed, reportedly contained obfuscated malware designed to harvest cryptocurrency wallet credentials.
The malicious project mimicked legitimate open-source tools and gained traction through artificially inflated metrics, showing 857 stars and multiple forks before its removal. Security analysts noted the repository displayed several red flags:
• All code commits concentrated within a 3-week period
• Irregular development patterns inconsistent with genuine projects
• Dependence on a suspicious NPM package that was later removed from the registry
Investigators discovered the malware employed advanced evasion techniques, including:
1. Using jsjiami.com.v7 to obscure malicious code
2. Bundling with a malicious dependency (crypto-layout-utils)
3. Scanning local files for wallet data and private keys
4. Exfiltrating stolen credentials to remote servers
"This represents a dangerous evolution in crypto-focused cyberattacks," noted SlowMist's report, emphasizing how the attackers distributed the malicious package through alternative channels after its removal from NPM's official registry.
Further investigation revealed the operation extended beyond a single repository. The threat actor allegedly controlled multiple GitHub accounts used to:
• Fork legitimate projects into malicious variants
• Distribute additional harmful packages like bs58-encrypt-utils-1.0.3
• Artificially boost repository metrics to appear credible
The security firm traced the campaign's origins to June 12, when the attacker began distributing compromised Node.js projects and NPM modules. This incident follows recent attacks involving fake browser extensions and cloned wallet applications.
This incident highlights three critical vulnerabilities in the crypto space:
1. Overreliance on open-source tools without proper verification
2. Weaknesses in software supply chain security
3. Sophisticated social engineering tactics targeting developers
Security experts recommend developers implement rigorous code audits and verify all third-party dependencies. As of press time, GitHub has removed the identified malicious repositories, but researchers warn similar threats likely remain undetected across the platform.
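As an added illustration of the verification step recommended above (not code from SlowMist or the article), the following Node.js script triages a cloned repository for the red flags the report describes: a commit history squeezed into a three-week window, dependencies that are known-bad names or are pulled from outside the npm registry, and source files carrying an obfuscator tag. The repository contents are constructed samples; the package names come from the report, while the obfuscator marker string and the placeholder tarball host are assumptions.

```javascript
// Constructed samples standing in for a cloned repository (not the real solana-pumpfun-bot files).
const SAMPLE = {
  // output of `git log --format=%cI`: every commit inside one short window
  gitLog: "2025-06-30T10:00:00Z\n2025-06-20T10:00:00Z\n2025-06-12T10:00:00Z\n",
  packageJson: JSON.stringify({
    dependencies: {
      "@solana/web3.js": "^1.0.0",
      // installed from a tarball URL instead of the registry (placeholder host)
      "crypto-layout-utils": "https://example.invalid/crypto-layout-utils-1.0.0.tgz",
    },
  }),
  sources: { "src/index.js": "var _0x1a2b=['jsjiami.com.v7','aGVsbG8='];" },
};

// Package names taken from the SlowMist findings described above.
const SUSPECT_PACKAGES = new Set(["crypto-layout-utils", "bs58-encrypt-utils"]);
// Dependency specifiers that bypass the npm registry (URLs, git, local paths, tarballs).
const NON_REGISTRY_SPEC = /^(https?:\/\/|git(\+[a-z]+)?:|github:|gitlab:|file:|\.{0,2}\/)|\.tgz$/i;
// Assumption: the obfuscator leaves its own tag string in the code it produces.
const OBFUSCATOR_MARKER = /jsjiami\.com\.v7/i;

// Days between the oldest and newest commit in `git log --format=%cI` output.
function commitSpanDays(gitLog) {
  const t = gitLog.split("\n").filter(Boolean).map((l) => Date.parse(l.trim()));
  return t.length ? (Math.max(...t) - Math.min(...t)) / 86400000 : 0;
}

// Dependencies that are either known-bad names or fetched from outside the registry.
function suspiciousDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([name, spec]) => SUSPECT_PACKAGES.has(name) || NON_REGISTRY_SPEC.test(spec))
    .map(([name]) => name);
}

// Collect the red flags for one repository; an empty list means nothing was flagged.
function triage({ gitLog, packageJson, sources }) {
  const findings = [];
  const span = commitSpanDays(gitLog);
  if (span <= 21) findings.push(`commit history spans only ${span.toFixed(1)} days`);
  for (const dep of suspiciousDependencies(packageJson)) findings.push(`suspicious dependency: ${dep}`);
  for (const [file, text] of Object.entries(sources)) {
    if (OBFUSCATOR_MARKER.test(text)) findings.push(`obfuscator marker in ${file}`);
  }
  return findings;
}

console.log(triage(SAMPLE));
```

Any finding is a reason to read the code before running it, not proof of malice; a short commit history alone is common for new legitimate projects.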