Fake Solana Trading Bot on GitHub Steals Cryptocurrency
A fraudulent GitHub repository, disguised as a legitimate Solana trading bot, was recently exposed for distributing malware designed to steal cryptocurrency wallet credentials. Cybersecurity firm SlowMist uncovered the scam, shedding light on the risks of software supply chain attacks in the cryptocurrency sector.
How the Solana Bot Scam Worked
The malicious repository, named solana-pumpfun-bot and hosted by the account “zldp2002,” impersonated a genuine open-source tool to collect user credentials. Despite its high number of stars and forks, which suggested credibility, SlowMist identified inconsistencies in the code commits and an absence of the usual patterns found in authentic projects.
The Threat of Malicious Packages
The Node.js-based project relied on a third-party package, crypto-layout-utils, previously available on the official NPM registry but later removed. Obfuscation techniques made the package difficult to analyze. Upon de-obfuscation, researchers confirmed its malicious function: it scanned local files for wallet-related data or private keys and transmitted them to a remote server.
Key Facts About the GitHub Crypto Scam
- The fraudulent repository was taken down after discovery.
- The malicious package was sourced from an alternative GitHub repository following its removal from NPM.
- Similar attacks have recently involved fake wallet extensions targeting Firefox users.
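The dependency-sourcing pattern described above (a package pulled from a GitHub repository after its removal from NPM) is something a project's own manifest reveals. The following is an added example, not SlowMist's or the article's code, that audits a Node.js package.json for dependencies that bypass the npm registry; the sample manifest and the GitHub owner name in it are constructed placeholders.

```javascript
// Added example, not SlowMist's or the article's code: audit a Node.js
// package.json for dependencies that bypass the npm registry, the pattern
// described above (a package removed from npm, then pulled from GitHub).

const NON_REGISTRY_PATTERNS = [
  { re: /^(github|gitlab|bitbucket|gist):/i, reason: 'hosted git shorthand' },
  { re: /^git(\+\w+)?:/i, reason: 'git URL' },
  { re: /^https?:\/\//i, reason: 'remote tarball URL' },
  { re: /^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/, reason: 'owner/repo GitHub shorthand' },
  { re: /^(file:|\.{0,2}\/)/, reason: 'local path' },
];

// Returns why a dependency spec is suspicious, or null when it is an ordinary
// version, range, tag or npm: alias that the registry resolves.
function classifySpec(spec) {
  for (const { re, reason } of NON_REGISTRY_PATTERNS) {
    if (re.test(spec)) return reason;
  }
  return null;
}

// Walk every dependency section and collect the non-registry entries.
function findNonRegistryDependencies(pkg) {
  const findings = [];
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpec(String(spec));
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample package.json modelled on the article's scenario. The
// GitHub owner is a placeholder; the article does not name the repository.
const SAMPLE_PACKAGE_JSON = {
  name: 'trading-bot-sample',
  dependencies: {
    '@solana/web3.js': '^1.0.0',
    'crypto-layout-utils': 'github:example-owner/crypto-layout-utils',
  },
  devDependencies: { typescript: '~5.4.0' },
};

function auditSample() {
  return findNonRegistryDependencies(SAMPLE_PACKAGE_JSON);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSample()) {
    console.log(`[${f.field}] ${f.name} -> ${f.spec} (${f.reason})`);
  }
}
```

Running the audit over a real manifest is a cheap pre-install check: any finding deserves the same scrutiny the article recommends for the repository itself (commit history, contributor activity, and whether the package ever had a legitimate registry release).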
Expert Insight on Crypto Security
“This incident highlights the need for thorough verification of open-source tools before use,” a SlowMist spokesperson advised. “Users should scrutinize commit history and contributor activity to identify potential warning signs.”