The fake “solana-pumpfun-bot” project appeared on GitHub under the user zldp2002, quickly gaining popularity among Solana traders. Its apparent legitimacy was bolstered by a high number of stars and forks, making it seem like a trusted community tool.
Users downloaded and ran the Node.js-based bot, unaware that it carried hidden malware. Rather than providing trading functionality, the malicious code silently searched the machine for wallet files and private keys and sent them to an attacker-controlled server. Victims reported that their wallets were drained, with the funds funneled through the crypto exchange service FixedFloat.
Obfuscated Code and Rogue Dependencies Bypass Traditional Security
The bot’s malicious payload was hidden behind heavy code obfuscation, which made its real intent hard to read for users and automated scanners alike. The project also declared a dependency, “crypto-layout-utils,” that was not resolved from the official npm registry: its package.json pointed at a tarball published as a GitHub release, dressed up to look like an ordinary library.
Pulling the dependency from outside the registry meant it never passed through the registry’s publishing, scanning and takedown controls, so nothing on the registry side could flag it. Once installed, the package searched the local system for wallet files and private keys and uploaded them to a remote server at githubshadow.xyz. Some clones of the bot swapped in a second malicious package, “bs58-encrypt-utils-1.0.3,” whose name echoes the widely used bs58 base58 library, to widen the attack’s reach.
Did you know?
Supply chain attacks like this are not unique to Solana. Similar tactics have targeted other blockchain ecosystems, exploiting open-source trust and dependency management to steal millions in digital assets over the past year.
Fake Credibility and Social Proof Fuel the Scam’s Spread
The attacker amplified the bot’s credibility by forking the project across multiple fake GitHub accounts. This artificial inflation of stars and forks made the repository look more legitimate, encouraging more users to trust and install the software.
Detailed documentation, recent commits, and references to real Solana tools further masked the scam. These tactics exploited the open-source community’s reliance on social proof and transparency, turning trust into a vulnerability.
Supply Chain Attacks Target Developers and End Users Alike
This incident illustrates the growing threat of software supply chain attacks in the crypto ecosystem. By manipulating how dependencies are resolved and relying on open-source distribution for reach, attackers can compromise developers and end users alike.
Because the malicious package was never published to the registry, tools that key off registry metadata, such as advisory databases and audit commands, had nothing to match against. Users who installed the bot exposed their wallets directly, while developers who integrated it into their own projects risked carrying the malware further downstream; for them, the only reliable signal was the dependency spec and lockfile entry resolving to a URL outside the registry.
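The following Node.js script is an added example, not code from the article or from the zldp2002 repository. It performs the check that both the “Obfuscated Code and Rogue Dependencies” section and the paragraph above call for: scanning a package.json and a package-lock.json for dependencies that resolve outside the npm registry. The sample manifest and lockfile are constructed here to mirror the attack; the GitHub URLs, the `example-attacker` account and the integrity hashes are placeholders, not the attacker’s real values.

```javascript
// Added example: flag dependencies that bypass the npm registry.
// Not part of the original article or the solana-pumpfun-bot repository.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
const REGISTRY_HOST = 'registry.npmjs.org';

// Constructed package.json mirroring the article: one dependency pulled from a
// GitHub release tarball, one from a git shorthand. URLs are placeholders.
const SAMPLE_PACKAGE_JSON = {
  name: 'solana-pumpfun-bot',
  version: '1.0.0',
  dependencies: {
    '@solana/web3.js': '^1.95.0',
    bs58: '^6.0.0',
    'crypto-layout-utils':
      'https://github.com/example-attacker/crypto-layout-utils/releases/download/v1.0.0/crypto-layout-utils-1.0.0.tgz',
    'some-git-dep': 'github:example-attacker/some-git-dep#main',
  },
  devDependencies: { typescript: '~5.4.0' },
};

// Constructed lockfile (v3 layout). The "sha512-..." values are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'solana-pumpfun-bot', version: '1.0.0' },
    'node_modules/bs58': {
      version: '6.0.0',
      resolved: 'https://registry.npmjs.org/bs58/-/bs58-6.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/crypto-layout-utils': {
      version: '1.0.0',
      resolved: 'https://github.com/example-attacker/crypto-layout-utils/releases/download/v1.0.0/crypto-layout-utils-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

// Map a package.json dependency spec to where npm would fetch it from.
// Anything other than 'registry' deserves a look before `npm install`.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^npm:/i.test(s)) return 'registry'; // alias such as "npm:foo@^1"; still registry-resolved
  if (/^https?:\/\//i.test(s)) return 'remote-tarball'; // the crypto-layout-utils pattern
  if (/^(git(\+\w+)?|ssh):\/\//i.test(s)) return 'git';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'git';
  if (/^(file|link|workspace):/i.test(s) || /^(\.\.?\/|\/|~\/)/.test(s)) return 'local';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git'; // bare "user/repo" GitHub shorthand
  return 'registry'; // semver range, dist-tag such as "latest", or empty string
}

// Walk every dependency field and report the ones not served by the registry.
function findNonRegistryDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const source = classifySpec(spec);
      if (source !== 'registry') findings.push({ field, name, spec, source });
    }
  }
  return findings;
}

// Check what actually got resolved. The lockfile records the final URL and hash,
// so a non-registry host here also catches tarballs hidden behind transitive deps.
// (For v1 lockfiles only the top-level "dependencies" map is inspected.)
function findUntrustedLockEntries(lock, allowedHosts = [REGISTRY_HOST]) {
  const entries = lock.packages
    ? Object.entries(lock.packages).filter(([path]) => path !== '') // v2/v3; '' is the root project
    : Object.entries(lock.dependencies || {}); // v1 layout
  const findings = [];
  for (const [key, meta] of entries) {
    if (meta.link || meta.inBundle) continue; // workspace symlink or bundled dep: no remote fetch
    let host = null;
    try {
      host = meta.resolved ? new URL(meta.resolved).hostname : null;
    } catch {
      host = null; // an unparsable "resolved" is itself suspicious; fall through and flag it
    }
    const trustedHost = host !== null && allowedHosts.includes(host);
    if (!trustedHost || !meta.integrity) {
      findings.push({ key, resolved: meta.resolved || null, host, hasIntegrity: Boolean(meta.integrity) });
    }
  }
  return findings;
}

console.log(JSON.stringify({
  manifest: findNonRegistryDeps(SAMPLE_PACKAGE_JSON),
  lockfile: findUntrustedLockEntries(SAMPLE_LOCK),
}, null, 2));
```

Run against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the lockfile. The manifest check catches what the author declared; the lockfile check catches what was actually downloaded, which is the one that matters after a transitive dependency has been swapped for a tarball. Treat any hit as untrusted until the tarball has been unpacked and read.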
On-Chain Analysis Traces Stolen Funds to Obfuscation Services
After the scam was uncovered, blockchain security firm SlowMist traced the stolen assets with on-chain analysis tools. The funds were quickly routed through FixedFloat, an instant exchange service that turns up frequently in laundering flows, which complicated recovery.
The attack had been running since at least June 12, 2025, and only came to light after a victim reported their loss. For anyone running third-party trading bots, the lesson is concrete: check where every dependency is fetched from, treat anything not served by the package registry as untrusted, and never run such tools on a machine that holds hot-wallet keys.