
Solana Trading Bot Scam on GitHub Steals Wallets with Hidden Malware
In a report released by blockchain security firm SlowMist, a deceptive GitHub repository was found to be stealing crypto wallets from users who thought they were downloading a helpful Solana trading tool.
The fraudulent project, named solana-pumpfun-bot, was hosted by an account under the alias zldp2002. It appeared legitimate on the surface, boasting a decent number of stars and forks to boost its credibility. But under the hood, it was pure deception.
What Made the Bot Suspicious?
At first glance, the bot seemed harmless and open-source, like many legitimate trading tools in the Solana ecosystem. But SlowMist investigators quickly noticed something was off:
- All commits were made roughly three weeks ago.
- The file structure showed irregularities.
- There was no clear development history or issue reporting.
- It used a removed and suspicious dependency: crypto-layout-utils.
The biggest red flag? The malicious package was served from a separate GitHub account rather than through the official NPM (Node Package Manager) registry.
Digging Deeper: Obfuscated and Dangerous Code
Upon deeper analysis, SlowMist discovered that the package was heavily obfuscated, specifically with the jsjiami.com.v7 obfuscator. The obfuscation made the malicious code difficult to read, helping it slip past less experienced reviewers.
Once deobfuscated, the truth came out: the malware scanned users’ local machines for sensitive wallet data and private keys and uploaded all of it to a remote server, handing full access to the attackers.
Supply Chain Attack via NPM
Another part of the scam was the inclusion of other malicious packages such as bs58-encrypt-utils-1.0.3. Created on June 12, this module was inserted into otherwise legitimate-looking Node.js projects.
By hijacking the software supply chain, the attackers ensured that even users downloading from trusted platforms like GitHub would fall victim.
Not Just One Repo—It’s a Pattern
The danger doesn’t end with one fake repo.
SlowMist revealed that the attacker likely controlled multiple GitHub accounts, all used to fork and slightly modify legitimate tools. These clones were then repackaged with malware, gaining trust through fake stars, forks, and community interaction.
These tactics aren’t new, but the sophistication and rapid spread raise serious concerns for the crypto community.
Crypto Devs: Watch Your Dependencies
This incident is a wake-up call not just for crypto investors but for developers too.
Key warning signs include:
- Projects that suddenly appear with high stars and forks but no user issues or PRs.
- Use of obscure or removed NPM packages.
- Heavily obfuscated JavaScript files.
- Repos that encourage downloading packages from secondary sources instead of official registries.
If you’re building or using crypto tools, always audit dependencies—even if they look trusted.
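As an added illustration (not code from SlowMist's report or from the article), here is a small Node.js audit that checks a project's package.json and package-lock.json for the machine-checkable warning signs above: a dependency pulled from somewhere other than the official npm registry, and a dependency name on a watchlist. The package names come from this article; the sample manifests and the GitHub account name are constructed placeholders.

```javascript
// Added example (not from SlowMist's report or this article): audit package.json and
// package-lock.json for the warning signs above. Package names come from the article;
// the manifests and the GitHub account name below are constructed placeholders.
const REGISTRY_HOST = "registry.npmjs.org";
// Dependency names called out in the SlowMist write-up; extend with your own list.
const WATCHLIST = new Set(["crypto-layout-utils", "bs58-encrypt-utils"]);

// A version spec that bypasses the registry: git/GitHub URLs, the bare
// "owner/repo" GitHub shorthand, tarball URLs or local file paths.
function isNonRegistrySpec(spec) {
  return /^(git\+|github:|https?:\/\/|git:\/\/|file:|[\w.-]+\/[\w.-]+$)/i.test(spec);
}

function auditDependencies(pkg, lock) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (WATCHLIST.has(name)) findings.push({ name, reason: "on watchlist", detail: spec });
      if (isNonRegistrySpec(spec)) findings.push({ name, reason: "non-registry version spec", detail: spec });
    }
  }
  // Lockfile v2/v3 lists entries under "packages" keyed by path; v1 under "dependencies".
  const entries = lock.packages
    ? Object.entries(lock.packages).filter(([p, e]) => p !== "" && !e.link)
    : Object.entries(lock.dependencies || {});
  for (const [key, entry] of entries) {
    const name = key.replace(/^.*node_modules\//, "");
    const resolved = entry.resolved || "";
    let host = "";
    try { host = new URL(resolved).host; } catch { /* missing or not a URL */ }
    if (host !== REGISTRY_HOST) {
      findings.push({ name, reason: "lockfile resolved outside registry", detail: resolved || "(none)" });
    }
  }
  return findings;
}

// Constructed sample manifests: one registry dependency, one pulled from GitHub.
const samplePkg = {
  dependencies: { "example-lib": "^2.3.1", "crypto-layout-utils": "github:placeholder-account/crypto-layout-utils" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot" },
    "node_modules/example-lib": { resolved: "https://registry.npmjs.org/example-lib/-/example-lib-2.3.1.tgz" },
    "node_modules/crypto-layout-utils": { resolved: "git+ssh://git@github.com/placeholder-account/crypto-layout-utils.git#abc123" },
  },
};
for (const f of auditDependencies(samplePkg, sampleLock)) console.log(`${f.name}: ${f.reason} (${f.detail})`);
```

Run it against a real checkout by loading the two files with `JSON.parse(fs.readFileSync(...))` in place of the constructed objects; any finding is a prompt to inspect the package before installing, not proof of malice.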
Users: How to Protect Yourself
If you recently downloaded a Solana trading bot from GitHub, especially one named solana-pumpfun-bot, you should take immediate action:
✅ Move your funds to a new wallet.
✅ Revoke all wallet connections.
✅ Delete the malicious files from your device.
✅ Use antivirus or malware scanners for a deep check.
✅ Follow trusted security sources like SlowMist for alerts.
And always remember: don’t trust, verify—especially in open-source environments.
Final Thoughts
As crypto adoption grows, scams are evolving too. The recent GitHub malware campaign highlights a new threat vector: software supply chain attacks targeting casual users and developers alike.