
Solana Bot Scam on GitHub Steals Crypto via Malware

Fake Solana trading bot on GitHub hides malware to steal crypto wallets, exposing a broader supply chain attack targeting unsuspecting users.

by Oscar phile phile

A malicious GitHub repository posing as a Solana trading bot has been discovered spreading obfuscated malware to steal cryptocurrency wallet credentials. The fake project, which impersonated a legitimate open-source tool, was flagged by blockchain security firm SlowMist in a report published on Friday.

The repository, named solana-pumpfun-bot and hosted by the account “zldp2002,” was deceptively popular, featuring a significant number of stars and forks, metrics typically associated with trust and legitimacy on GitHub. However, after a user reported stolen funds on Thursday, SlowMist initiated an investigation that revealed deeply embedded malicious code.

Obscured Malware Hidden in Node.js Package

The scam project was built using Node.js and included a dependency on a third-party package called crypto-layout-utils. SlowMist noted that this package had already been removed from the official Node Package Manager (NPM) registry, raising questions about its source.

Further inspection revealed that the project fetched the suspicious package from a separate GitHub repository rather than from the NPM registry, bypassing the registry's removal. SlowMist researchers found that the malware was heavily obfuscated with jsjiami.com.v7, a tool that makes code analysis significantly more difficult.

Upon de-obfuscation, the package was found to scan local files for wallet-related content and private keys. If detected, the information was uploaded to a remote server controlled by the attacker, effectively giving them full access to users’ crypto assets.

Wider Network of Malicious Forks Uncovered

SlowMist’s investigation didn’t stop at the initial repository. Analysts discovered that the attacker was likely operating multiple GitHub accounts, each used to fork open-source projects into malicious variations. These accounts artificially inflated their projects’ credibility by boosting star and fork counts, further deceiving unsuspecting users.

A screenshot of the now-deleted GitHub repository. Source: SlowMist

Many of these forked repositories shared common malicious patterns. One such variant included another newly created NPM package named bs58-encrypt-utils-1.0.3, which was added on June 12. SlowMist believes this marks the beginning of the attacker’s broader campaign to distribute malware through GitHub and NPM modules.

Growing Threat of Supply Chain Attacks in Crypto

This incident is part of a rising trend of software supply chain attacks targeting crypto users. In recent weeks, attackers have employed similar tactics, such as distributing fake wallet extensions for Firefox and planting credential-stealing code in public repositories to compromise digital assets.

The attack underscores the increasing sophistication of crypto-related cyber threats and the need for developers and users alike to exercise extreme caution when downloading code or installing third-party packages. Even repositories with high engagement metrics can be deceptive.

Safety Recommendations for Developers and Users

To avoid falling victim to such schemes, experts recommend:

  • Verifying GitHub repository sources and contributors.

  • Avoiding recently uploaded or forked repositories with irregular activity.

  • Checking for missing or removed dependencies from official registries.

  • Using open-source tools only from well-established or verified publishers.

  • Running new code in isolated environments before connecting wallets or entering credentials.
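The third recommendation can be checked mechanically: the trojanised bot kept its dependency working after NPM removed crypto-layout-utils by pointing the spec at a GitHub download instead of a registry version. The following audit script is an added example, not code from SlowMist or from the article; the package.json it scans is constructed, and the attacker repository URLs in it are placeholders.

```javascript
// Added example: flag package.json dependencies that bypass the npm registry.
// A spec such as "github:user/repo" or an https tarball URL still installs after
// the registry has pulled the package, which is how the fake bot kept loading
// crypto-layout-utils after its removal from NPM.

const NON_REGISTRY_SPEC = [
  /^(git\+)?(https?|ssh|git|file):\/\//i, // git+https://, https://...tgz, file://
  /^(github|gitlab|bitbucket|gist):/i,    // hosted-git shorthand
  /^(file|link):/i,                       // local paths
  /^[\w.-]+\/[\w.-]+(#.*)?$/,             // bare "user/repo" GitHub shorthand
];

function findNonRegistryDeps(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (NON_REGISTRY_SPEC.some((re) => re.test(String(spec)))) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings; // empty array when every dependency is a registry version
}

function auditPackageJson(text) {
  return findNonRegistryDeps(JSON.parse(text));
}

// Constructed package.json modelled on the report; EXAMPLE-ATTACKER is a placeholder.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'solana-pumpfun-bot',
  dependencies: {
    '@solana/web3.js': '^1.95.0',
    'crypto-layout-utils': 'https://github.com/EXAMPLE-ATTACKER/crypto-layout-utils/archive/main.tar.gz',
    'bs58': '6.0.0',
  },
  devDependencies: {
    'bs58-encrypt-utils': 'github:EXAMPLE-ATTACKER/bs58-encrypt-utils',
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`[non-registry dependency] ${f.section}: ${f.name} -> ${f.spec}`);
  }
}
```

A hit is not proof of malice, but each one deserves the same review as the repository itself, since nothing in the registry vouches for it.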

The Solana bot scam serves as a stark reminder of the evolving risks in the crypto space. As attackers become more strategic, the responsibility lies with both users and developers to stay vigilant and security-conscious.
