Author: Thinking
Editor: Liz
Background Overview
On July 2, 2025, a victim contacted the SlowMist security team for help analyzing why their wallet assets had been stolen. The incident began the day before, when they used an open-source project hosted on GitHub, zldp2002/solana-pumpfun-bot; their crypto assets were stolen shortly afterwards.
Analysis Process
We began investigating immediately. First, we visited the project's GitHub repository and noticed a relatively high number of Stars and Forks. However, the commit timestamps across its directories were all clustered around three weeks earlier, with none of the continuous update history a genuinely maintained project would show, which was a clear anomaly.
This is a Node.js-based project. We first analyzed its dependencies and found that it referenced a third-party package named crypto-layout-utils.
Further investigation showed that this dependency had been removed from the official NPM registry, and that the version pinned in package.json did not appear in the registry's version history at all. We therefore judged the package suspicious and no longer obtainable from the official NPM source. So how did the victim end up with this malicious dependency?
Digging further into the project, we found the key clue in package-lock.json: the attacker had replaced the resolved download link for crypto-layout-utils, so npm fetched the tarball from the replacement URL rather than from the official registry.
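The lockfile check described above, as an added example that is not SlowMist's tooling and not code from the repositories discussed: it walks a package-lock.json (lockfileVersion 1, 2 or 3) and reports every dependency whose tarball is not resolved from an allowed registry host, lacks an integrity hash, or has a registry URL that does not match its declared name and version. The sample lockfile, the placeholder integrity strings and the example.invalid stand-in for the attacker's replaced link are constructed for the demo; the attacker's real URL is not reproduced.

```javascript
// Added example: audit a package-lock.json for dependencies whose tarball is
// not resolved from the official npm registry. Not SlowMist's code; the
// sample lockfile and the example.invalid URL below are constructed.

// Registries we trust. Add a private mirror here if you run one (assumption:
// everything else is a supply-chain red flag and is listed for review).
const ALLOWED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

// lockfileVersion 1 nests "dependencies"; walk them recursively.
function* walkV1(deps) {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield { name, version: entry.version, resolved: entry.resolved, integrity: entry.integrity, bundled: entry.bundled };
    if (entry.dependencies) yield* walkV1(entry.dependencies);
  }
}

// lockfileVersion 2/3 keep a flat "packages" map keyed by install path.
function* walkV2V3(packages) {
  const marker = 'node_modules/';
  for (const [installPath, entry] of Object.entries(packages)) {
    if (installPath === '') continue; // the root project itself
    const name = entry.name || installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    yield { name, version: entry.version, resolved: entry.resolved, integrity: entry.integrity, link: entry.link, bundled: entry.inBundle };
  }
}

function lockfileEntries(lock) {
  return lock.packages ? walkV2V3(lock.packages) : walkV1(lock.dependencies);
}

// Returns one finding per dependency that should not be installed blindly.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const dep of lockfileEntries(lock)) {
    if (dep.link || dep.bundled) continue; // workspace symlinks and bundled deps have no tarball of their own
    const flag = (issue) => findings.push({ name: dep.name, version: dep.version, issue });
    if (!dep.resolved) { flag('no resolved URL; the tarball source is not pinned'); continue; }
    let url;
    try { url = new URL(dep.resolved); } catch { flag(`unparseable resolved URL ${dep.resolved}`); continue; }
    if (url.protocol !== 'https:' || !ALLOWED_REGISTRY_HOSTS.has(url.hostname)) {
      flag(`tarball resolved from ${url.protocol}//${url.hostname}, not an allowed registry`);
      continue;
    }
    if (!dep.integrity) { flag('registry tarball without an integrity hash'); continue; }
    // Registry tarballs live at /<name>/-/<unscoped-name>-<version>.tgz; anything else is worth a look.
    const expectedPath = `/${dep.name}/-/${dep.name.split('/').pop()}-${dep.version}.tgz`;
    if (url.pathname !== expectedPath) flag(`registry URL path ${url.pathname} does not match ${dep.name}@${dep.version}`);
  }
  return findings;
}

// Constructed sample: one legitimate dependency and one whose resolved link
// points off-registry, mirroring the tampering described in the write-up.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-bot',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-bot', version: '1.0.0', dependencies: { bs58: '^5.0.0', 'crypto-layout-utils': '1.3.1' } },
    'node_modules/bs58': {
      version: '5.0.0',
      resolved: 'https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz',
      integrity: 'sha512-placeholder', // placeholder, not a real hash
    },
    'node_modules/crypto-layout-utils': {
      version: '1.3.1',
      resolved: 'https://example.invalid/crypto-layout-utils-1.3.1.tgz', // stand-in for the replaced link
      integrity: 'sha512-placeholder',
    },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.name}@${f.version}: ${f.issue}`);
```

npm install and npm ci fetch exactly the resolved URL recorded in the lockfile; npm's replace-registry-host setting only rewrites URLs that already point at registry.npmjs.org, so an off-registry host in a cloned repository's lockfile is fetched as-is. Run a check like this before installing a cloned project, confirm suspicious versions against the registry's history (npm view <package> versions), and when you must install anyway, use npm ci --ignore-scripts inside a throwaway environment.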
We downloaded this suspicious dependency, crypto-layout-utils-1.3.1, and found that it contained heavily obfuscated code produced with jsjiami.com.v7, which made analysis harder.
After deobfuscating it, we confirmed that this is a malicious NPM package. The code in crypto-layout-utils-1.3.1 scans the victim's computer for files and uploads any content or files related to wallets or private keys to a server controlled by the attacker (githubshadow.xyz).
Malicious NPM package scanning for sensitive files and directories:
Malicious NPM package uploading content or files containing private keys:
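A triage pass over an already-installed package, as an added example that is not SlowMist's tooling and not the malicious package's own code: it flags install-time lifecycle scripts, the jsjiami obfuscator marker and the _0x-style identifiers such obfuscators emit, the githubshadow.xyz exfiltration host named in this write-up, and the file-enumeration-plus-wallet-keyword combination described above. The identifier threshold, the wallet term list and the postinstall hook in the sample manifest are assumptions (the write-up does not say how the package's code was triggered); the sample source is constructed to resemble, not reproduce, the real package.

```javascript
// Added example: heuristic triage of an installed npm package for the traits
// reported in this incident. Not SlowMist's code; thresholds and the sample
// package below are assumptions/constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare']; // run code before anyone reads it
const OBFUSCATOR_MARKERS = [/jsjiami\.com\.v\d+/i];                            // marker reported in the write-up
const KNOWN_BAD_HOSTS = ['githubshadow.xyz'];                                   // exfiltration host from the write-up
const WALLET_TERMS = ['wallet', 'private key', 'privatekey', 'keypair', 'mnemonic', 'id.json']; // assumption: typical targets
const HEX_IDENTIFIER = /\b_0x[0-9a-f]{4,}\b/g;                                  // string-array obfuscator naming
const HEX_IDENTIFIER_THRESHOLD = 10;                                            // assumption

// pkgJson: parsed or raw package.json; sources: { filename: fileContents }.
// Returns an array of { kind, file, detail } findings for a human to review.
function triagePackage(pkgJson, sources) {
  const pkg = typeof pkgJson === 'string' ? JSON.parse(pkgJson) : pkgJson;
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: 'lifecycle-script', file: 'package.json', detail: `${hook}: ${pkg.scripts[hook]}` });
    }
  }
  for (const [file, code] of Object.entries(sources)) {
    const lower = code.toLowerCase();
    for (const re of OBFUSCATOR_MARKERS) {
      const m = code.match(re);
      if (m) findings.push({ kind: 'obfuscator-marker', file, detail: m[0] });
    }
    const hexIds = (code.match(HEX_IDENTIFIER) || []).length;
    if (hexIds >= HEX_IDENTIFIER_THRESHOLD) {
      findings.push({ kind: 'obfuscated-identifiers', file, detail: `${hexIds} _0x identifiers` });
    }
    for (const host of KNOWN_BAD_HOSTS) {
      if (lower.includes(host)) findings.push({ kind: 'known-bad-host', file, detail: host });
    }
    // The stealer pattern: enumerate files, pick out wallet material, send it out.
    // Obfuscation hides API names, but the string array usually still carries them.
    const terms = WALLET_TERMS.filter((t) => lower.includes(t));
    const walksFs = /\b(readdirsync|readdir|readfilesync|homedir)\b/.test(lower);
    const talksOut = /\b(https?\.request|fetch|axios|formdata)\b/.test(lower);
    if (terms.length && walksFs && talksOut) {
      findings.push({ kind: 'wallet-stealer-pattern', file, detail: `targets ${terms.join(', ')}` });
    } else if (terms.length && walksFs) {
      findings.push({ kind: 'wallet-file-scan', file, detail: `targets ${terms.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample package (not the real crypto-layout-utils): a postinstall
// hook and a jsjiami-style string-array stub that names fs/os calls, a wallet
// keyword and the exfiltration host.
const SAMPLE_PACKAGE_JSON = { name: 'sample-dep', version: '0.0.1', main: 'index.js', scripts: { postinstall: 'node index.js' } };
const SAMPLE_SOURCES = {
  'index.js': [
    "var encode_version = 'jsjiami.com.v7';",
    "var _0x5a2f=['homedir','readdirSync','readFileSync','githubshadow.xyz','wallet'];",
    'function _0x1d3e(_0x3af1,_0x2b4c){return _0x5a2f[_0x3af1-0x1f3];}',
    "var _0x4e11=require('os')[_0x1d3e(0x1f3)]();",
    "var _0x4e12=require('fs')[_0x1d3e(0x1f4)](_0x4e11);",
  ].join('\n'),
};

for (const f of triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)) console.log(`${f.kind} (${f.file}): ${f.detail}`);
```

Point it at each directory under node_modules after an install with --ignore-scripts; a hit on any of these heuristics is a reason to read the package before letting it run, not a verdict. The wallet-pattern checks are keyword-based and a stronger obfuscator can hide the names entirely, which is why the obfuscation signals are scored alongside them.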
We continued looking into the distribution method and suspect that the attacker controls a number of GitHub accounts that fork the malicious project and redistribute it, which at the same time inflates the project's Fork and Star counts to attract more users and widen the spread of the malicious program.
We also identified multiple forked projects exhibiting similar malicious behavior, some of which used another malicious package, bs58-encrypt-utils-1.0.3.
That package was created on June 12, 2025, which suggests the attacker had already begun distributing malicious NPM packages and Node.js projects by then. After NPM removed bs58-encrypt-utils, the attacker switched to distributing the payload by replacing the package download link in package-lock.json.
In addition, using the on-chain anti-money-laundering and tracking tool MistTrack, we found that one of the attacker's addresses transferred stolen funds to the trading platform FixedFloat.
Conclusion
In this incident the attacker posed as a legitimate open-source project (solana-pumpfun-bot) to lure users into downloading and running malicious code. With the project's popularity artificially inflated, users unknowingly ran a Node.js project carrying a malicious dependency, which leaked their wallet private keys and led to the theft of their assets.
The whole attack chain involved multiple GitHub accounts working in concert to widen distribution and lend credibility, making it highly deceptive. Because such attacks combine social engineering with technical means, they are hard to defend against completely, even inside organizations.
We advise developers and users to be highly vigilant about unfamiliar GitHub projects, especially ones that touch wallets or private keys. If you must run or debug such a project, do so in an isolated environment that holds no sensitive data (no wallet files, keys or seed phrases).
Information on Malicious Dependency Packages
GitHub repositories of malicious Node.js projects:
2723799947qq2022/solana-pumpfun-bot
2kwkkk/solana-pumpfun-bot
790659193qqch/solana-pumpfun-bot
7arlystar/solana-pumpfun-bot
918715c83/solana-pumpfun-bot
AmirhBeigi7zch6f/solana-pumpfun-bot
asmaamohamed0264/solana-pumpfun-bot
bog-us/solana-pumpfun-bot
edparker89/solana-pumpfun-bot
ii4272/solana-pumpfun-bot
ijtye/solana-pumpfun-bot
iwanjunaids/solana-pumpfun-bot
janmalece/solana-pumpfun-bot
kay2x4/solana-pumpfun-bot
lan666as2dfur/solana-pumpfun-bot
loveccat/solana-pumpfun-bot
lukgria/solana-pumpfun-bot
mdemetrial26rvk9w/solana-pumpfun-bot
oumengwas/solana-pumpfun-bot
pangxingwaxg/solana-pumpfun-bot
Rain-Rave5/solana-pumpfun-bot
wc64561673347375/solana-pumpfun-bot
wj6942/solana-pumpfun-bot
xnaotutu77765/solana-pumpfun-bot
yvagSirKt/solana-pumpfun-bot
VictorVelea/solana-copy-bot
Morning-Star213/Solana-pumpfun-bot
warp-zara/solana-trading-bot
harshith-eth/quant-bot
Malicious NPM packages:
crypto-layout-utils
bs58-encrypt-utils
Malicious NPM package download link
Server for uploading data from malicious NPM packages:
githubshadow.xyz
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice of any kind for anyone. Any dispute between a user and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.