Solana PumpFun Bot Turns Out to Be Malware in Disguise
04.07.2025 9:00 2 min. read Kosta Gushterov
A malicious open-source project on GitHub disguised as a Solana trading bot has compromised user wallets, according to a July 2, 2025, report by cybersecurity firm SlowMist.
The project, called “solana-pumpfun-bot”, was published under the GitHub user zldp2002 and quickly gained traction in the community. But instead of offering real functionality, the bot silently stole cryptocurrencies from users’ wallets and funneled the funds to a platform called FixedFloat.
Fake Package, Real Damage
SlowMist’s investigation revealed that the bot was built with Node.js and used a shady dependency named “crypto-layout-utils”, which isn’t listed in official NPM repositories. Once installed, this package silently scanned for private keys and wallet files on the user’s device and sent them to an attacker-controlled server, githubshadow.xyz.
The malware’s code was heavily obfuscated, making it difficult to detect. The attacker also forked the project multiple times using fake GitHub accounts, amplifying exposure. Some of these forks used an alternate malicious package, “bs58-encrypt-utils-1.0.3”.
Attack Active Since Mid-June
The attack appears to have been active since June 12, 2025, and was only discovered after a victim contacted SlowMist a day after installing the project. Post-exploit on-chain analysis using SlowMist’s MistTrack tool confirmed the stolen funds were routed to FixedFloat.
Expert Warning
SlowMist strongly cautioned against running GitHub-based open-source software that interacts with wallets or private keys unless done in a highly isolated environment. The firm recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.
The case underscores the growing risk of social engineering and dependency hijacking in open-source crypto development — and the importance of verifying every component before execution.
-
1
Celsius Founder Forfeits Bankruptcy Claims Following Prison Sentence
19.06.2025 18:00 1 min. read -
2
As Court Battles Intensify, Crypto Stands Behind Tornado Cash Devs
14.06.2025 17:00 2 min. read -
3
Paradigm Joins Legal Fight to Defend Tornado Cash Co-Founder
18.06.2025 21:00 1 min. read -
4
Pennsylvania Man Sentenced to 8 Years for $40M Crypto Ponzi Scheme
28.06.2025 11:30 1 min. read -
5
Crypto Theft Surges to $2.1B in 2025: State Actors Lead Historic Wave of Attacks
27.06.2025 16:30 2 min. read
Pennsylvania Man Sentenced to 8 Years for $40M Crypto Ponzi Scheme
The U.S. Department of Justice has sentenced Dwayne Golden, 57, of Pennsylvania to 97 months in prison for orchestrating a fraudulent crypto investment scheme that stole over $40 million from investors.
Crypto Theft Surges to $2.1B in 2025: State Actors Lead Historic Wave of Attacks
The first half of 2025 has become the most damaging six-month period in crypto history, with over $2.1 billion stolen across 75+ separate incidents, according to new data.
Crypto Users Targeted as Cointelegraph and CoinMarketCap Fall to Front-End Hacks
A new breed of cyber-attack is sweeping through crypto media, exploiting site pop-ups and wallet-connect prompts instead of smart-contract bugs.
CoinMarketCap Potentially Compromised in Ongoing Front-End Attack
CoinMarketCap, one of the most widely used crypto data tracking platforms, is reportedly facing a front-end security breach, with multiple users encountering a suspicious prompt to verify their wallets.
-
1
Celsius Founder Forfeits Bankruptcy Claims Following Prison Sentence
19.06.2025 18:00 1 min. read -
2
As Court Battles Intensify, Crypto Stands Behind Tornado Cash Devs
14.06.2025 17:00 2 min. read -
3
Paradigm Joins Legal Fight to Defend Tornado Cash Co-Founder
18.06.2025 21:00 1 min. read -
4
Pennsylvania Man Sentenced to 8 Years for $40M Crypto Ponzi Scheme
28.06.2025 11:30 1 min. read -
5
Crypto Theft Surges to $2.1B in 2025: State Actors Lead Historic Wave of Attacks
27.06.2025 16:30 2 min. read