Solana PumpFun Bot Turns Out to Be Malware in Disguise
04.07.2025 9:00 2 min. read Kosta Gushterov
A malicious open-source project on GitHub disguised as a Solana trading bot has compromised user wallets, according to a July 2, 2025, report by cybersecurity firm SlowMist.
The project, called “solana-pumpfun-bot”, was published under the GitHub user zldp2002 and quickly gained traction in the community. But instead of offering real functionality, the bot silently stole cryptocurrencies from users’ wallets and funneled the funds to a platform called FixedFloat.
Fake Package, Real Damage
SlowMist’s investigation revealed that the bot was built with Node.js and used a shady dependency named “crypto-layout-utils”, which isn’t listed in official NPM repositories. Once installed, this package silently scanned for private keys and wallet files on the user’s device and sent them to an attacker-controlled server, githubshadow.xyz.
The malware’s code was heavily obfuscated, making it difficult to detect. The attacker also forked the project multiple times using fake GitHub accounts, amplifying exposure. Some of these forks used an alternate malicious package, “bs58-encrypt-utils-1.0.3”.
Attack Active Since Mid-June
The attack appears to have been active since June 12, 2025, and was only discovered after a victim contacted SlowMist a day after installing the project. Post-exploit on-chain analysis using SlowMist’s MistTrack tool confirmed the stolen funds were routed to FixedFloat.
Expert Warning
SlowMist strongly cautioned against running GitHub-based open-source software that interacts with wallets or private keys unless done in a highly isolated environment. The firm recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.
The case underscores the growing risk of social engineering and dependency hijacking in open-source crypto development — and the importance of verifying every component before execution.
-
1
SEC Charges Georgia-based First Liberty and Owner in $140 Million Ponzi Scheme
12.07.2025 17:00 2 min. read -
2
Ex-NCA Officer Jailed for Stealing 50 BTC From Dark Web Criminal
17.07.2025 20:00 3 min. read -
3
Crypto Platform Suffers $12 Million Exploit Across Multiple Blockchain Networks
24.07.2025 20:23 2 min. read -
4
CoinDCX Suffers $44M Breach, Customer Funds Remain Secure
20.07.2025 10:00 1 min. read -
5
Justice Department Ends Kraken’s Co-founder Probe, Returns Seized Devices
23.07.2025 11:00 1 min. read
Crypto Platform Suffers $12 Million Exploit Across Multiple Blockchain Networks
WOO X, a popular cryptocurrency trading platform, has been hit by a serious security breach.
$3.1 Billion Lost: Hacken’s 2025 Report Reveals Web3 Security Crisis
The first half of 2025 has already become the most damaging period in Web3 security history, according to Hacken’s newly released Half-Year Security Report.
Justice Department Ends Kraken’s Co-founder Probe, Returns Seized Devices
The U.S. Department of Justice has officially ended its investigation into Kraken co-founder Jesse Powell, according to a Fortune report.
CoinDCX Suffers $44M Breach, Customer Funds Remain Secure
Indian crypto exchange CoinDCX has confirmed a $44 million security breach involving one of its internal liquidity accounts.
-
1
SEC Charges Georgia-based First Liberty and Owner in $140 Million Ponzi Scheme
12.07.2025 17:00 2 min. read -
2
Ex-NCA Officer Jailed for Stealing 50 BTC From Dark Web Criminal
17.07.2025 20:00 3 min. read -
3
Crypto Platform Suffers $12 Million Exploit Across Multiple Blockchain Networks
24.07.2025 20:23 2 min. read -
4
CoinDCX Suffers $44M Breach, Customer Funds Remain Secure
20.07.2025 10:00 1 min. read -
5
Justice Department Ends Kraken’s Co-founder Probe, Returns Seized Devices
23.07.2025 11:00 1 min. read