A malicious open-source project on GitHub disguised as a Solana trading bot has compromised user wallets, according to a July 2, 2025, report by cybersecurity firm SlowMist.
The project, called “solana-pumpfun-bot”, was published under the GitHub user zldp2002 and quickly gained traction in the community. But instead of offering real functionality, the bot silently stole cryptocurrencies from users’ wallets and funneled the funds to a platform called FixedFloat.
SlowMist’s investigation revealed that the bot was built with Node.js and used a shady dependency named “crypto-layout-utils”, which isn’t listed in official NPM repositories. Once installed, this package silently scanned for private keys and wallet files on the user’s device and sent them to an attacker-controlled server, githubshadow.xyz.
The malware’s code was heavily obfuscated, making it difficult to detect. The attacker also forked the project multiple times using fake GitHub accounts, amplifying exposure. Some of these forks used an alternate malicious package, “bs58-encrypt-utils-1.0.3”.
The attack appears to have been active since June 12, 2025, and was only discovered after a victim contacted SlowMist a day after installing the project. Post-exploit on-chain analysis using SlowMist’s MistTrack tool confirmed the stolen funds were routed to FixedFloat.
SlowMist strongly cautioned against running GitHub-based open-source software that interacts with wallets or private keys unless done in a highly isolated environment. The firm recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.
The case underscores the growing risk of social engineering and dependency hijacking in open-source crypto development — and the importance of verifying every component before execution.
WOO X, a popular cryptocurrency trading platform, has been hit by a serious security breach.
The first half of 2025 has already become the most damaging period in Web3 security history, according to Hacken’s newly released Half-Year Security Report.
The U.S. Department of Justice has officially ended its investigation into Kraken co-founder Jesse Powell, according to a Fortune report.
Indian crypto exchange CoinDCX has confirmed a $44 million security breach involving one of its internal liquidity accounts.