Solana PumpFun Bot Turns Out to Be Malware in Disguise

A malicious open-source project on GitHub disguised as a Solana trading bot has compromised user wallets, according to a July 2, 2025, report by cybersecurity firm SlowMist.

The project, called “solana-pumpfun-bot”, was published under the GitHub user zldp2002 and quickly gained traction in the community. But instead of offering real functionality, the bot silently stole cryptocurrencies from users’ wallets and funneled the funds to a platform called FixedFloat.

Fake Package, Real Damage

SlowMist’s investigation revealed that the bot was built with Node.js and used a shady dependency named “crypto-layout-utils”, which isn’t listed in official NPM repositories. Once installed, this package silently scanned for private keys and wallet files on the user’s device and sent them to an attacker-controlled server, githubshadow.xyz.

The malware’s code was heavily obfuscated, making it difficult to detect. The attacker also forked the project multiple times using fake GitHub accounts, amplifying exposure. Some of these forks used an alternate malicious package, “bs58-encrypt-utils-1.0.3”.

Attack Active Since Mid-June

The attack appears to have been active since June 12, 2025, and was only discovered after a victim contacted SlowMist a day after installing the project. Post-exploit on-chain analysis using SlowMist’s MistTrack tool confirmed the stolen funds were routed to FixedFloat.

Read More:

Expert Warning

SlowMist strongly cautioned against running GitHub-based open-source software that interacts with wallets or private keys unless done in a highly isolated environment. The firm recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.

The case underscores the growing risk of social engineering and dependency hijacking in open-source crypto development — and the importance of verifying every component before execution.