Author: Thinking
Editor: Liz
Background Overview
On July 2, 2025, a victim contacted the SlowMist security team for help analyzing how their wallet assets had been stolen. The incident began when they used an open-source project hosted on GitHub, zldp2002/solana-pumpfun-bot, after which their crypto assets were stolen.
Analysis Process
We immediately began investigating. We first visited the project's GitHub repository, https://github.com/zldp2002/solana-pumpfun-bot. Its Star and Fork counts are relatively high, but the commit dates across every directory cluster around three weeks earlier, a clear anomaly: a genuine project would show a continuous history of updates.
This is a Node.js-based project. We then analyzed its dependencies and found that it references a third-party package called crypto-layout-utils.
Further verification showed that this package has been removed from the official NPM registry, and that the version pinned in package.json does not appear in the package's official NPM version history. We therefore provisionally judged it a suspicious component. Since it can no longer be downloaded from the official NPM source, how did the victim obtain it?
Digging further into the project, we found the key clue in package-lock.json: the attacker had replaced the resolved download URL for crypto-layout-utils with https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz, so npm fetched the tarball from a GitHub release instead of the registry.
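As an added example (not code from the SlowMist write-up or the malicious project), the following Node.js script audits a package-lock.json the way this step did, flagging any dependency whose resolved download URL is not the official registry, is missing, or lacks an integrity hash. The sample lockfile is constructed; only the crypto-layout-utils URL is taken from the incident.

```javascript
// Added example (not code from the SlowMist write-up or the malicious project):
// audit a package-lock.json for dependencies whose "resolved" URL does not point
// at the official npm registry, which is how crypto-layout-utils was swapped for
// a GitHub release tarball. Handles lockfileVersion 2/3 ("packages") and v1 ("dependencies").
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"];

function collectEntries(lock) {
  const out = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/foo" or "node_modules/a/node_modules/foo"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      out.push({ name: path.replace(/^.*node_modules\//, ""), ...meta });
    }
    return out;
  }
  const walk = (deps) => { // v1: nested tree under "dependencies"
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, ...meta });
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

function auditLock(lock) {
  const findings = [];
  for (const dep of collectEntries(lock)) {
    if (dep.link || dep.inBundle || dep.bundled) continue; // not downloaded separately
    const resolved = dep.resolved || "";
    const base = { name: dep.name, version: dep.version, resolved };
    if (!resolved) findings.push({ ...base, reason: "missing-resolved" });
    else if (!TRUSTED_REGISTRIES.some((r) => resolved.startsWith(r)))
      findings.push({ ...base, reason: "non-registry-resolved" });
    else if (!dep.integrity) findings.push({ ...base, reason: "missing-integrity" });
  }
  return findings;
}

// Constructed sample lockfile; only the crypto-layout-utils URL is the real one from the incident.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "solana-pumpfun-bot", version: "1.0.0" },
    "node_modules/bs58": { version: "5.0.0", resolved: "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz", integrity: "sha512-constructed" },
    "node_modules/crypto-layout-utils": { version: "1.3.1", resolved: "https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz" },
  },
};
for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.name}@${f.version} <- ${f.resolved}`);
```

To run it against a real lockfile, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a flagged version can then be compared with the registry's history via npm view <pkg> versions.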
We downloaded the suspicious package, crypto-layout-utils-1.3.1, and found its code heavily obfuscated with jsjiami.com.v7, which made analysis considerably harder.
After deobfuscation, we confirmed it to be a malicious NPM package: crypto-layout-utils-1.3.1 contains logic that scans the files on the victim's computer and, whenever it finds wallet- or private-key-related content or files, uploads them to the attacker-controlled server githubshadow.xyz.
(Figure: the malicious NPM package scanning sensitive files and directories)
(Figure: the malicious NPM package uploading content or files containing private keys)
Continuing to examine the attacker's methods, we suspect that the project author (https://github.com/zldp2002/) controls a batch of GitHub accounts used to fork the malicious project and distribute the malicious programs, while also inflating the project's Fork and Star counts to attract more users and so widen the distribution.
We also identified several forked projects exhibiting similar malicious behavior, some of which used another malicious package, bs58-encrypt-utils-1.0.3.
This malicious package was created on June 12, 2025, suggesting that the attacker had already begun distributing malicious NPM packages and malicious Node.js projects by then. After NPM removed bs58-encrypt-utils, the attacker switched to distribution by replacing the package download link in package-lock.json.
Moreover, our analysis using the on-chain anti-money laundering and tracking tool MistTrack revealed that one of the attacker's addresses transferred stolen coins to the trading platform FixedFloat.
Summary
In this incident, the attacker posed as a legitimate open-source project (solana-pumpfun-bot) to lure users into downloading and running malicious code. Drawn in by the project's artificially boosted popularity, users unwittingly ran a Node.js project containing malicious dependencies, leading to leaked wallet private keys and asset theft.
The attack chain involves multiple GitHub accounts working in coordination to widen distribution and lend credibility, making it highly deceptive. Because it combines social engineering with technical means, this type of attack is difficult to defend against completely.
We advise developers and users to be highly vigilant about unfamiliar GitHub projects, especially where wallet or private key operations are involved. If debugging is necessary, run and debug in an isolated machine environment that holds no sensitive data.
Information related to malicious dependency packages
Malicious Node.js project GitHub repositories:
Malicious NPM package:
crypto-layout-utils
bs58-encrypt-utils
Malicious NPM package download link:
https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz
Server receiving the data uploaded by the malicious NPM package:
githubshadow.xyz