Key Takeaways:
- Always verify GitHub repositories, even if they seem popular or highly starred.
- Avoid installing unverified or deprecated NPM packages, particularly from third-party mirrors.
- Stay updated on security reports from firms like SlowMist, which play a vital role in uncovering threats in the blockchain ecosystem.
A fake GitHub repository disguised as a Solana trading bot has been revealed to contain malware targeting crypto users. According to a report released Friday by blockchain security firm SlowMist, the fraudulent repository was used to harvest wallet credentials and private keys through deceptive open-source code.
GitHub Repository Masquerades as Legitimate Tool
The malicious repository, solana-pumpfun-bot, was hosted by a user account identified as “zldp2002.” Though recently deleted, the project had garnered an unusually high number of stars and forks—metrics often used by developers to judge credibility. SlowMist said the project mimicked a real Solana trading bot to mislead users.
All code commits were uploaded roughly three weeks prior to the breach, with the commit history showing inconsistencies that typically wouldn’t appear in a legitimate open-source initiative. The project was built using Node.js and depended on a suspicious third-party package, crypto-layout-utils, which had already been removed from the official NPM registry.
Obfuscated Malware Package Targets Wallet Credentials
Further analysis showed the malware was highly obfuscated using jsjiami.com.v7, a JavaScript obfuscator that complicates code review and detection. Once de-obfuscated, SlowMist found that the package scanned users’ local files. If it detected private keys or wallet-related data, it uploaded the information to a remote server controlled by the attacker.
The package had not been available on the official NPM registry, raising red flags. Instead, the attacker hosted the package on a separate GitHub repository, bypassing standard vetting and distribution channels.
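As an added example, not code from the article or from SlowMist, the following Node.js check flags the warning sign described above: a dependency that is not resolved from the official npm registry but pulled from a GitHub repository or other URL. The package.json and package-lock.json contents are constructed samples, and the GitHub account name in them is a placeholder.

```javascript
// Added example: flag dependencies that bypass the official npm registry.
const REGISTRY_HOST = 'registry.npmjs.org';

// Classify one dependency specifier as written in package.json.
function classifySpecifier(spec) {
  if (spec.startsWith('npm:')) return 'alias';            // npm:real-name@range
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return 'git';
  if (/^https?:\/\//.test(spec)) return 'url';             // remote tarball
  if (/^(file:|link:)/.test(spec) || /^[./]/.test(spec)) return 'local';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'git'; // "owner/repo[#ref]" shorthand
  return 'registry';                                       // semver range, tag or "*"
}

// Walk package.json and a v2/v3 lockfile; return every non-registry source.
function findNonRegistryDeps(pkg, lock) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== 'registry' && kind !== 'alias') {
        findings.push({ name, spec, kind, source: 'package.json' });
      }
    }
  }
  // The lockfile records where each installed package was actually fetched from,
  // so it catches transitive dependencies that package.json never mentions.
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (!path || !entry.resolved) continue; // root entry has no "resolved"
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* unparsable: stays null */ }
    if (host !== REGISTRY_HOST) {
      const name = path.replace(/^.*node_modules\//, '');
      findings.push({ name, spec: entry.resolved, kind: 'lock', source: 'package-lock.json' });
    }
  }
  return findings;
}

// Constructed sample input mirroring the pattern in the report; "EXAMPLE-ACCOUNT"
// is a placeholder, not the account named in the article.
const samplePkg = { dependencies: {
  '@solana/web3.js': '^1.95.0',
  'crypto-layout-utils': 'github:EXAMPLE-ACCOUNT/crypto-layout-utils',
  'bs58': '^6.0.0' } };
const sampleLock = { packages: {
  '': { name: 'sample-bot' },
  'node_modules/@solana/web3.js': { resolved: 'https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz' },
  'node_modules/crypto-layout-utils': { resolved: 'git+ssh://git@github.com/EXAMPLE-ACCOUNT/crypto-layout-utils.git#deadbeef' } } };

for (const f of findNonRegistryDeps(samplePkg, sampleLock)) {
  console.log(`[${f.source}] ${f.name} -> ${f.spec} (${f.kind})`);
}
```

Run it against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))` of its package.json and package-lock.json; any finding deserves a manual look before `npm install`.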
A Broader Software Supply Chain Attack
SlowMist’s investigation revealed that this incident wasn’t isolated. The attacker is believed to control multiple GitHub accounts, using them to fork existing repositories and inject malicious code. This helped falsely inflate the credibility of the projects through stars and forks.
Several of these cloned repositories included another malicious package, bs58-encrypt-utils-1.0.3, created on June 12. SlowMist believes this marks the beginning of the broader campaign to distribute fake Node.js crypto tools and modules.
This GitHub malware incident serves as a stark reminder of the vulnerabilities within the software supply chain—especially in the crypto industry where open-source tools are widely trusted.
Disclaimer: The information in this article is for general purposes only and does not constitute financial advice. The author’s views are personal and may not reflect the views of Chain Affairs. Before making any investment decisions, you should always conduct your own research. Chain Affairs is not responsible for any financial losses.
I’m your translator between the financial Old World and the new frontier of crypto. After a career demystifying economics and markets, I enjoy elucidating crypto – from investment risks to earth-shaking potential. Let’s explore!
