SlowMist discovers malicious code in GitHub’s ‘Solana-pumpfun-bot’

SlowMist has brought to light that the widely used open-source project “Solana-pumpfun-bot” on the GitHub platform has code that steals crypto from its users’ wallets.

The investigation began on July 2, 2025. A victim contacted the SlowMist security team to seek assistance in analyzing the reasons for the theft of his wallet assets.

The incident was caused by his use of an open-source project hosted on GitHub the day before, where the encrypted assets were stolen. SlowMist states that stolen funds are being transferred to the FixedFloat exchange.

The project author is the main suspect

To pull the attack off, the hacker pretended to be an official open-source project (solana-pumpfun-bot) to get people to download and run malicious code. A suspicious dependent package named “crypto-layout-utils” was found to have been removed from the official NPM source throughout the inquiry.

The hacker subsequently uploaded a malicious version of the software in place of the original download URL. It sent sensitive data to an attacker-controlled server after searching the victim’s PC for wallet-related files.

The investigation also found that the project author is suspected of controlling multiple GitHub accounts. They were used to fork malicious projects, distribute malicious programs, and artificially inflate the project’s popularity. Multiple fork projects with similar malicious behavior were identified, some of which used another malicious package, “bs58-encrypt-utils”.

The entire attack chain involves several GitHub accounts working together. This expanded the scope of dissemination, enhanced credibility, and is extremely deceptive. At the same time, this attack used both social engineering and technical means, and it is difficult to defend against it fully within an organization.

The malicious activity is believed to have started on June 12, 2025. This is when the attacker created the malicious package “bs58-encrypt-utils”.

Crypto hacking hasn’t advanced much; they’ve become more cunning

According to Slowmist, crypto hacking techniques haven’t advanced much, but they’ve become far more cunning. SlowMist’s head of operations, Lisa, said in the firm’s Q2 MistTrack Stolen Fund Analysis report that although it didn’t see an advancement in hacking techniques, the scams have become more sophisticated.

There is a rise in fake browser extensions, tampered hardware wallets, and social engineering attacks. “We’re seeing a clear shift from purely on-chain attacks to off-chain entry points — browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces,” said Lisa.

Causes of theft in Q2 of 2025 | Source: SlowMist

For instance, attackers guide users to visit well-known, commonly used websites like Notion or Zoom. When the user attempts to download software from these official sites, the files delivered have already been maliciously replaced.

Another way is when hackers send users a compromised cold wallet. They tell their victims they have won a free device under a “lottery draw” or tell them their existing device was compromised and they needed to transfer their assets. Even better, hackers have introduced fake websites.

The final hit is usually manipulation. “Attackers know phrases like ‘risky signature detected’ can trigger panic, prompting users to take hasty actions. Once that emotional state is triggered, it’s much easier to manipulate them into doing things they normally wouldn’t — like clicking links or sharing sensitive information,” Lisa said.

Other attacks used hacking methods that took advantage of EIP-7702, which was added in the most recent version of Ethereum Pectra. Another attack took over the accounts of several WeChat users and targeted them. According to SlowMist, Ethereum led all ecosystems in security losses in the first half of 2025, with DeFi platforms losing around $470 million.

Source