SlowMist discovers malicious code in GitHub’s 'Solana-pumpfun-bot'

Source Cryptopolitan

SlowMist has brought to light that the widely used open-source project “Solana-pumpfun-bot” on the GitHub platform has code that steals crypto from its users’ wallets. 

The investigation began on July 2, 2025. A victim contacted the SlowMist security team to seek assistance in analyzing the reasons for the theft of his wallet assets. 

The incident was caused by his use of an open-source project hosted on GitHub the day before, where the encrypted assets were stolen. SlowMist states that stolen funds are being transferred to the FixedFloat exchange.

The project author is the main suspect

To pull the attack off, the hacker pretended to be an official open-source project (solana-pumpfun-bot) to get people to download and run malicious code. A suspicious dependent package named “crypto-layout-utils” was found to have been removed from the official NPM source throughout the inquiry.

The hacker subsequently uploaded a malicious version of the software in place of the original download URL. It sent sensitive data to an attacker-controlled server after searching the victim’s PC for wallet-related files.

The investigation also found that the project author is suspected of controlling multiple GitHub accounts. They were used to fork malicious projects, distribute malicious programs, and artificially inflate the project’s popularity. Multiple fork projects with similar malicious behavior were identified, some of which used another malicious package, “bs58-encrypt-utils”.

The entire attack chain involves several GitHub accounts working together. This expanded the scope of dissemination, enhanced credibility, and is extremely deceptive. At the same time, this attack used both social engineering and technical means, and it is difficult to defend against it fully within an organization.

The malicious activity is believed to have started on June 12, 2025. This is when the attacker created the malicious package “bs58-encrypt-utils”. 

Crypto hacking hasn’t advanced much; they’ve become more cunning

According to Slowmist, crypto hacking techniques haven’t advanced much, but they’ve become far more cunning. SlowMist’s head of operations, Lisa, said in the firm’s Q2 MistTrack Stolen Fund Analysis report that although it didn’t see an advancement in hacking techniques, the scams have become more sophisticated. 

There is a rise in fake browser extensions, tampered hardware wallets, and social engineering attacks. “We’re seeing a clear shift from purely on-chain attacks to off-chain entry points — browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces,” said Lisa. 

Causes of theft in Q2 of 2025  | Source: SlowMist

For instance, attackers guide users to visit well-known, commonly used websites like Notion or Zoom. When the user attempts to download software from these official sites, the files delivered have already been maliciously replaced. 

Another way is when hackers send users a compromised cold wallet. They tell their victims they have won a free device under a “lottery draw” or tell them their existing device was compromised and they needed to transfer their assets. Even better, hackers have introduced fake websites. 

The final hit is usually manipulation. “Attackers know phrases like ‘risky signature detected’ can trigger panic, prompting users to take hasty actions. Once that emotional state is triggered, it’s much easier to manipulate them into doing things they normally wouldn’t — like clicking links or sharing sensitive information,” Lisa said.

Other attacks used hacking methods that took advantage of EIP-7702, which was added in the most recent version of Ethereum Pectra. Another attack took over the accounts of several WeChat users and targeted them. According to SlowMist, Ethereum led all ecosystems in security losses in the first half of 2025, with DeFi platforms losing around $470 million.

Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Natural Gas sinks to pivotal level as China’s demand slumpsNatural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It
Author  FXStreet
Jul 01, 2024
Natural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It
placeholder
Pinduoduo Earnings Incoming: Morgan Stanley Sees Long-Term Profit Potential​Insights – On November 21, Chinese e-commerce giant Pinduoduo (PDD) will release its Q3 2024 earnings.
Author  Mitrade
Nov 20, 2024
​Insights – On November 21, Chinese e-commerce giant Pinduoduo (PDD) will release its Q3 2024 earnings.
placeholder
Markets in 2026: Will gold, Bitcoin, and the U.S. dollar make history again? — These are how leading institutions thinkAfter a turbulent 2025, what lies ahead for commodities, forex, and cryptocurrency markets in 2026?
Author  Insights
Dec 25, 2025
After a turbulent 2025, what lies ahead for commodities, forex, and cryptocurrency markets in 2026?
placeholder
Gold Price Trend Forecast: June CPI Plus Fed Chair Congressional Testimony, Can Gold Price Hold Above $4,000?As of the Asian session on July 14, gold ( XAUUSD) prices consolidated around the $4,000 mark, briefly slipping below $4,000 intraday to hit a low of $3,983.23. Looking at the market acti
Author  TradingKey
Jul 14, Tue
As of the Asian session on July 14, gold ( XAUUSD) prices consolidated around the $4,000 mark, briefly slipping below $4,000 intraday to hit a low of $3,983.23. Looking at the market acti
placeholder
WTI rises as Trump's threats strikes on IranWest Texas Intermediate (WTI) oil price extends its gains for the third successive day, trading around $79.20 per barrel during the Asian hours on Wednesday. Crude oil prices have climbed following threats from US President Donald Trump regarding additional military strikes on Iran.
Author  FXStreet
Jul 15, Wed
West Texas Intermediate (WTI) oil price extends its gains for the third successive day, trading around $79.20 per barrel during the Asian hours on Wednesday. Crude oil prices have climbed following threats from US President Donald Trump regarding additional military strikes on Iran.
goTop
quote