
Beware! Solana Trading Bot on GitHub Scams Users of Their Crypto

3h ago

Trading bots are increasingly responsible for the loss of user funds. Recently, a Solana trading bot hosted on GitHub, the world’s largest code-hosting platform, scammed users out of their crypto.

According to a recent report by blockchain security firm SlowMist, the incident stemmed from a user running zldp2002/solana-pumpfun-bot, an open-source project hosted on GitHub. Within hours of use, the bot had wiped out the users’ crypto funds.

SlowMist Investigates Deceptive GitHub Scheme

Following the incident, on July 2 the victim contacted SlowMist, hoping its team could work out how their wallet had been drained of assets. Incidents of this kind are not entirely new to the crypto space.

SlowMist promptly launched an investigation. The blockchain security firm found that, despite the project’s high engagement in stars and forks, the entire codebase had been committed within a single timeframe. The project also showed suspicious gaps in development and lacked the steady flow of updates typically found in legitimate codebases.

Notably, the attackers operated several GitHub profiles in concert. This widened their reach and lent the project an appearance of trustworthiness, making the setup especially hard to spot. According to the report, the attack combined social engineering with technical exploitation, which makes it difficult to mitigate even for organizations with tight security frameworks.

SlowMist also discovered that the project depended on a third-party module named crypto-layout-utils. Further investigation showed that the attacker had removed the module from the official NPM registry.

“Our initial judgment was that this was a suspicious component, and it could no longer be downloaded via the official NPM registry. This raised the question: how did the victim obtain this malicious dependency?” the security firm wrote.

Attacker Exploited Local Files to Extract Private Keys

Continuing the investigation, the firm located a critical clue in the project’s package file: the attacker had replaced the dependency’s NPM source link with an alternative download location. After de-obfuscating the package, SlowMist confirmed that it was malicious. Version 1.3.1 of crypto-layout-utils contained code that searched local files for wallet data and private keys; whatever it found was transmitted to an attacker-controlled server.
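A defender-side check suggested by that clue, as an added example that is not part of the original report or the repository it describes: a Node.js script that flags dependencies in a package.json whose spec bypasses the NPM registry (tarball URLs, git references, local paths, npm: aliases). The manifest it scans is constructed, and the tarball URL is a placeholder.

```javascript
// Added example, not code from SlowMist or from the repository discussed.
// Audits a package.json for dependencies that do not resolve through the
// NPM registry: tarball URLs, git refs, local paths, and npm: aliases.
// The manifest below is constructed; the tarball URL is a placeholder.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-pumpfun-bot",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "crypto-layout-utils": "https://example.invalid/crypto-layout-utils-1.3.1.tgz",
    "some-fork": "github:someuser/some-fork#main",
  },
  devDependencies: { typescript: "~5.4.0", "local-helper": "file:../helper" },
});

// Returns a reason string for a non-registry spec, or null for an ordinary
// semver range / dist-tag that the configured registry will serve.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^npm:/i.test(s)) return "npm: alias; the installed package differs from the declared name";
  if (/^(https?|ftp):\/\//i.test(s)) return "remote tarball URL; content never passed through the registry";
  if (/^(git\+[a-z]+:|git:|ssh:|github:|gitlab:|bitbucket:|gist:)/i.test(s))
    return "git dependency; commit contents are not what the registry published";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "user/repo GitHub shorthand; same risk as a git dependency";
  if (/^(file|link):/i.test(s) || /^(\.\.?\/|\/|~\/)/.test(s) || /\.(tgz|tar\.gz)$/i.test(s))
    return "local path or tarball; inspect the referenced files";
  return null;
}

// Walks every dependency field and reports specs that bypass the registry.
function findNonRegistryDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Run this before `npm install` on any cloned project; review each finding by hand.
for (const f of findNonRegistryDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.field}] ${f.name} -> ${f.spec}\n    ${f.reason}`);
}
```

A lockfile that pins a `resolved` URL outside the registry deserves the same scrutiny, since npm honours it over the manifest.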

While the package was created on June 12 this year, SlowMist believes the attacker has been distributing malicious NPM modules and Node.js projects. MistTrack analysis showed that one of the attacker’s addresses sent stolen crypto to FixedFloat.

The post Beware! Solana Trading Bot on GitHub Scams Users of Their Crypto appeared first on Cointab.
