A newly uncovered scam involving a fake Solana trading bot on GitHub has resulted in stolen cryptocurrency funds, according to a report by blockchain security firm SlowMist. The fraudulent repository, named solana-pumpfun-bot and hosted by the GitHub account “zldp2002,” disguised itself as a legitimate open-source Solana trading tool while secretly delivering malware.
The scam came to light after a user reported their crypto funds had vanished shortly after interacting with the code. This triggered SlowMist’s investigation, which revealed that the repository had a “relatively high number of stars and forks.”
Obscured Malware Hidden in Node.js Package
The malicious bot was built using Node.js and declared a suspicious third-party dependency called crypto-layout-utils. Investigators discovered that this package had already been removed from the official NPM (Node Package Manager) registry, an immediate red flag. Rather than being fetched through the registry, the package was downloaded from a separate GitHub repository under the attacker's control.
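As an added illustration (not code from SlowMist's report or from the repository it describes), the check below reads a package.json and flags every dependency whose specifier points somewhere other than the NPM registry, which is how a package that has already been removed from NPM can still be installed. The sample manifest and the PLACEHOLDER-ACCOUNT name are constructed for the example.

```javascript
// Added example (not code from the report or the repository it describes).
// Flag dependencies in a package.json whose specifier bypasses the NPM registry.
// "github:", "git+", user/repo, tarball-URL and "file:" specifiers make `npm install`
// fetch code from wherever the specifier points: no registry publishing record, and
// a package already removed from NPM can still be pulled in this way.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one specifier. Returns null for an ordinary registry range such as
// "^1.2.3", "~2.0.0", "1.0.0", "*" or "latest", otherwise a short reason.
function classifySpecifier(spec) {
  if (/^(git\+|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return 'git source';
  if (/^(git|ssh):\/\//.test(spec)) return 'git source';
  if (/^https?:\/\//.test(spec)) return 'remote tarball';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'github shorthand'; // user/repo[#ref]
  if (/^file:/.test(spec) || /^\.{0,2}\//.test(spec)) return 'local path';
  if (/^npm:/.test(spec)) return 'npm alias'; // installed name differs from the real package
  return null;
}

// Parse package.json text and return every dependency that is not a registry range.
function findNonRegistryDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpecifier(String(spec));
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(packageJsonText) {
  return findNonRegistryDeps(packageJsonText).map(
    (f) => `${f.field}: ${f.name} -> ${f.spec} (${f.reason})`,
  );
}

// Constructed sample manifest mirroring the pattern in the report. The account
// name is a placeholder; the attacker's real repository is not reproduced here.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-trading-bot',
  dependencies: {
    '@solana/web3.js': '^1.95.0',
    bs58: '^6.0.0',
    'crypto-layout-utils': 'github:PLACEHOLDER-ACCOUNT/crypto-layout-utils',
    'bs58-encrypt-utils': 'https://example.invalid/bs58-encrypt-utils-1.0.3.tgz',
  },
  devDependencies: { typescript: '~5.4.0' },
});

console.log(report(SAMPLE_PACKAGE_JSON).join('\n'));
```

Run against a cloned repository's package.json before `npm install`; anything reported here deserves a look at the referenced repository or tarball, since `npm install` will fetch and execute its install scripts just as it would for a registry package.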
SlowMist analysts noted that the package was heavily obfuscated using jsjiami.com.v7, a tool designed to make JavaScript code harder to read and analyse. Once the code was deobfuscated, the researchers found that the malware scanned local files for sensitive wallet data and private keys. Any discovered credentials were uploaded to a remote server, resulting in the theft of crypto assets.
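To show how a reviewer can triage a dependency like the one described, here is an added example (not from the report): it scores a JavaScript source for common obfuscator fingerprints, decodes the \xNN string escapes such tools emit, and then reports which sensitive capabilities (home-directory access, file reads, outbound requests) become visible in the decoded text. The two samples are constructed. It assumes the obfuscator leaves its version string (here 'jsjiami.com.v7') in the output, which is how such tooling is usually identified; the report itself does not state this.

```javascript
// Added example (not from the report): static triage of a JavaScript file that
// may have been obfuscated. Heuristics only: a hit means "read this before you run
// it", not "this is malware".

// Version strings that common obfuscators leave in their output. That the
// 'jsjiami.com.v7' watermark survives is an assumption based on how such tools
// usually behave, not a claim taken from the report.
const OBFUSCATION_TOOL_MARKERS = ['jsjiami.com', 'javascript-obfuscator'];

// Turn "\x68\x69" back into "hi". Obfuscators hide API names in string tables
// this way, so capability checks must run on the decoded text.
function decodeHexEscapes(source) {
  return source.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function obfuscationIndicators(source) {
  const longestLine = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  const toolMarker = OBFUSCATION_TOOL_MARKERS.filter((m) => source.includes(m));
  const hexIdentifiers = (source.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length;
  const hexEscapes = (source.match(/\\x[0-9a-f]{2}/gi) || []).length;
  const dynamicEval = /\b(eval|Function)\s*\(/.test(source);

  let score = 0;
  if (toolMarker.length > 0) score += 3;
  if (hexIdentifiers >= 10) score += 2;
  if (hexEscapes >= 10) score += 2;
  if (dynamicEval) score += 1;
  if (longestLine > 1000) score += 1;

  // What the code can do once the string table is decoded. The combination of
  // home-directory access, file reads and outbound requests is the behaviour the
  // report describes, and is what a reviewer should question in a "trading bot".
  const decoded = decodeHexEscapes(source);
  const capabilities = {
    touchesHomeDir: /\bhomedir\b/.test(decoded),
    readsFiles: /\b(readFileSync|readdirSync|readFile|readdir)\b/.test(decoded),
    sendsNetwork: /\b(fetch|https?\.request|axios)\b/.test(decoded),
  };

  return { toolMarker, hexIdentifiers, hexEscapes, dynamicEval, longestLine, score,
           suspicious: score >= 3, capabilities };
}

// Constructed sample resembling obfuscator output (not the real package's code):
// a rotated string table holding 'homedir' and 'readFileSync' as hex escapes,
// plus the obfuscator's version watermark.
const OBFUSCATED_SAMPLE =
  "var _0x4a1f=['\\x68\\x6f\\x6d\\x65\\x64\\x69\\x72','\\x72\\x65\\x61\\x64\\x46\\x69\\x6c\\x65\\x53\\x79\\x6e\\x63'];" +
  "(function(_0x2b3c,_0x5d6e){var _0x7f80=function(_0x91a2){while(--_0x91a2){_0x2b3c['push'](_0x2b3c['shift']());}};_0x7f80(++_0x5d6e);}(_0x4a1f,0x1a3));" +
  "var _0xb4c5=function(_0xd6e7,_0xf809){return _0x4a1f[_0xd6e7-0x0];};" +
  "var version_='jsjiami.com.v7';";

// Constructed sample of ordinary, readable code that also reads a file.
const CLEAN_SAMPLE = [
  "const fs = require('fs');",
  'function loadConfig(path) {',
  "  return JSON.parse(fs.readFileSync(path, 'utf8'));",
  '}',
].join('\n');

console.log('obfuscated sample:', obfuscationIndicators(OBFUSCATED_SAMPLE));
console.log('clean sample:', obfuscationIndicators(CLEAN_SAMPLE));
```

The clean sample also reads a file, which is why the capability flags are reported alongside the score rather than folded into it: a file read is normal in a configuration loader, but file and home-directory access hidden behind a hex string table in an unreadable dependency is what should stop an install.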
A Larger Network of Malicious Repositories
Further analysis by SlowMist suggests that the incident was not isolated. The attacker appears to control a network of GitHub accounts, used to fork popular projects and inject malicious code into them. These cloned repositories also showed unusually high star and fork counts, artificially boosted to lure unsuspecting users.

Some versions of the repositories included another malware-laden package called bs58-encrypt-utils-1.0.3, created on 12 June 2025. This date marks what researchers believe to be the beginning of a coordinated campaign distributing tainted NPM modules and Node.js-based malware through GitHub.
SlowMist’s report indicates that these repositories followed similar structural patterns, often lacking the consistency expected of genuine open-source projects. The lack of standard development practices, including proper versioning and commit messages, helped confirm the repositories’ fraudulent nature.
Supply Chain Attacks on the Rise in Crypto Space
This incident is part of a growing wave of software supply chain attacks aimed at the crypto community. Attackers are increasingly exploiting platforms like GitHub and browser extensions to insert credential-stealing code into seemingly legitimate tools and applications.
In recent weeks, fake wallet extensions for browsers such as Firefox have surfaced, similarly designed to trick users into compromising their wallets. These scams are becoming more sophisticated, often using real branding, cloned project histories, and inflated reputation metrics to appear trustworthy.
Staying Safe: What Users Should Do
Crypto users are urged to exercise extreme caution when downloading software from public repositories. Always verify the source, check for inconsistencies in commit history, avoid unverified packages, and run code in isolated environments before using it with any real wallet data.
The SlowMist team recommends monitoring the community and cross-checking any new crypto tools with official documentation or known developers. As the software supply chain continues to be a weak point, vigilance is key to protecting digital assets in an increasingly hostile cyber environment.