A GitHub page pretending to be a real Solana trading bot was found to be hiding malware that steals crypto. The page was created by a user named “zldp2002” and looked like a real open-source tool. But when users ran it, their crypto got stolen.
The problem came to light after someone lost their funds. Blockchain security firm SlowMist looked into it and found the bot used strange coding patterns and had many fake stars and forks on GitHub to look trustworthy. For further context, all the code was uploaded around three weeks ago.
SlowMist found that the trading bot was built using Node.js and included a package named crypto-layout-utils. This package was already removed from the official Node.js (NPM) registry. Instead of using the official source, the attacker had users download it from a different GitHub page. This raised further suspicion.
When SlowMist experts scanned the package, they detected that it was highly obfuscated (made difficult on purpose) via a jsjiami.com webpage. Upon decoding, they discovered that the package scanned users’ local files. If it detected any wallet-related information or private keys, it would silently send the information to a remote server operated by the attacker.
The analysis also indicated that this was not the only malicious project. The hacker probably had multiple GitHub accounts for publishing similar spoofed projects. These projects were copied (forked) from actual ones and slightly modified to contain malware. Some used another malicious package named bs58-encrypt-utils-1.0.3, which was first introduced on June 12.
This case is part of a larger wave of cyberattacks on crypto users. Recently, hackers also targeted Firefox users with fake wallet extensions and used GitHub to spread harmful code.
