Cybersecurity company SlowMist revealed that an open source project called "solana-pumpfun-bot," published on GitHub and promoted in the community, contains a scheme for stealing from user wallets. According to the company, cryptocurrency was stolen from the wallets of users who ran the project, and some of the funds were moved to the exchange platform FixedFloat.
The incident came to light when a victim contacted the SlowMist team on July 2, 2025. According to the user's statement, the cryptocurrency in his wallet was stolen after he began using the "ZLDP2002/solana-pumpfun-bot" project the day before.
SlowMist's post-incident analysis found that the project is a Node.js application and depends on a suspicious third-party package called "crypto-layout-utils". The package does not appear in the official npm registry; it had already been removed from the platform. The investigation showed that the malicious developer tampered with the package's download link in package-lock.json, so that installing the project's dependencies fetched the malicious package from a location outside the registry rather than from npm.
SlowMist experts explained that the downloaded crypto-layout-utils-1.3.1 package contains heavily obfuscated code. Once deobfuscated, the code scans the user's computer for files containing wallets and private keys and sends that data to an attacker-controlled server at githubshadow.xyz.
The analysis further found that the GitHub user ZLDP2002, who published the project, appears to control a number of fake accounts and uses them to fork the project in order to reach more users. Some of those forks used a different malicious npm package, bs58-encrypt-utils-1.0.3.
After the incident, SlowMist used its on-chain analysis tool MistTrack to trace the attacker and found that part of the stolen cryptocurrency had been transferred to the FixedFloat platform. The campaign is believed to have been active since June 12, 2025.
SlowMist advised users to be very careful with software downloaded from open source platforms such as GitHub, especially projects that handle private keys or perform wallet operations. If such a project must be run, it should be run on an isolated machine that holds no sensitive data.
*This is not investment advice.
Discover more from Earlybirds Invest