
Crypto Bot on GitHub Steals Wallets—Hundreds Fooled by Fake Solana Tool

  • A seemingly safe GitHub bot secretly harvested private keys and drained user wallets.
  • Forks and stars were manipulated to make the malicious project appear trustworthy.
  • Obfuscated code quietly sent sensitive data to a hidden server without users noticing.

A fake GitHub project disguised as a Solana trading bot has reportedly stolen crypto assets from unsuspecting users. The repository, titled solana-pumpfun-bot and hosted under the account zldp2002, mimicked a real utility but secretly harvested wallet credentials.

According to cybersecurity firm SlowMist, a victim contacted the team after losing crypto funds. After analyzing the code, analysts found that it contained malicious logic designed to send users' private keys to an external server under the attacker's control.

Beyond its apparent legitimacy, the repository showed signs of artificially inflated popularity: more than 400 forks and hundreds of stars suggested a widely trusted and heavily used tool. These signals persuaded many users to download and run the bot without ever examining the source code.


Significantly, SlowMist researchers identified obfuscated JavaScript that processed private keys in the background. It ran the keys through crypto.createHash and submitted them over HTTPS requests to githubshadow.xyz.

The exfiltration traffic was shaped to resemble ordinary API calls, so it was less likely to attract suspicion.

The package dependencies raised further concerns: crypto-layout-utils was not installed from the official npm registry but from a copy uploaded to GitHub under a separate user account.

This let the attacker ship his own code inside the dependency, something the registry's package integrity checks would not have prevented.
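As an added example (not code from SlowMist or the repository described here), the following Node.js check flags dependencies that are pulled from anywhere other than the official npm registry, the pattern described above for crypto-layout-utils. The package data, account name and hash in the sample input are constructed placeholders.

```javascript
// Added example, not SlowMist's or the repository's code: flag npm dependencies that
// are not resolved from the official registry, the pattern described above where
// crypto-layout-utils came from a GitHub-hosted copy under another account.
const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

// A package.json spec that points anywhere but the registry: git URLs, github:
// shorthand, http(s) tarballs, local paths, or bare "user/repo".
function isNonRegistrySpec(spec) {
  return /^(git\+|git:|github:|gitlab:|bitbucket:|https?:|file:|\.\.?\/|\/)/i.test(spec)
    || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);
}

// Scans a parsed package.json and package-lock.json (lockfileVersion 2/3) and
// returns findings {name, source, reason}; a missing integrity hash is flagged too.
function findNonRegistryDeps(pkg, lock) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (isNonRegistrySpec(spec)) {
        findings.push({ name, source: spec, reason: `${section} spec bypasses the registry` });
      }
    }
  }
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === "" || entry.link) continue;            // root project or workspace link
    const name = entry.name || path.replace(/^.*node_modules\//, "");
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ name, source: resolved || "(none)", reason: "resolved outside the official registry" });
    } else if (!entry.integrity) {
      findings.push({ name, source: resolved, reason: "no integrity hash in lockfile" });
    }
  }
  return findings;
}

// Constructed sample input mirroring the article's case; account and hash are placeholders.
const samplePkg = { dependencies: {
  "@solana/web3.js": "^1.95.0",
  "crypto-layout-utils": "github:PLACEHOLDER-ACCOUNT/crypto-layout-utils",
} };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "example-bot" },
  "node_modules/@solana/web3.js": { version: "1.95.0", integrity: "sha512-PLACEHOLDER",
    resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz" },
  "node_modules/crypto-layout-utils": { version: "1.0.0",
    resolved: "git+ssh://git@github.com/PLACEHOLDER-ACCOUNT/crypto-layout-utils.git#PLACEHOLDER" },
} };
```

Running `findNonRegistryDeps(samplePkg, sampleLock)` reports crypto-layout-utils twice: once for the github: spec in package.json and once for the non-registry URL in the lockfile.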

Fake Popularity Tricked Developers into Running Dangerous Code

Beyond the technical aspects, the project’s public metrics were manipulated to attract developers. Forks and stars were likely generated by bots or fake accounts, giving it the appearance of a reputable project in the open-source community.

Moreover, the repository’s orderly organization, active commit history, and well-presented documentation provided users with illusory confidence. Consequently, several people unwittingly deployed the tool in environments with live crypto wallets.

As a result, SlowMist reiterated that no metric or appearance displayed on a public repository should be relied upon. Before running crypto tools, users should perform manual code audits and isolate any third-party scripts.

The discovery of this wallet-stealing GitHub bot underscores growing risks in open-source crypto development. Experts now urge users to verify all tools independently before connecting wallets or executing transactions.