Solana User Assets Stolen: Open Source Project Hides Malicious Code

A Solana-related open-source project carried malicious code that stole users' private keys, resulting in the loss of their assets.
In early July 2025, a user discovered that their crypto assets had been stolen after running an open-source project from GitHub and immediately sought help from the security team. Investigation showed that this was a meticulously planned attack combining a disguised open-source project with malicious NPM packages.
Investigators first visited the GitHub repository of the project in question. Although the project had a high number of Stars and Forks, its commits were concentrated around three weeks earlier, with none of the continuous update activity of a maintained project, which raised the investigators' suspicions.
Further analysis revealed that the project depended on a third-party package called crypto-layout-utils. This package had been removed from the official NPM registry, and the version pinned in package.json does not exist anywhere in the package's official NPM history.
The key clue appeared in the package-lock.json file: the attacker had replaced the download link (the resolved URL) for crypto-layout-utils with an address hosted on GitHub, so npm fetched the attacker's tarball instead of a registry package. After downloading and analyzing this suspicious dependency, investigators found that it contained heavily obfuscated malicious code.
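The lock-file tampering described above is straightforward to check for before installing an unfamiliar project. The following script is an added example, not code from the article or from the investigators: it parses a package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" layout of versions 2 and 3) and flags every dependency whose resolved URL does not point at registry.npmjs.org, whose registry tarball path does not match the package name, or which carries no integrity hash. The embedded lockfile is constructed for the demonstration; the GitHub URL, account name and version number in it are placeholders, not the real attacker's values.

```python
"""Audit an npm package-lock.json for dependencies that npm would download from
somewhere other than the official registry (added example, not the article's code)."""
import json
from urllib.parse import urlparse

OFFICIAL_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile (lockfileVersion 3 layout). The crypto-layout-utils entry
# mimics the tampering pattern from the article; URL, account and version are
# placeholders invented for this example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-solana-tool",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-solana-tool",
             "dependencies": {"bs58": "^5.0.0", "crypto-layout-utils": "9.9.9"}},
        "node_modules/bs58": {
            "version": "5.0.0",
            "resolved": "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/crypto-layout-utils": {
            "version": "9.9.9",
            "resolved": "https://github.com/EXAMPLE-ACCOUNT/crypto-layout-utils/"
                        "archive/refs/tags/v9.9.9.tar.gz",
        },
    },
})


def iter_lock_entries(lock):
    """Yield (package_name, entry) for every downloadable dependency, handling
    the flat "packages" map (lockfile v2/v3) and the nested "dependencies" tree (v1)."""
    packages = lock.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if not path or entry.get("link"):
                continue  # root project or symlinked workspace: nothing is downloaded
            # "node_modules/@scope/name" or "node_modules/a/node_modules/b" -> last segment
            yield path.rsplit("node_modules/", 1)[-1], entry
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def audit_entry(name, entry):
    """Return a list of findings (dicts) for one lockfile entry."""
    findings = []
    resolved = entry.get("resolved")
    if not resolved:
        return [{"package": name, "reason": "no resolved URL recorded", "resolved": None}]
    url = urlparse(resolved)
    if url.scheme not in ("https", "http") or url.hostname not in OFFICIAL_REGISTRY_HOSTS:
        # git+ssh://, http://, or any host other than the registry: manual review needed
        findings.append({"package": name,
                         "reason": f"resolved from non-registry source: {url.hostname or url.scheme}",
                         "resolved": resolved})
    elif not url.path.startswith(f"/{name}/-/"):
        # Registry tarballs live under /<name>/-/; a mismatch means a different package
        findings.append({"package": name,
                         "reason": "registry tarball path does not match package name",
                         "resolved": resolved})
    if not entry.get("integrity"):
        findings.append({"package": name, "reason": "no integrity hash", "resolved": resolved})
    return findings


def audit_lockfile(text):
    """Parse lockfile JSON text and return all findings across its entries."""
    findings = []
    for name, entry in iter_lock_entries(json.loads(text)):
        findings.extend(audit_entry(name, entry))
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['package']}: {f['reason']} ({f['resolved']})")
```

Run against a real project with `python audit_lock.py < package-lock.json` after replacing the sample with `sys.stdin.read()`; any entry pointing at github.com, a raw IP or a `git+` URL deserves the same scrutiny the investigators applied here, and a pinned version that the registry does not know should be treated as disqualifying rather than as a packaging mistake.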
After deobfuscating the code, investigators confirmed that this NPM package scans files on the user's computer for wallet or private-key related content and, once found, uploads it to a server controlled by the attacker.
The investigation also found that the attackers likely controlled multiple GitHub accounts, using them to replicate the malicious project and boost its credibility. Some of the related projects used another malicious package, bs58-encrypt-utils-1.0.3, which has been distributed since June 12, 2025.
Through on-chain analysis tools, it was discovered that an attacker address transferred the stolen funds to a cryptocurrency exchange.
Overall, the attack disguised itself as a legitimate open-source project, luring users into downloading and running software with malicious dependencies. The attackers also boosted the project's credibility by artificially inflating its popularity, so that users ran it without any defenses, leading to private key leakage and asset theft.
This type of attack combines social engineering with technical means, making it difficult to defend against fully even within an organization. Developers and users are advised to remain highly vigilant about unfamiliar GitHub projects, especially those involving wallet or private key operations. If such a project must be run or debugged, it is best done in an isolated environment that holds no sensitive data.
Involved Projects and Malicious Package Information
Multiple GitHub repositories have been found to participate in the dissemination of malicious code, including but not limited to:
Malicious NPM Package:
Attacker-controlled server domain name: