Author: Thinking
Editor: Liz
On July 2, 2025, a victim contacted the SlowMist security team for help analyzing why his wallet assets had been stolen. The day before, he had used an open source project hosted on GitHub, zldp2002/solana-pumpfun-bot, after which his crypto assets were stolen.
We immediately began investigating. We first visited the project's GitHub repository, https://github.com/zldp2002/solana-pumpfun-bot, and saw that its star and fork counts were relatively high, but the commit times in every directory were concentrated within the past three weeks. That is clearly abnormal: a normal project leaves a record of continuous updates.
This is a Node.js project. We first analyzed its dependencies and found that it references a third-party package named crypto-layout-utils.
Further verification showed that this package had been officially removed from NPM, and the version specified in package.json does not appear in the official NPM release history. We initially judged the package to be a suspicious component that could no longer be downloaded from the official NPM source. So how did the victim obtain this malicious dependency?
Digging further into the project, we found the key clue in the package-lock.json file: the attacker had replaced the download link (the resolved URL) of crypto-layout-utils with https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz.
We downloaded the suspicious package, crypto-layout-utils-1.3.1, and found that it was heavily obfuscated with jsjiami.com.v7, which made analysis harder.
After deobfuscation, we confirmed that it is a malicious NPM package. In crypto-layout-utils-1.3.1 the attacker implemented logic that scans the victim's computer for files; any content or files related to wallets or private keys are uploaded to a server controlled by the attacker (githubshadow.xyz).
Figure: the malicious NPM package scanning for sensitive files and directories.
Figure: the malicious NPM package uploading content or files containing private keys.
We continued to examine the attack method. The project author (https://github.com/zldp2002/) is suspected of controlling a number of GitHub accounts that are used to fork the malicious projects and distribute the malicious programs, while inflating the project's fork and star counts to attract more users' attention and widen the distribution of the malicious programs.
We also identified multiple forked projects with similar malicious behavior, some of which used another malicious package, bs58-encrypt-utils-1.0.3.
That malicious package was created on June 12, 2025, so we speculate that the attacker had already begun distributing malicious NPM packages and malicious Node.js projects by that time. After NPM removed bs58-encrypt-utils, the attacker switched to distributing the package through a replaced download link.
In addition, analysis with the on-chain anti-money-laundering and tracking tool MistTrack showed that after one of the attacker's addresses stole coins, it transferred the funds to the trading platform FixedFloat.
In this attack, the attacker disguised malicious code as a legitimate open source project (solana-pumpfun-bot) to trick users into downloading and running it. Under cover of the project's inflated popularity, users ran the Node.js project with its malicious dependencies without any warning, which leaked their wallet private keys and led to the theft of their assets.
The whole attack chain involved multiple GitHub accounts working together, which widened its spread, boosted its credibility and made it highly deceptive. Because this type of attack combines social engineering with technical means, it is difficult to defend against fully within an organization.
We recommend that developers and users be highly vigilant about unknown GitHub projects, especially those involving wallet or private key operations. If you really need to run and debug such a project, do so on a separate machine that holds no sensitive data.
GitHub repositories of the malicious Node.js project:
2723799947qq2022/solana-pumpfun-bot
2kwkkk/solana-pumpfun-bot
790659193qqch/solana-pumpfun-bot
7arlystar/solana-pumpfun-bot
918715c83/solana-pumpfun-bot
AmirhBeigi7zch6f/solana-pumpfun-bot
asmaamohamed0264/solana-pumpfun-bot
bog-us/solana-pumpfun-bot
edparker89/solana-pumpfun-bot
ii4272/solana-pumpfun-bot
ijtye/solana-pumpfun-bot
iwanjunaids/solana-pumpfun-bot
janmalece/solana-pumpfun-bot
kay2x4/solana-pumpfun-bot
lan666as2dfur/solana-pumpfun-bot
loveccat/solana-pumpfun-bot
lukgria/solana-pumpfun-bot
mdemetrial26rvk9w/solana-pumpfun-bot
oumengwas/solana-pumpfun-bot
pangxingwaxg/solana-pumpfun-bot
Rain-Rave5/solana-pumpfun-bot
wc64561673347375/solana-pumpfun-bot
wj6942/solana-pumpfun-bot
xnaotutu77765/solana-pumpfun-bot
yvagSirKt/solana-pumpfun-bot
VictorVelea/solana-copy-bot
Morning-Star213/Solana-pumpfun-bot
warp-zara/solana-trading-bot
harshith-eth/quant-bot
Malicious NPM packages:
crypto-layout-utils
bs58-encrypt-utils
Malicious NPM package download link:
https://github.com/sjaduwhv/testing-dev-log/releases/download/1.3.1/crypto-layout-utils-1.3.1.tgz
Server to which the malicious NPM package uploads data:
githubshadow.xyz