A fake GitHub repository posing as a Solana trading bot was used to distribute obscured malware that stole crypto wallet credentials, according to cybersecurity firm SlowMist.
A GitHub repository posing as a legitimate Solana trading bot has been exposed for reportedly hiding crypto-stealing malware.
According to a Friday report by blockchain security firm SlowMist, the now-deleted solana-pumpfun-bot repository hosted by account “zldp2002” mimicked a real open-source tool to harvest user credentials. SlowMist reportedly launched the investigation after a user found that their funds had been stolen on Thursday.
The malicious GitHub repository in question featured “a relatively high number of stars and forks,” SlowMist said. All of its code commits, across every directory, were made about three weeks ago, and the commit history showed irregularities and lacked the consistent pattern that, according to SlowMist, a legitimate project would be expected to show.
The project is Node.js-based and uses the third-party package crypto-layout-utils as a dependency. “Upon further inspection, we found that this package had already been removed from the official NPM registry,” SlowMist said.
A suspicious NPM package
The package could no longer be downloaded from the official Node package manager (NPM) registry, prompting investigators to question how the victim had obtained it. Investigating further, SlowMist discovered that the attacker had the project download the library from a separate GitHub repository instead.
After analyzing the package, SlowMist researchers found it to be heavily obfuscated using jsjiami.com.v7, which made analysis harder. After de-obfuscating it, investigators confirmed that the package was malicious: it scans local files and, if it detects wallet-related content or private keys, uploads them to a remote server.
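The mechanism described above, a dependency that no longer exists on the registry yet still installs because the project points at a GitHub repository instead, is something a defender can catch before `npm install` runs anything. The following audit script is an added example, not code from SlowMist or from the repository the article describes: it walks a project's package.json and package-lock.json and flags every dependency that is not resolved from the npm registry (git or GitHub sources, raw tarball URLs, local paths) or that is missing an integrity hash. The sample manifest and lockfile, the registry allowlist, and the names `example-user` and `layout-helpers` are constructed for this example.

```javascript
// Added example (not from SlowMist or the article): audit where a Node.js
// project's dependencies actually come from, so that a package pulled from a
// git/GitHub URL, a raw tarball or a local path is surfaced before install.
// All sample data below is constructed for the example.

const ALLOWED_REGISTRIES = ['https://registry.npmjs.org/']; // assumption: only the public registry

// Classify a package.json version specifier. Only a plain semver range or
// dist-tag resolves through the registry; everything else fetches elsewhere.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^(git\+|git:|ssh:|github:|gitlab:|bitbucket:|gist:)/i.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return 'url';
  if (/^(file:|\.\.?\/|\/|~\/)/.test(s)) return 'file';
  if (/^npm:/.test(s)) return 'alias';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s) && !/^\d/.test(s)) return 'git'; // user/repo shorthand
  return 'registry';
}

// Flag manifest entries whose specifier bypasses the registry.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') {
        findings.push({ name, field, spec, reason: `resolves via ${kind}, not the registry` });
      }
    }
  }
  return findings;
}

// Flag lockfile (v2/v3 "packages" map) entries resolved outside the allowed
// registries, and registry tarballs that carry no integrity hash.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project / workspace symlink
    const name = path.replace(/^.*node_modules\//, '');
    const resolved = entry.resolved || '';
    const fromRegistry = ALLOWED_REGISTRIES.some((r) => resolved.startsWith(r));
    if (!fromRegistry) {
      findings.push({ name, resolved, reason: 'resolved outside the allowed registries' });
    } else if (!entry.integrity) {
      findings.push({ name, resolved, reason: 'registry tarball without an integrity hash' });
    }
  }
  return findings;
}

// Constructed sample manifest: one normal dependency, one pulled from a
// hypothetical GitHub source, one pulled as a raw tarball URL.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-trading-bot',
  dependencies: {
    '@solana/web3.js': '^1.90.0',
    'crypto-layout-utils': 'github:example-user/crypto-layout-utils', // hypothetical source
    'layout-helpers': 'https://example.invalid/layout-helpers-1.0.0.tgz', // hypothetical tarball
  },
};

// Constructed sample lockfile matching the manifest above.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-trading-bot' },
    'node_modules/@solana/web3.js': {
      version: '1.90.0',
      resolved: 'https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.90.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/crypto-layout-utils': {
      version: '1.0.0',
      resolved: 'git+https://github.com/example-user/crypto-layout-utils.git#0123abcd',
    },
    'node_modules/layout-helpers': {
      version: '1.0.0',
      resolved: 'https://example.invalid/layout-helpers-1.0.0.tgz',
    },
  },
};

function runAudit(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCKFILE) {
  return { manifest: auditPackageJson(pkg), lockfile: auditLockfile(lock) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = runAudit();
  for (const f of [...report.manifest, ...report.lockfile]) {
    console.log(`[!] ${f.name}: ${f.reason} (${f.spec || f.resolved})`);
  }
}
```

In a CI job the same two functions would be fed the real `package.json` and `package-lock.json` (via `JSON.parse(fs.readFileSync(...))`) and the job would fail on any finding; the lockfile check matters because a manifest can look clean while the lock still pins a git commit or an off-registry tarball.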
More than a single repository
Further investigation by SlowMist revealed that the attacker likely controlled a batch of GitHub accounts. These accounts were used to fork projects into malicious variations, distributing malware while artificially inflating fork and star counts.
Multiple forked repositories exhibited similar features, with some versions incorporating another malicious package, bs58-encrypt-utils-1.0.3. This package was created on June 12, which SlowMist researchers said is when they believe the attacker began distributing malicious NPM modules and Node.js projects.
The incident is the latest in a string of software supply chain attacks targeting crypto users. In recent weeks, similar schemes have targeted Firefox users with fake wallet extensions and used GitHub repositories to host credential-stealing code.
Source: https://cointelegraph.com/