New malware has been detected that targets cryptocurrency wallets, draining funds from unsuspecting users. The software responsible, an open-source project named “solana-pumpfun-bot,” was published on GitHub and quickly gained attention within the community. However, it was later revealed to contain a fraudulent scheme designed to steal cryptocurrencies from user wallets.
The incident was brought to light on July 2, 2025, when a victimized user reached out to the cybersecurity firm SlowMist. The user reported that their cryptocurrencies were stolen after they began using the “zldp2002/solana-pumpfun-bot” project on GitHub the previous day. SlowMist’s post-incident analysis uncovered that the project was built on Node.js and relied on a suspicious third-party package called “crypto-layout-utils.” This package, which is not listed in NPM’s official records and has since been removed from the platform, was found to contain malicious code.
The downloaded “crypto-layout-utils-1.3.1” package included complex, obfuscated code that scanned the user’s computer for files containing wallets and private keys. This sensitive data was then sent to a server controlled by the attacker, identified as “githubshadow.xyz.” The analysis also revealed that the GitHub user (zldp2002), allegedly the developer of the project, controlled a large number of fake accounts. These accounts were used to fork the project and reach a broader audience, with some forks using a different malicious NPM package, “bs58-encrypt-utils-1.0.3.”
SlowMist’s investigation, aided by an on-chain analysis tool called MistTrack, traced the attackers’ activities. It was discovered that the malware attack had been active since June 12, 2025, and that some of the stolen cryptocurrencies were transferred to the FixedFloat platform. The firm emphasized the importance of exercising extreme caution when downloading software from open-source platforms like GitHub, especially for projects involving private keys or wallet operations. In cases where such projects are necessary, SlowMist recommended running them on an isolated machine that does not contain sensitive data.
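A pre-install check for the dependency pattern described above, as an added example that is not from the article or from SlowMist's analysis: it audits a parsed package-lock.json and flags the two package names reported in this incident, plus any dependency whose tarball resolves outside the official npm registry. The registry allow-list, the sample lockfile, and its URLs are constructed assumptions.

```javascript
// Added example: audit the "packages" map of a parsed package-lock.json (lockfileVersion 2/3).
// Package names come from the article; the trusted-host list is an assumption.
const REPORTED_NAMES = new Set(["crypto-layout-utils", "bs58-encrypt-utils"]);
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: add a private registry if used

function packageName(lockPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = packageName(path);
    if (REPORTED_NAMES.has(name)) {
      findings.push({ name, version: meta.version, reason: "name reported as malicious" });
      continue;
    }
    if (meta.link || !meta.resolved) continue; // workspace links and bundled deps carry no URL
    let host;
    try {
      host = new URL(meta.resolved).hostname; // "file:" URLs yield an empty host and are flagged
    } catch {
      host = null; // unparseable "resolved" value: treat as untrusted
    }
    if (!TRUSTED_HOSTS.has(host)) {
      findings.push({ name, version: meta.version, reason: `resolved outside registry: ${meta.resolved}` });
    }
  }
  return findings;
}

// Constructed sample lockfile; the download host is a placeholder, not an indicator from the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot", version: "1.0.0" },
    "node_modules/bs58": { version: "5.0.0", resolved: "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz" },
    "node_modules/crypto-layout-utils": { version: "1.3.1", resolved: "https://downloads.example.invalid/crypto-layout-utils-1.3.1.tgz" },
    "node_modules/some-helper": { version: "0.1.0", resolved: "https://downloads.example.invalid/some-helper-0.1.0.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against the lockfile of a cloned project before `npm install`, on the isolated machine SlowMist recommends; an empty result does not show the project is safe, only that these two checks found nothing.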