In a recent cybersecurity revelation, SlowMist, a leading blockchain security firm, has uncovered a malicious code embedded within the widely used open-source project "Solana-pumpfun-bot" hosted on GitHub. The discovery highlights an emerging trend of sophisticated social engineering attacks targeting cryptocurrency users through seemingly legitimate development tools.
The investigation began on July 2, 2025, when a victim reached out to SlowMist after losing digital assets following the use of the open-source tool. According to the analysis, funds were rapidly transferred to FixedFloat, a cryptocurrency exchange service, indicating a well-coordinated theft operation.
How the Attack Was Executed
The attackers disguised their malicious software as an authentic version of solana-pumpfun-bot, a tool popular among developers for automating token launches on the Solana blockchain. Users who downloaded and executed the compromised version unknowingly granted access to their private keys and wallet data.
A critical component of the attack was a rogue dependency package named "crypto-layout-utils", which had been published to the official NPM registry but was later removed after detection. This package acted as a backdoor, scanning victims' systems for wallet-related files—such as Keystore JSONs or seed phrases—and exfiltrating them to attacker-controlled servers.
Further forensic analysis revealed that the threat actors uploaded a modified version of the software and replaced the original download link with a malicious one. This allowed them to maintain the appearance of legitimacy while distributing infected binaries.
Coordinated Campaign Using Fake Accounts
SlowMist’s researchers identified a network of multiple GitHub accounts linked to the same individual or group. These accounts were used to fork the original project, artificially inflate its popularity through stars and clones, and spread trust through coordinated activity.
Several of these forks incorporated another suspicious NPM package: "bs58-encrypt-utils", which shares behavioral patterns with the primary malware. This indicates a broader campaign rather than an isolated incident.
The entire attack chain demonstrates a high level of operational sophistication. By combining technical exploits with psychological manipulation, the attackers increased their success rate and avoided immediate detection.
Evidence suggests this malicious campaign began as early as June 12, 2025, when "bs58-encrypt-utils" was first published—marking the start of what appears to be a long-term infiltration strategy.
Evolving Tactics in Crypto Cybersecurity Threats
While core hacking techniques have not significantly advanced, threat actors are now relying more heavily on deception and user behavior manipulation. As Lisa, Operations Manager at SlowMist, noted in the Q2 2025 MistTrack stolen-funds report:
“We’re seeing a clear shift from purely on-chain attacks to off-chain entry points—browser extensions, social media accounts, authentication flows, and user psychology are now prime attack surfaces.”
This evolution underscores a growing vulnerability: even if blockchains remain secure, users remain the weakest link.
Rising Threats: Fake Extensions and Compromised Hardware Wallets
One common tactic involves redirecting users to trusted platforms like Notion or Zoom. Attackers compromise third-party download mirrors or inject malicious scripts into ad-based distribution channels. When users believe they’re downloading legitimate software, they instead install malware designed to harvest credentials.
Another alarming method involves sending victims a compromised hardware wallet under false pretenses—such as claiming the user won a free device or that their current wallet is compromised and must be replaced. Once the victim connects the device, it prompts them to input sensitive information directly into a phishing interface.
Additionally, attackers create spoofed websites that mimic official project domains. These sites often trigger fake security alerts:
“Attackers know phrases like ‘risk signature detected’ trigger panic,” Lisa explained. “That emotional state leads users to make hasty decisions—clicking links, sharing keys, or authorizing transactions they wouldn’t normally approve.”
This psychological exploitation is becoming increasingly effective, especially among new participants in decentralized finance (DeFi).
Exploitation of New Protocol Features and Cross-Platform Attacks
Some attacks have begun leveraging newly introduced features in major blockchain upgrades. For instance, threat actors are experimenting with EIP-7702, a feature added in Ethereum’s Pectra upgrade, potentially enabling new attack vectors related to account abstraction and smart contract interactions.
In parallel, there have been reports of attackers compromising WeChat accounts to target Chinese-speaking crypto users. These social media takeovers allow for direct phishing attempts under the guise of trusted contacts or community groups.
According to SlowMist’s data, Ethereum led all ecosystems in total financial losses during H1 2025, with DeFi platforms accounting for approximately $470 million in stolen funds. This highlights the continued attractiveness of high-value liquidity pools despite increased auditing and monitoring efforts.
FAQ: Understanding the Solana-pumpfun-bot Threat
Q: What is Solana-pumpfun-bot?
A: It’s an open-source automation tool designed to help developers launch and promote tokens on the Solana blockchain. However, a malicious version has been distributed containing code that steals wallet information.
Q: How can I tell if I’ve downloaded the malicious version?
A: Check your installed dependencies for packages like crypto-layout-utils or bs58-encrypt-utils. If present, assume compromise and immediately revoke access permissions and transfer funds to a new wallet.
Q: Are all GitHub projects unsafe now?
A: No—but caution is essential. Always verify repository authenticity, check contributor history, review code manually, and avoid running untrusted scripts directly on machines containing wallets.
Q: Can antivirus software detect this type of threat?
A: Not always. Many crypto-specific malware variants are lightweight and fileless, evading traditional detection methods. Specialized blockchain security tools offer better protection.
Q: How do I protect myself from similar attacks?
A: Use air-gapped machines for signing transactions, enable multi-signature wallets, avoid downloading tools from unofficial sources, and stay informed about known threats via trusted security firms.
Q: Is the original Solana-pumpfun-bot project still safe?
A: The legitimate version may still exist, but users should only download from verified maintainers and cross-check hashes or signatures if available.
As the line between legitimate development tools and malicious software blurs, user vigilance becomes paramount. The fusion of technical exploits and psychological manipulation marks a new era in crypto crime—one where awareness and education are just as critical as encryption and code audits.