Beware: Solana PumpFun Bot Is Actually Malware in Sheep’s Clothing

Author: Cryptodnes
Published: 2025-07-04 02:00:23

Another day, another crypto scam—this time with a Solana twist.

Malware masquerading as a trading tool

Hackers are now weaponizing FOMO, disguising malware as a PumpFun trading bot targeting Solana users. No fancy promises of 100x returns—just a quick siphon of your wallet.

How it works (or doesn’t)

The ‘bot’ claims to automate meme coin pumps but instead installs credential-stealing payloads. Classic bait-and-switch—Wall Street would be proud.

Stay sharp out there. In crypto, if it looks too good to be true, it’s probably draining your wallet.

Fake Package, Real Damage

SlowMist’s investigation revealed that the bot was built with Node.js and used a shady dependency named “crypto-layout-utils”, which isn’t listed in official NPM repositories. Once installed, this package silently scanned for private keys and wallet files on the user’s device and sent them to an attacker-controlled server, githubshadow.xyz.

The malware’s code was heavily obfuscated, making it difficult to detect. The attacker also forked the project multiple times using fake GitHub accounts, amplifying exposure. Some of these forks used an alternate malicious package, “bs58-encrypt-utils-1.0.3”.

Attack Active Since Mid-June

The attack appears to have been active since June 12, 2025, and was only discovered after a victim contacted SlowMist a day after installing the project. Post-exploit on-chain analysis using SlowMist’s MistTrack tool confirmed the stolen funds were routed to FixedFloat.

Expert Warning

SlowMist strongly cautioned against running GitHub-based open-source software that interacts with wallets or private keys unless done in a highly isolated environment. The firm recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.

The case underscores the growing risk of social engineering and dependency hijacking in open-source crypto development — and the importance of verifying every component before execution.
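
One way to check a Node.js project's dependencies before running it, as an added example that is not code from SlowMist or the original article: it reads the `packages` map of a `package-lock.json` and flags the two package names reported above, plus any dependency whose download URL is not on the official npm registry. Treating every non-registry source as suspicious is an assumption made here, based on the report that the malicious package is not listed on npm; the lockfile layout (lockfileVersion 2 or 3), function names and sample data are likewise illustrative.

```javascript
// Added example: audit a parsed package-lock.json for the packages named in the
// article and for dependencies fetched from outside the official npm registry.
// The article gives the second name as "bs58-encrypt-utils-1.0.3".
const FLAGGED_PREFIXES = ["crypto-layout-utils", "bs58-encrypt-utils"];
const OFFICIAL_REGISTRY_HOST = "registry.npmjs.org";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per suspicious entry in the lockfile's "packages" map.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = meta.name || packageNameFromPath(path);
    const resolved = meta.resolved || null;
    if (FLAGGED_PREFIXES.some((p) => name === p || name.startsWith(p + "-"))) {
      findings.push({ name, reason: "named-in-report", resolved });
      continue;
    }
    if (meta.link || !resolved) continue; // workspace links and bundled deps have no tarball URL
    let host = null;
    try {
      host = new URL(resolved).hostname; // exact host match, so look-alike hosts do not pass
    } catch {
      host = null; // not a parseable URL: treat as non-registry
    }
    if (host !== OFFICIAL_REGISTRY_HOST) {
      findings.push({ name, reason: "non-registry-source", resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile; hosts under example.invalid are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "0.0.1" },
    "node_modules/bs58": { resolved: "https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz" },
    "node_modules/crypto-layout-utils": { resolved: "https://downloads.example.invalid/clu.tgz" },
    "node_modules/some-helper": { resolved: "https://mirror.example.invalid/some-helper-2.1.0.tgz" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse` of its `package-lock.json` contents to `auditLockfile` before running `npm install`. A team that uses an internal registry mirror would need to allow that host as well.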

Kosta Gushterov

Kosta has been working in the crypto industry for over 4 years. He strives to present different perspectives on a given topic and enjoys the sector for its transparency and dynamism. In his work, he focuses on balanced coverage of events and developments in the crypto space, providing information to his readers from a neutral perspective.
