🚨 SlowMist Exposes Malicious Code in GitHub's "Solana-pumpfun-bot" - Crypto Devs Beware!
Security researchers at SlowMist have uncovered a hidden threat lurking in a popular Solana trading bot, proving once again that 'free alpha' often comes with a side of malware.
The so-called 'pumpfun-bot,' hosted on GitHub, contained malicious code designed to compromise users' wallets. No exact victim count was disclosed, but the discovery sent shockwaves through Solana's dev community.
While DeFi degens chase the next 100x, security firms like SlowMist do the actual work of keeping crypto ecosystems from imploding. Remember: if a bot promises easy gains, your private keys are probably part of the exit strategy.
The project author is the main suspect
To pull the attack off, the hacker pretended to be an official open-source project (solana-pumpfun-bot) to get people to download and run malicious code. During the investigation, a suspicious dependency named "crypto-layout-utils" was found to have been removed from the official NPM registry.
The hacker subsequently replaced the original download URL with a malicious version of the software. The malicious code searched the victim's PC for wallet-related files and sent sensitive data to an attacker-controlled server.
The investigation also found that the project author is suspected of controlling multiple GitHub accounts. They were used to fork malicious projects, distribute malicious programs, and artificially inflate the project's popularity. Multiple forks with similar malicious behavior were identified, some of which used another malicious package, "bs58-encrypt-utils".
The entire attack chain involves several GitHub accounts working together. This expanded the scope of dissemination and enhanced credibility, making the campaign extremely deceptive. At the same time, this attack used both social engineering and technical means, and it is difficult to defend against it fully within an organization.
The malicious activity is believed to have started on June 12, 2025. This is when the attacker created the malicious package "bs58-encrypt-utils".
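The dependency tampering described above leaves traces in a project's lockfile. The following is an added example, not code from SlowMist or from the repository: it audits a parsed package-lock.json for the two package names the article mentions and for any dependency whose download URL is not the official NPM registry. The function names, the trusted-prefix list and the sample lockfile are constructed assumptions.

```javascript
// Package names are the ones named in the article; everything else is assumed.
const FLAGGED_NAMES = new Set(['crypto-layout-utils', 'bs58-encrypt-utils']);
// Assumption: only the public registry is trusted; add a private mirror if used.
const TRUSTED_PREFIXES = ['https://registry.npmjs.org/'];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Accepts the parsed JSON of a lockfileVersion 2 or 3 package-lock.json.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = entry.name || packageNameFromPath(path);
    if (FLAGGED_NAMES.has(name)) {
      findings.push({ name, path, reason: 'flagged-name' });
    }
    // Workspace links and bundled dependencies carry no download URL.
    if (entry.link || typeof entry.resolved !== 'string') continue;
    if (!TRUSTED_PREFIXES.some((p) => entry.resolved.startsWith(p))) {
      findings.push({ name, path, reason: 'untrusted-source', url: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile: versions, URLs and hashes are placeholders.
const REG = 'https://registry.npmjs.org/';
const SAMPLE_LOCK = {
  name: 'example-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', version: '0.0.0' },
    'node_modules/bs58': { version: '0.0.0', integrity: 'sha512-PLACEHOLDER',
      resolved: REG + 'bs58/-/bs58-0.0.0.tgz' },
    'node_modules/crypto-layout-utils': { version: '0.0.0',
      resolved: 'https://downloads.example.invalid/crypto-layout-utils-0.0.0.tgz' },
    'node_modules/bs58/node_modules/bs58-encrypt-utils': { version: '0.0.0',
      integrity: 'sha512-PLACEHOLDER',
      resolved: REG + 'bs58-encrypt-utils/-/bs58-encrypt-utils-0.0.0.tgz' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

An empty result only means none of these specific indicators are present; it does not show that a dependency's code is benign.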
Crypto hacking techniques haven't advanced much, but they've become more cunning
According to SlowMist, crypto hacking techniques haven't advanced much, but they've become far more cunning. SlowMist's head of operations, Lisa, said in the firm's Q2 MistTrack Stolen Fund Analysis report that although it didn't see an advancement in hacking techniques, the scams have become more sophisticated.
There is a rise in fake browser extensions, tampered hardware wallets, and social engineering attacks. "We're seeing a clear shift from purely on-chain attacks to off-chain entry points - browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces," said Lisa.
For instance, attackers guide users to visit well-known, commonly used websites like Notion or Zoom. When the user attempts to download software from these official sites, the files delivered have already been maliciously replaced.
Another method is for hackers to send users a compromised cold wallet. They tell their victims they have won a free device in a "lottery draw" or tell them their existing device was compromised and they need to transfer their assets. Even better, hackers have introduced fake websites.
The final hit is usually manipulation. "Attackers know phrases like 'risky signature detected' can trigger panic, prompting users to take hasty actions. Once that emotional state is triggered, it's much easier to manipulate them into doing things they normally wouldn't - like clicking links or sharing sensitive information," Lisa said.
Other attacks used hacking methods that took advantage of EIP-7702, which was added in Ethereum's most recent upgrade, Pectra. Another attack took over the accounts of several WeChat users and targeted them. According to SlowMist, Ethereum led all ecosystems in security losses in the first half of 2025, with DeFi platforms losing around $470 million.