Scam Alert: Victims Lose Crypto to Malicious Solana Bot on GitHub



Cybersecurity firm SlowMist recently revealed that it was contacted by a user who was affected by a malicious open-source project on GitHub that appeared to be a Pump.fun bot for trading Solana-based tokens.

The user downloaded and ran a seemingly innocuous GitHub project. Shortly afterward, their wallet was drained.

The bogus project was a Node.js app that depended on a package downloaded from a custom GitHub link rather than from the npm registry, which let the package bypass the registry's security checks. Attackers typically hide malicious code in externally hosted packages to avoid detection.
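One way to check a project for this pattern before running `npm install`, as an added example (not code from SlowMist or the original article): the function below flags dependencies that npm would fetch from a Git host, a URL or a local path instead of the registry. The sample manifests, package names and URLs are constructed, and the registry allowlist is an assumption.

```javascript
// Added example: flag dependencies that npm would fetch from outside the registry.
const REGISTRY_PREFIXES = ["https://registry.npmjs.org/"]; // assumption: extend for a private registry
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Classify a package.json version spec; returns a reason string, or null for a registry spec.
function classifySpec(spec) {
  if (/^(git\+|git:\/\/)/i.test(spec)) return "git URL";
  if (/^(github|gitlab|bitbucket|gist):/i.test(spec)) return "hosted git shorthand";
  if (/^https?:\/\//i.test(spec)) return "remote tarball URL";
  if (/^(file|link):/i.test(spec)) return "local path";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "GitHub user/repo shorthand";
  return null;
}

function findNonRegistryDeps(pkg, lock = {}) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpec(String(spec));
      if (reason) findings.push({ where: `package.json ${field}`, name, source: spec, reason });
    }
  }
  // Lockfile v2/v3 records where every installed package, transitive ones included, was resolved from.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.resolved) continue; // skip the root project entry
    if (REGISTRY_PREFIXES.some((p) => entry.resolved.startsWith(p))) continue;
    const name = path.replace(/^.*node_modules\//, "");
    findings.push({ where: "package-lock.json", name, source: entry.resolved, reason: "resolved outside registry" });
  }
  return findings;
}

// Constructed sample input (hypothetical package names and URLs).
const samplePkg = {
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "example-utils": "https://github.com/example-user/example-utils/releases/download/v1.0.0/example-utils-1.0.0.tgz",
    "example-helper": "example-user/example-helper#main",
  },
};
const sampleLock = {
  packages: {
    "": { name: "demo-bot" },
    "node_modules/@solana/web3.js": { resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz" },
    "node_modules/example-utils": { resolved: "https://github.com/example-user/example-utils/releases/download/v1.0.0/example-utils-1.0.0.tgz" },
    "node_modules/example-helper": { resolved: "git+ssh://git@github.com/example-user/example-helper.git#0000000000000000000000000000000000000000" },
  },
};
console.table(findNonRegistryDeps(samplePkg, sampleLock));
```

A flagged entry is not proof of malice, but it marks code that never passed through the registry and should be read before it is installed on a machine that holds wallet keys.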

The package then scanned for the victim's crypto wallet information and sent private keys to a server controlled by the malicious actor.

The hacker used bogus GitHub accounts to fake the project's popularity and make it look trustworthy.

SlowMist has stressed that users should never blindly trust GitHub projects. 


