GitHub Repo Mimics Solana Bot, Fleeces Users
The decentralized finance (DeFi) space, particularly the Solana ecosystem, is once again under siege, this time from a cleverly disguised malicious actor. A GitHub repository, masquerading as a legitimate Solana trading bot, has been exposed for harboring malware designed to pilfer user funds. This incident serves as a stark reminder of the ever-present threats lurking in the crypto world, especially those exploiting software supply chains.
SlowMist Uncovers the Deception
Blockchain security firm SlowMist spearheaded the investigation, triggered by a user report of stolen funds. The now-deleted repository, under the account “zldp2002,” mirrored a popular open-source Solana trading tool. The deceptive strategy proved effective, accumulating a significant number of stars and forks on GitHub, giving the project a veneer of credibility. However, upon closer inspection, inconsistencies in the commit patterns and the use of a compromised third-party package revealed the project’s true, nefarious purpose.
Malware‘s Method of Operation
The malicious bot, built using Node.js and dependent on the compromised package “crypto-layout-utils,” was designed to harvest user credentials. The investigation showed that the package was already removed from the official NPM registry. The attacker, however, was downloading the library from a separate GitHub repository. Further analysis revealed that the package was obfuscated, making the source code difficult to analyze, but ultimately designed to scan a user’s local files for wallet-related content or private keys. When found, the sensitive data was uploaded to a remote server, facilitating the theft.
The Broader Scope of the Attack
SlowMist‘s investigation uncovered evidence that the attacker likely controlled multiple GitHub accounts, enabling the creation of forked projects to distribute the malware more widely. These forked repositories, featuring similar functionalities, included a second malicious package, “bs58-encrypt-utils-1.0.3.” This points to a coordinated effort, with the attacker seemingly launching the campaign in June, based on the package creation date. This attack underscores the importance of vigilance within the crypto community, reminding users to scrutinize open-source projects before use.
Lessons Learned and Future Implications
This Solana bot scam highlights the risks associated with supply chain attacks, where malicious actors compromise legitimate software dependencies to infect users. The incident is also part of a broader trend of credential-stealing schemes targeting crypto users, with past attacks exploiting fake wallet extensions and compromised repositories. Users should always verify the source code of projects, be wary of projects with limited documentation or irregular commit patterns, and use multiple security layers. Furthermore, this type of attack highlights the importance of regularly checking for updates and verifying that your software is up-to-date to avoid potential vulnerabilities. As the crypto landscape evolves, so too will the sophistication of these malicious attacks; ongoing diligence and community-wide education remain crucial for safeguarding user funds.
