Solana-Pumpfun-Bot turns out to be camouflaged malware

A malicious open source project on GitHub, disguised as a Solana trading bot, has been compromising users' wallets since July 2, 2025.
The project, called “Solana-Pumpfun-Bot” and published under the GitHub user ZLDP2002, quickly gained traction in the community. Instead of providing real functionality, it quietly stole cryptocurrency from users' wallets and forwarded the funds to a platform called FixedFloat.
Fake package, real damage
SlowMist's investigation showed that the bot was built with Node.js and pulled in a questionable dependency called “crypto-layout-utils”, which is not listed in the official npm registry. Once installed, this package searched the user's device for private keys and wallet files and sent them to an attacker-controlled server, githubshadow.xyz.
The malware's code was heavily obfuscated, which made it hard to spot. The attacker also forked the project several times under fake GitHub accounts to widen its spread. Some of these forks used an alternative malicious package, “bs58-encrypt-utils-1.0.3”.
Attack active since mid-June
The attack appears to have been active since June 12, 2025 and was only discovered after a victim contacted SlowMist the day after installing the project. A subsequent on-chain analysis with SlowMist's MistTrack tool confirmed that the stolen funds had been forwarded to FixedFloat.
Expert warning
SlowMist strongly warns against running GitHub-hosted open source software that interacts with wallets or private keys unless it is done in a strictly isolated environment. The company recommends avoiding suspicious or unverified packages, especially in crypto bot frameworks and automation tools.
The case underlines the growing risk of social engineering and dependency hijacking in open source crypto development, and the importance of vetting every component before execution.
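The property that gave the malicious dependency away, according to the article, is that “crypto-layout-utils” was not served from the official npm registry at all. A practical pre-execution check for a Node.js bot, covering both the dependency paragraph above and the closing recommendation to vet every component, is to audit the project's package.json and package-lock.json for dependencies that npm resolves from somewhere other than registry.npmjs.org. The script below is an added example written for this article; it is not SlowMist's tooling and not code from the Solana-Pumpfun-Bot repository. The package.json and lockfile objects it audits are constructed samples: the host example.invalid, the version numbers and the integrity strings are made up and do not describe the real malware.

```javascript
// Added example, not code from the article or the repository it describes.
// Audit Node.js dependency metadata for packages that bypass the official npm
// registry (git URLs, GitHub shorthand, tarball URLs, local paths) or whose
// installed copy was resolved from a non-registry host.

const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

// A package.json dependency spec that npm resolves without consulting the
// registry: git/hosted-git URLs, http(s) tarballs, local paths, and the bare
// "owner/repo" or "owner/repo#ref" GitHub shorthand.
function isNonRegistrySpec(spec) {
  const urlLike = /^(git(\+\w+)?:|github:|gitlab:|bitbucket:|https?:|file:|\.{0,2}\/)/i;
  const githubShorthand = /^[\w.-]+\/[\w.-]+(#.*)?$/;
  return urlLike.test(spec) || githubShorthand.test(spec);
}

// Flag declared dependencies whose spec bypasses the registry.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isNonRegistrySpec(spec)) {
        findings.push({ name, field, spec, reason: "dependency spec bypasses the npm registry" });
      }
    }
  }
  return findings;
}

// Flag installed packages (lockfileVersion 2/3 "packages" map) whose recorded
// "resolved" URL is not the official registry, or that carry no integrity hash.
// Workspace links legitimately have no "resolved" and will show up here too;
// that is intended, since they also deserve a look before running the code.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      findings.push({ name, reason: "no resolved URL recorded" });
      continue;
    }
    if (!entry.resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ name, resolved: entry.resolved, reason: "resolved outside the official registry" });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: "no integrity hash recorded" });
    }
  }
  return findings;
}

function auditProject(pkg, lock) {
  return [...auditPackageJson(pkg), ...auditLockfile(lock)];
}

// Constructed sample input (not the real project's files). Only the package
// name "crypto-layout-utils" comes from the article; host, versions and
// integrity values are made up.
const SAMPLE_PACKAGE_JSON = {
  name: "example-trading-bot",
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "bs58": "^6.0.0",
    "crypto-layout-utils": "https://example.invalid/crypto-layout-utils-1.0.0.tgz"
  }
};

const SAMPLE_LOCKFILE = {
  name: "example-trading-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-trading-bot", dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/@solana/web3.js": {
      version: "1.95.3",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.3.tgz",
      integrity: "sha512-constructed-sample-hash-1"
    },
    "node_modules/bs58": {
      version: "6.0.0",
      resolved: "https://registry.npmjs.org/bs58/-/bs58-6.0.0.tgz",
      integrity: "sha512-constructed-sample-hash-2"
    },
    "node_modules/crypto-layout-utils": {
      version: "1.0.0",
      resolved: "https://example.invalid/crypto-layout-utils-1.0.0.tgz",
      integrity: "sha512-constructed-sample-hash-3"
    }
  }
};

for (const f of auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)) {
  const detail = f.spec || f.resolved ? ` (${f.spec || f.resolved})` : "";
  console.log(`[!] ${f.name}: ${f.reason}${detail}`);
}
```

To run it against a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for package-lock.json, and do so before `npm install`, since install scripts run at that point. A clean result is necessary, not sufficient: a package served from the official registry can still be a typosquat or a hijacked maintainer account, so the registry-origin check belongs alongside reading the dependency's source and running the bot in an isolated environment, as the article recommends.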