Attention: New Virus Detected that Empties Cryptocurrency Wallets! Here is the Guilty Program and What Needs to Be Done
The cybersecurity firm SlowMist revealed that the open-source project named "solana-pumpfun-bot" published on GitHub contains a fraud scheme targeting user wallets within the community. According to the information provided by the company, the cryptocurrencies in the wallets of users running the project were stolen, and some of the funds were transferred to a platform called FixedFloat.
The incident came to light on July 2, 2025, when a victim reported it to the SlowMist team. According to the user's statement, the cryptocurrencies in their wallet were stolen after they had started using the "zldp2002/solana-pumpfun-bot" project on GitHub a day earlier.
SlowMist's analysis after the incident determined that the project is based on Node.js and depends on a suspicious third-party package named "crypto-layout-utils." This package is no longer listed in the official NPM registry, having been removed from the platform. The investigation revealed that the malicious developers altered the download link in the package-lock.json file, so that users installing the project's dependencies downloaded harmful software.
SlowMist experts announced that the downloaded "crypto-layout-utils-1.3.1" package contains complex, hidden code. Analysis showed that this code scanned the user's computer for files containing wallets and private keys and sent this data to a server belonging to the attacker, "githubshadow.xyz".
The analysis also reported that the GitHub user claimed to be the developer of the project (zldp2002) managed a large number of fake accounts and aimed to reach more users by forking the project through these accounts. Some forks used a different malicious NPM package, "bs58-encrypt-utils-1.0.3".
After the incident, SlowMist detected through its on-chain analysis tool MistTrack that the attackers transferred some of the stolen cryptocurrencies to the FixedFloat platform. It is believed that the malware attack has been active since June 12, 2025.
SlowMist emphasized that users must be extremely cautious with software downloaded from open-source code platforms like GitHub, particularly projects that involve private keys or wallet transactions. Where running such a project is unavoidable, it is recommended to do so on an isolated machine that does not contain sensitive data.
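
A defensive check for the package-lock.json tampering described above, as an added example that is not code from SlowMist or from the project: it lists lockfile entries whose `resolved` download URL is not an HTTPS URL on the official npm registry. The trusted host list, the function names and the sample lockfile (including its placeholder URL) are assumptions constructed for illustration.

```javascript
// Added example: list lockfile entries not fetched from a trusted registry over HTTPS.
// Assumption: registry.npmjs.org is the only trusted host; add a private mirror if used.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']);

function resolvedHost(resolved) {
  try {
    const u = new URL(resolved);
    return u.protocol === 'https:' ? u.hostname : null; // http, git, file: untrusted
  } catch {
    return null; // not an absolute URL (local path or shorthand)
  }
}

function findUntrustedResolved(lock, trusted = TRUSTED_HOSTS) {
  const findings = [];
  const check = (name, entry) => {
    // Skip the root project, workspace links and entries without a download URL.
    if (!entry || entry.link || typeof entry.resolved !== 'string') return;
    if (!trusted.has(resolvedHost(entry.resolved))) {
      findings.push({ name, version: entry.version, resolved: entry.resolved });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== '') check(path.replace(/^.*node_modules\//, ''), entry);
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry);
      walk(entry.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return findings;
}

// Constructed sample lockfile; the off-registry URL is a placeholder, not the real one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-bot', version: '1.0.0' },
    'node_modules/bs58':
      { version: '5.0.0', resolved: 'https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz' },
    'node_modules/crypto-layout-utils':
      { version: '1.3.1', resolved: 'https://example.invalid/crypto-layout-utils-1.3.1.tgz' },
  },
};
console.log(findUntrustedResolved(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to `findUntrustedResolved` before running `npm install`, and review every entry it returns.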