Solana wallet hit by malicious NPM package attack hiding Private Key theft functionality
Solana user assets stolen, malicious NPM package hides Private Key theft functionality
In early July 2025, a cryptocurrency user sought help from the security team, stating that their wallet assets were stolen after using an open-source project on GitHub called solana-pumpfun-bot. After an in-depth investigation, security experts revealed a meticulously planned attack.
Investigators first examined the GitHub project and found that its commit timestamps were unusually concentrated, lacking the pattern of continuous updates that a genuinely maintained project shows. Further analysis of the project's dependencies revealed a suspicious third-party package called crypto-layout-utils. This package had already been removed from the official NPM registry, and the version the project specified does not appear in the registry's version history.
By examining the package-lock.json file, experts found that the attacker had replaced the download link for crypto-layout-utils with a link to a file hosted in a GitHub repository. The substituted package was heavily obfuscated, which made analysis harder. It was ultimately confirmed to be a malicious NPM package that scans the user's computer for sensitive files and uploads any wallet Private Keys it finds to a server controlled by the attacker.
The investigation also found that the attackers may have controlled multiple GitHub accounts to distribute the malware and lend the project credibility. They inflated the project's popularity by forking and starring it, enticing more users to download and use it. Some of the forked projects also used another malicious package, bs58-encrypt-utils-1.0.3.
This attack combined social engineering and technical means, exhibiting a high degree of deception. The attackers disguised themselves as legitimate open-source projects, leveraging users' trust in GitHub projects to trick them into downloading and running code with malicious dependencies, ultimately leading to the leakage of the Private Key and theft of assets.
Security experts recommend that developers and users remain highly vigilant towards GitHub projects of unknown origin, especially when a project involves wallet or Private Key operations. If debugging such a project is necessary, it is best to do so in an isolated environment that holds no sensitive data.
This event highlights the security challenges faced by the open-source community, reminding us to exercise extra caution when using third-party code, while also calling for strengthened security oversight of the open-source ecosystem.