Solana users face malicious project attacks on GitHub, with a high risk of private key theft.
Solana users encounter private key theft incidents: beware of malicious open-source projects
In early July 2025, a Solana user discovered that their crypto assets had been stolen after using an open-source project on GitHub. An investigation by the security team revealed a new type of attack method, which is worth the attention of cryptocurrency users.
The incident was triggered by the victim using an open-source project called "solana-pumpfun-bot." Although the project has received a high number of Stars and Forks on GitHub, its code updates are unusually concentrated and lack the characteristics of continuous maintenance.
In-depth analysis reveals that the project relies on a suspicious third-party package, "crypto-layout-utils". This package has been removed from the official npm registry, and the version number the project specifies does not match the official records. The attacker modified the package-lock.json file to point the download link of the dependency to a GitHub repository under their own control.
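One way to catch the lockfile redirection described above before running `npm install` is to list every dependency whose download link does not point at the npm registry. This is an added example, not code from the investigation or from the project; the function names, the allow-list, and the sample lockfile (account name, versions, integrity value) are constructed placeholders.

```javascript
// Added example. All sample values below are constructed placeholders.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: only the public registry is trusted

// Yield [name, entry] pairs from lockfileVersion 2/3 ("packages") or version 1 ("dependencies").
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== '') yield [path.split('node_modules/').pop(), entry]; // '' is the root project
    }
    return;
  }
  const walk = function* (deps) {
    for (const [name, entry] of Object.entries(deps || {})) {
      yield [name, entry];
      yield* walk(entry.dependencies); // v1 nests transitive dependencies
    }
  };
  yield* walk(lock.dependencies);
}

// Return every dependency whose tarball is not fetched over HTTPS from an allowed registry host.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [name, entry] of lockEntries(lock)) {
    if (typeof entry.resolved !== 'string') continue; // workspace links and bundled deps carry no URL
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* unparsable source: treated as untrusted */ }
    const trusted = url !== null && url.protocol === 'https:' && allowedHosts.has(url.host);
    if (!trusted) {
      findings.push({ name, version: entry.version, resolved: entry.resolved, hasIntegrity: Boolean(entry.integrity) });
    }
  }
  return findings;
}

// Constructed lockfile: one registry dependency, one redirected to a GitHub-hosted tarball.
const SAMPLE_LOCK = {
  name: 'example-bot', lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', version: '1.0.0' },
    'node_modules/bs58': { version: '5.0.0', integrity: 'sha512-CONSTRUCTED',
      resolved: 'https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz' },
    'node_modules/crypto-layout-utils': { version: '0.0.0',
      resolved: 'https://github.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/releases/download/v0.0.0/crypto-layout-utils-0.0.0.tgz' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

Any finding deserves a manual look at the package before installation; legitimate git dependencies will also appear in the output and can be added to an allow-list once reviewed.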
This malicious package is highly obfuscated, and its core function is to scan for sensitive files on the user's computer, particularly those related to cryptocurrency wallets and private keys, and upload this information to a server controlled by the attacker.
The investigation also found that the attackers may have controlled multiple GitHub accounts to distribute malware and enhance project credibility. They not only forked the original project but also inflated the star count to attract more users.
In addition to "crypto-layout-utils", another malicious package named "bs58-encrypt-utils" was also used for similar attacks. This indicates that after npm took action, the attackers shifted to a strategy of directly distributing malicious packages.
Funds tracking shows that a portion of the stolen assets flowed to a certain cryptocurrency exchange platform, which poses a challenge for the subsequent recovery of funds.
This incident highlights the security threats faced by the open-source community. Attackers successfully tricked users into running programs containing malicious code by disguising themselves as legitimate projects and using social engineering techniques. This form of attack is highly deceptive and difficult to completely prevent even within organizations.
To reduce risk, it is recommended that developers and users remain highly vigilant regarding GitHub projects of unknown origin, especially those involving wallet operations. If debugging is necessary, it is best to do so in an isolated environment to avoid sensitive information leakage.
This incident serves as a reminder that in the rapidly evolving cryptocurrency space, security awareness and a cautious attitude are crucial. Users should remain vigilant at all times and treat any operations involving private keys or sensitive information with caution.