GitHub malicious projects impersonating Solana Bots lead to users' encryption assets being stolen

robot
Abstract generation in progress

[Bit Push] According to monitoring by the security team, on July 2, a victim reported that they had used an accomplice hosted on GitHub's open source project — zldp2002/solana-pumpfun-bot the day before, after which their encrypted assets were stolen. Analysis reveals that in this attack, the attacker disguised as a legitimate open source project (solana-pumpfun-bot) to lure users into downloading and running malicious code. Under the guise of boosting the project's popularity, users unsuspectingly ran a Node.js project carrying malicious dependencies, leading to the leak of their wallet private keys and asset theft. The entire attack chain involved multiple GitHub accounts working together, expanding the scope of the spread and enhancing credibility, making it highly deceptive. At the same time, such attacks employ both social engineering and technical means, making it difficult to fully defend against them within organizations.

Developers are advised to be highly cautious of unknown GitHub projects, especially when it involves Wallet or Private Key operations. If debugging is necessary, it is recommended to run and debug in a separate machine environment that does not contain sensitive data.

SOL-0.67%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • 6
  • Share
Comment
0/400
OnChainSleuthvip
· 07-06 11:28
So no one verified the signature of this small bot?
View OriginalReply0
LayoffMinervip
· 07-06 01:27
Mining Rig lying at home collecting dusting
View OriginalReply0
RektDetectivevip
· 07-04 12:30
Another sucker has been played for suckers.
View OriginalReply0
AltcoinMarathonervip
· 07-03 12:09
just another mile marker in crypto's security marathon... stay vigilant fam
Reply0
MetaverseLandladyvip
· 07-03 11:55
Play play play and you will know to download, deserved to be stolen.
View OriginalReply0
CommunityWorkervip
· 07-03 11:50
Slipped away, really dare not touch these Bots.
View OriginalReply0
Trade Crypto Anywhere Anytime
qrCode
Scan to download Gate app
Community
English
  • 简体中文
  • English
  • Tiếng Việt
  • 繁體中文
  • Español
  • Русский
  • Français (Afrique)
  • Português (Portugal)
  • Bahasa Indonesia
  • 日本語
  • بالعربية
  • Українська
  • Português (Brasil)