SlowMist: Popular Solana tool on GitHub hides a coin-stealing trap

PANews reported on July 3 that, according to the SlowMist security team, a victim claimed on July 2 that his crypto assets were stolen after he had used an open source project hosted on GitHub, zldp2002/solana-pumpfun-bot, the day before. According to SlowMist's analysis, the attacker disguised the malicious code as a legitimate open source project (solana-pumpfun-bot) to induce users to download and run it. With the project's boosted popularity as cover, the user ran the Node.js project and its malicious dependencies without any precautions, which leaked the wallet private key and led to the theft of assets. The entire attack chain involved multiple GitHub accounts operating in coordination, which widened its reach and enhanced its credibility, making it extremely deceptive. Because this type of attack combines social engineering with technical means, it is difficult to fully defend against within an organization.

SlowMist recommends that developers and users be highly vigilant about unknown GitHub projects, especially where wallet or private key operations are involved. If you really need to run and debug such a project, do so in an independent machine environment that holds no sensitive data.

Author: PA一线
