A fake GitHub repository posing as a Solana trading bot was used to distribute malware that stole cryptocurrency wallet credentials. The repository, since deleted, was hosted under the account 'zldp2002' and mimicked a legitimate tool in order to lure users into running it. Cybersecurity firm SlowMist opened an investigation after users reported stolen funds. The project was written for Node.js and depended on a third-party package that had already been removed from the npm registry; investigators found that the project instead fetched the malicious library from a separate GitHub repository controlled by the attacker, and that the library was heavily obfuscated to evade detection. After de-obfuscation, the package was confirmed to scan local files for wallet-related content and private keys and upload whatever it finds to a remote server. Further scrutiny revealed a network of attacker-controlled GitHub accounts that forked various projects to distribute the malware while inflating their apparent legitimacy through star and fork counts. The incident is part of a recent trend of attacks targeting crypto users through fake tools and extensions, and it adds to concerns about software supply chain security.
