GitHub Security Alert: Fake Repositories Distribute Malware Targeting Crypto Wallets

  • SlowMist researchers have detected a sophisticated attack using fraudulent GitHub repositories that appeared to be legitimate Solana trading projects.
  • The malicious code, pulled in as a Node.js dependency from an attacker-controlled repository, scanned the victim's machine for wallet private keys and sent them to an external server; funds stolen with those keys were later traced to external services.
  • The attackers used a network of fake accounts to boost the projects' credibility by manipulating public metrics such as stars and forks.
  • The developer community should exercise extreme caution and verify the provenance and dependencies of any software before using it, especially in applications that manage digital assets.


GitHub is back in the news after the detection of a major malware distribution scheme that directly affects the ecosystem of open source projects related to cryptocurrencies. The investigation, led by the cybersecurity firm SlowMist, has revealed how several repositories supposedly focused on trading on the Solana network were used as bait to drain funds from unsuspecting users' wallets.

The case became public when a user reported the loss of funds from his wallet after downloading and running what he believed to be a legitimate trading bot for Solana. The repository in question, hosted under the account zldp2002 and named solana-pumpfun-bot, had attracted the community's attention by quickly accumulating a high number of stars and forks. Far from being a sign of reliability, that activity masked the project's true malicious nature.

The key to the attack was a dependency called crypto-layout-utils, which had already been removed from the official npm registry. To keep the backdoor installable despite that removal, the attackers edited the repository's package-lock.json so that the package was downloaded from an attacker-controlled URL on GitHub instead of from the registry. After analyzing the code, researchers confirmed that it included routines to scan local files for private keys and wallet material and send them to an external server under the criminals' control.

An orchestrated network of fake accounts was used to clone and fork multiple variants of these projects, artificially inflating their metrics and widening the reach of the malware distribution campaign. In some forks a second suspicious dependency was also detected, bs58-encrypt-utils-1.0.3, used in the same way to keep the scheme running even after the original package was removed from npm.

Funds diverted to external services and increasing sophistication of the attack


SlowMist's on-chain investigation allowed some of the stolen funds to be traced; they were transferred to the FixedFloat platform. This shows the degree of preparation behind the attack, which combined dependency manipulation in open source environments with mechanisms for laundering and concealing the stolen money.

Experts warn that incidents of this kind reflect a rising trend in the sophistication of attacks on the software supply chain. Beyond attacking packages on registries like npm, cybercriminals are exploiting the prestige and popularity of platforms like GitHub to spread malware under a legitimate guise, multiplying the risk for developers and users who rely on these projects.

Recommendations for the community: take extreme precautions and avoid running unverified open source tools, especially ones that handle digital assets or private keys. It is crucial to review the provenance of repositories, analyze their dependencies (the lockfile as well as package.json, since that is where this attack hid its redirect), and, whenever possible, run unfamiliar tools in an isolated test environment with no real keys to limit the damage.


This incident highlights yet another weakness in collaborative code development and reinforces the importance of staying vigilant and always verifying a tool's origin and contents before incorporating it into a workflow.

The increasing sophistication of these attacks puts GitHub in the spotlight for future campaigns. The developer community must therefore strengthen its security culture and contribute to the rapid detection of threats by sharing information and good practices.

It is critical to stay up to date on the tactics attackers employ on GitHub and to implement additional security measures for open source projects, particularly in sensitive sectors like crypto.
