
Solana Tool Steals Crypto From Its Users

A GitHub repository posing as a legitimate Solana trading bot has been exposed as a front for hidden crypto-stealing malware.

According to a Friday report by blockchain security firm SlowMist, the now-deleted solana-pumpfun-bot repository, hosted by the "zldp2002" account, mimicked a real open-source tool in order to harvest users' credentials. SlowMist reportedly launched the investigation after a user discovered on Thursday that their funds had been stolen.

The malicious GitHub repository in question had "a relatively high number of stars and forks," SlowMist said. All commits across its directories were made about three weeks ago, with visible irregularities and none of the consistent pattern that, according to SlowMist, would indicate a legitimate project.

The project is based on Node.js and uses the third-party package crypto-layout-utils as a dependency. "On closer inspection, we found that this package had already been removed from the official NPM registry," SlowMist said.

A screenshot of the now-deleted GitHub repository. Source: SlowMist


A suspicious NPM package

The package could no longer be downloaded from the official Node Package Manager (NPM) registry, which led the investigators to ask how the victim had obtained it. Digging further, SlowMist found that the library had been downloaded from a separate GitHub repository set up by the attacker.
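The detail above is the one a defender can check for mechanically: a dependency that a project pulls from a GitHub repository (or any other non-registry source) rather than from npm. The following Node.js script is an added example, not code from the article or from SlowMist's report; it audits a package.json and package-lock.json and flags dependencies whose source is not the official registry. The sample manifests, the "example-attacker" account and the URLs in them are constructed for illustration.

```javascript
// Added example, not from the article or SlowMist's report: flag Node.js
// dependencies whose source is anything other than the official npm registry.
const REGISTRY = 'https://registry.npmjs.org/';

// A package.json version spec that is a git URL, GitHub shorthand, tarball URL,
// local path or bare "owner/repo" points outside the registry.
function isNonRegistrySpec(spec) {
  return /^(git(\+\w+)?:|github:|https?:|file:|[\w.-]+\/[\w.-]+$)/.test(spec);
}

// Returns [{ name, reason }] for every dependency declared with a non-registry
// spec, resolved outside the registry in the lockfile, or lacking an integrity hash.
function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (isNonRegistrySpec(spec)) {
      findings.push({ name, reason: `non-registry spec in package.json: ${spec}` });
    }
  }
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, '');
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ name, reason: `resolved outside registry: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: 'no integrity hash in lockfile' });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical account and URLs) mirroring the
// pattern in the article: one dependency pinned to a GitHub repository, not npm.
const SAMPLE_PKG = { dependencies: {
  '@solana/web3.js': '^1.95.0',
  'crypto-layout-utils': 'github:example-attacker/crypto-layout-utils',
} };
const SAMPLE_LOCK = { packages: {
  '': { name: 'solana-pumpfun-bot' },
  'node_modules/@solana/web3.js': {
    resolved: 'https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.0.tgz',
    integrity: 'sha512-CONSTRUCTED' },
  'node_modules/crypto-layout-utils': {
    resolved: 'git+ssh://git@github.com/example-attacker/crypto-layout-utils.git#deadbeef' },
} };

console.log(auditDependencies(SAMPLE_PKG, SAMPLE_LOCK));
```

Run against a real project with `auditDependencies(require('./package.json'), require('./package-lock.json'))`; any finding deserves a look before `npm install` is trusted.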

After analyzing the package, SlowMist researchers found that it was heavily obfuscated with jsjiami.com.v7, which makes analysis more difficult. After deobfuscation, the investigators confirmed that it was a malicious package that scans local files and, if it detects content related to wallets or private keys, uploads it to a remote server.


More than one repository

Further investigation by SlowMist revealed that the attacker likely controlled a large number of GitHub accounts. These accounts were used to fork projects into malicious variants, distributing malware while artificially inflating fork and star counts.

Several forked repositories shared similar characteristics, with some versions incorporating another malicious package, bs58-encrypt-utils-1.0.3. That package was created on June 12, which SlowMist researchers said they believe is when the attacker began distributing malicious NPM modules and Node.js projects.

The incident is the latest in a series of software supply chain attacks targeting crypto users. In recent weeks, similar schemes have targeted Firefox users with fake wallet extensions and used GitHub repositories to host credential-stealing code.
