Analysis of Malicious NPM Package Theft of Solana Users' Private Keys

In early July 2025, a malicious attack targeting Solana users was exposed. The attackers disguised themselves as a legitimate open-source project, luring users to download and run a Node.js project containing malicious code, thereby stealing users' wallet Private Keys and crypto assets.

Event Process

On July 2nd, a victim contacted the security team, stating that their cryptocurrency assets were stolen after using the open-source project "solana-pumpfun-bot" on GitHub. The security team immediately launched an investigation.

The investigation found that there is an anomaly in the GitHub project:

1. The code submission time was concentrated three weeks ago, lacking continuous updates.
2. The project relies on a suspicious third-party package "crypto-layout-utils"
3. This dependency package has been removed by the official NPM, and the specified version does not exist in the NPM historical records.

Further analysis revealed that the attacker replaced the download link for "crypto-layout-utils" in package-lock.json with a GitHub repository address they control.

Malicious Code Analysis

The security team downloaded and analyzed the suspicious dependency package, discovering that it contained highly obfuscated malicious code. This code implemented the following functions:

1. Scan the user's computer files for wallet or Private Key related content.
2. Upload the discovered sensitive information to the server controlled by the attacker.

Attack Methods

1. Control multiple GitHub accounts, fork and distribute malicious projects
2. Increase the number of Forks and Stars for high-profile projects to enhance credibility.
3. Replace the NPM package download link to bypass official review
4. Use obfuscation to increase analysis difficulty

Capital Flow

Using on-chain analysis tools, it was found that some of the stolen funds were transferred to a certain cryptocurrency exchange.

Security Recommendations

1. Exercise caution with GitHub projects of unknown origin, especially those involving wallet operations.
2. Run and debug third-party code in an independent environment without sensitive data.
3. Regularly check system security and timely update software and protective measures.

This incident once again emphasizes the importance of staying vigilant when handling crypto assets. Attackers are constantly innovating their methods, and both users and developers need to enhance their security awareness and take necessary protective measures.