A GitHub repository posing as a legitimate Solana trading bot has been exposed as a front for cryptocurrency-stealing malware.
According to a Friday report from blockchain security firm SlowMist, the now-deleted solana-pumpfun-bot repository, hosted under the “zldp2002” account, imitated a genuine open-source tool in order to harvest user data. SlowMist said it opened its investigation after a user discovered on Thursday that their funds had been stolen.
The malicious GitHub repository showed “a relatively high number of stars and forks,” SlowMist said. Yet all of the code across its directories had been committed about three weeks earlier, with visible inconsistencies and none of the steady commit history that, according to SlowMist, would indicate a legitimate project.
The project is built on Node.js and pulls in a third-party package, crypto-layout-utils, as a dependency. “After further inspection, we found that this package has already been removed from the official NPM registry,” SlowMist said.
Because the package could no longer be downloaded from the official node package registry (npm), investigators asked how the victim had obtained it. Digging further, SlowMist found that the attacker had the project fetch the library from a separate GitHub repository instead.
On analyzing the package, SlowMist researchers found it had been heavily obfuscated with jsjiami.com.v7, which made it difficult to read. After deobfuscating it, investigators confirmed it was a malicious package that scans local files and, when it finds content related to wallets or private keys, uploads them to a remote server.
Further investigation by SlowMist revealed that the attacker likely controlled a batch of GitHub accounts. These accounts were used to fork the project into malicious variants, spreading the malware while artificially inflating its fork and star counts.
Several of the repositories showed similar traits, and some versions carried another malicious package, bs58-encrypt-utils-1.0.3. That package was created on June 12, which SlowMist researchers said is when they believe the attacker began distributing the malicious npm modules and Node.js projects.
The incident is the latest in a series of supply-chain attacks targeting crypto users. In recent weeks, similar schemes have targeted Firefox users with fake wallet extensions and used GitHub repositories to host credential-stealing code.