SlowMist: Popular Solana tool on GitHub hides coin-theft trap
According to online reports citing the SlowMist security team, on July 2 a victim reported that he had used an open source project hosted on GitHub, zldp2002/solana-pumpfun-bot, the day before, and that his crypto assets were subsequently stolen. According to SlowMist's analysis, the attacker in this case disguised malicious code as a legitimate open source project (solana-pumpfun-bot) to induce users to download and run it. Under the cover of the project's high popularity, users unsuspectingly ran a Node.js project with malicious dependencies, resulting in the disclosure of wallet private keys and the theft of assets. The entire attack chain involved the coordinated operation of multiple GitHub accounts, which expanded the scope of its spread, increased its credibility, and made it extremely deceptive. At the same time, attacks of this kind combine social engineering with technical means, making them difficult to fully defend against within an organization. SlowMist advises developers and users to be highly vigilant about GitHub projects of unknown origin, especially when wallet or private key operations are involved. If you really need to run or debug such a project, it is recommended to do so in an isolated machine environment that holds no sensitive data.