Solana, Sui and Aptos wallet data targeted in TrapDoor package attack

A new crypto-theft campaign is targeting the developers most likely to have wallet keys, cloud credentials and production access sitting on their machines.

Researchers at security firm Socket said earlier this week they identified a supply-chain attack called TrapDoor spread across three major open-source programming registries, with more than 34 malicious packages and hundreds of related versions and artifacts.

A key takeaway is that attackers are becoming more focused. In addition to social engineering, which targets individuals holding key information, supply-chain attacks are built not to catch random retail users but developers. Those are the very people who may have wallet files, SSH keys, GitHub tokens, cloud credentials and production access on the same machine they use to build crypto and AI tools.

Socket did not identify victims or stolen funds, but said the packages were live across npm, PyPI and Crates.io and contained payloads that could steal wallet data, exfiltrate credentials, test AWS and GitHub tokens and leave behind files to keep access active.

The packages programmed in JavaScript, Python and Rust were disguised as developer helpers, security scanners, wallet tools, Solidity utilities, AI prompt packages and Sui or Move build helpers.

Boring by design

The names were boring by design. Packages were named “wallet-security-checker,” “defi-risk-scanner,” “solidity-build-guard,” “move-compiler-tools” and “llm-context-compressor,” looking like the kind of small utilities a crypto or AI developer might install without much thought.

Once installed, however, the payloads tried to pull far more than package data.

In the npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens and cloud logins. It also tested some stolen credentials, tried to move into other systems through SSH keys and left behind files that could keep the infection active.

SSH keys are login files that developers use to access servers, code repositories and other machines. If stolen, they can let an attacker move from one compromised laptop into a company’s wider infrastructure.

The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign planted hidden instructions using zero-width Unicode characters, apparently trying to make future AI assistant sessions run fake “security scans” that collected and exfiltrated secrets.

That turned the attack from a normal package stealer into something closer to developer-environment malware. The package install is only the first step, with the real target being the workstation, such as wallets, repos, browser data, cloud keys, SSH access and whatever AI coding tools read next.

The Rust packages used malicious build.rs scripts to run during compilation, targeting sui and move developers. PyPI packages executed remote JavaScript on import. Packages on npm used postinstall hooks.

Socket said it reported the packages to affected registries and classified the campaign packages as malicious. The company also warned that the attacker opened pull requests to AI and developer projects, trying to add .cursorrules and CLAUDE.md files through normal open-source contribution paths.