
Security researchers at Socket Security have uncovered a dangerous malware campaign named TrapDoor. It targets crypto developers working in the Aptos, Sui, and Solana ecosystems. The attack involves over 34 malicious packages and more than 384 versions published on npm, PyPI, and Crates.io.
The malicious packages impersonate legitimate developer tools for crypto, DeFi, AI, and security workflows. They rely on npm postinstall hooks, Python import triggers, and Rust build.rs scripts to run automatically. Once installed, the malware steals sensitive data including SSH keys, crypto wallet keystores, AWS credentials, GitHub tokens, and browser login information.
Attackers created fake packages such as sui-framework-helpers, sui-move-build-helper, crypto-credential-scanner, defi-env-auditor, wallet-security-checker, eth-security-auditor, and move-project-builder. These were released quickly by multiple accounts starting from May 23, 2026, aiming at high-value developer environments.
Crypto developers should carefully verify package names, check publishers, and scan dependencies before installation. Avoid running untrusted packages, especially those related to blockchain, DeFi, or security tools. This low-volume but high-impact campaign shows the rising threat of supply chain attacks in the crypto development space. Stay vigilant.
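As an added example (not code from Socket Security or from the report), the dependency check recommended above can be scripted: the sketch below walks a project tree, matches dependency names against the seven package names listed in this article, and lists every npm install-time hook for manual review. It assumes manifests named package.json, requirements.txt and Cargo.lock, and it checks each name in all three ecosystems because the article does not say which registry each package was published to.

```python
import json
import re
from pathlib import Path

# Names taken from the article above; the campaign has more packages than it lists.
REPORTED = {
    "sui-framework-helpers", "sui-move-build-helper", "crypto-credential-scanner",
    "defi-env-auditor", "wallet-security-checker", "eth-security-auditor",
    "move-project-builder",
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run at install time

def normalize(name):
    # PyPI treats "-", "_" and "." as equivalent and ignores case; crates.io equates "-" and "_"
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_package_json(text):
    manifest = json.loads(text)
    sections = ("dependencies", "devDependencies", "optionalDependencies")
    deps = [n for s in sections for n in manifest.get(s) or {}]
    found = [("reported", n) for n in deps + [manifest.get("name")] if n in REPORTED]
    scripts = manifest.get("scripts") or {}
    # Install hooks are common in legitimate packages too: this is a review list, not a verdict.
    return found + [("install-hook", f"{h}: {scripts[h]}") for h in INSTALL_HOOKS if h in scripts]

def audit_names(names):
    return [("reported", normalize(n)) for n in names if normalize(n) in REPORTED]

def audit_requirements(text):
    specs = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return audit_names(re.split(r"[\s<>=!~;\[@]", s, maxsplit=1)[0] for s in specs)

def audit_cargo_lock(text):
    return audit_names(re.findall(r'^name = "([^"]+)"', text, flags=re.M))

AUDITORS = {"package.json": audit_package_json, "requirements.txt": audit_requirements,
            "Cargo.lock": audit_cargo_lock}

def audit_tree(root):
    """Map each manifest under root (node_modules included) to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.name in AUDITORS and path.is_file():
            try:
                found = AUDITORS[path.name](path.read_text(encoding="utf-8"))
            except (ValueError, OSError, AttributeError, TypeError):
                found = [("unreadable", path.name)]  # malformed manifests are worth a look too
            if found:
                report[str(path.relative_to(root))] = found
    return report

if __name__ == "__main__":
    print(json.dumps(audit_tree("."), indent=2))
```

A name match only covers the packages this article names, so an empty report does not clear a project of the other packages in the campaign.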
