Researchers flag TrapDoor malware campaign targeting crypto developer environments including Aptos, Sui and Solana

Researchers at Socket Security identified more than 34 malicious packages across three programming language registries targeting crypto developer environments, including Aptos, Sui, and Solana ecosystems.

Dubbed TrapDoor, the campaign spans npm, PyPI, and Crates.io with over 384 total versions. Malicious packages identified include sui-framework-helpers, sui-move-build-helper, and move-analyzer-build on Crates.io, alongside multiple npm and PyPI packages, Socket researchers said in a statement on Sunday.

The researchers said the malware is designed to steal SSH keys, wallet keystores, AWS credentials, GitHub tokens, and browser login databases from developer machines. The packages execute through ecosystem-specific mechanisms, including npm postinstall hooks, Python import triggers, and Rust build.rs scripts.

According to Socket Security, the earliest package observed was the PyPI module eth-security-auditor@0.1.0, uploaded on Friday at 20:20 UTC, with a compiled wheel published two minutes later. The packages were released in rapid succession by multiple accounts and appeared across registries in tightly clustered deployment waves, per the report.

Start your day with the most influential events and analysis happening across the digital asset ecosystem.