Socket Security just published research on TrapDoor malware: 34 malicious packages targeting developers building on Solana, Aptos, and Sui. If you've installed any npm or PyPI packages from these ecosystems recently, your wallet may already be at risk even if nothing looks wrong yet.
How it works:
The packages execute on install. They silently harvest crypto wallet credentials, SSH keys, cloud credentials, browser-saved passwords, and environment variables — then exfiltrate everything to attacker infrastructure. The theft of your wallet doesn't happen immediately. Attackers wait for the right moment: a large deposit, a token unlock, a liquidity event.
Three things to do right now:
Check if your developer email appeared in an infostealer log: Stealer logs from infected machines are actively traded on criminal Telegram channels. If your email is in one, your credentials from that machine are compromised regardless of whether your wallet looks fine today
