TrapDoor Malware Campaign Targets Aptos, Solana, and Sui Developer Ecosystems

WikiBit 2026-05-26 23:15

  • TrapDoor malware spread through fake crypto developer packages across registries.
  • Attackers targeted SSH keys, AWS tokens, and wallet credentials in builds worldwide.
  • Researchers linked coordinated uploads to Aptos, Sui, and Solana tooling ecosystems.

Researchers have uncovered a coordinated malware campaign that targets cryptocurrency developers through fake software packages spread across major coding registries. The operation, named TrapDoor, focused on developer environments connected to blockchain ecosystems such as Aptos, Sui, and Solana. Security analysts warned that the campaign aimed to steal sensitive credentials from machines used in crypto development workflows.

Researchers from Socket Security discovered more than 34 malicious packages distributed across npm, PyPI, and Crates.io. Altogether, the campaign involved more than 384 package versions. The attackers designed the software to appear legitimate by mimicking popular development utilities and blockchain tooling.

Malware Targets Developer Credentials

The malicious packages targeted high-value information stored on developer systems. The malware searched for SSH keys, AWS credentials, GitHub access tokens, wallet keystores, and browser login databases. Consequently, compromised systems could expose both personal and corporate infrastructure tied to crypto projects.

Researchers identified several suspicious Rust packages on Crates.io, including sui-framework-helpers, move-analyzer-build, and sui-move-build-helper. Additionally, npm packages carried names such as crypto-credential-scanner and wallet-security-checker. PyPI packages included eth-security-auditor and defi-risk-scanner.

The attackers relied on the automatic execution mechanisms built into each programming ecosystem. The npm packages abused postinstall hooks, the Python modules executed on import, and the Rust packages activated through build.rs scripts during compilation. As a result, developers could infect their machines during ordinary installation procedures without noticing any suspicious behavior.
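A defender can inventory these three execution points in a dependency tree before anything is installed or built. The following is an added example, not code from Socket or from the article: the function names, the sample package names, and the directory layout are assumptions made for illustration. It only detects the default build.rs next to a Cargo.toml, and only bare module-level calls in `__init__.py`.

```python
import ast
import json
import tempfile
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install

def audit_tree(root):
    """Return sorted (vector, path, detail) for code that runs on install, build or import."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            scripts = data.get("scripts") if isinstance(data, dict) else None
            for hook in NPM_HOOKS:
                if isinstance(scripts, dict) and hook in scripts:
                    findings.append(("npm-lifecycle", rel, f"{hook}: {scripts[hook]}"))
        elif path.name == "build.rs" and (path.parent / "Cargo.toml").exists():
            findings.append(("cargo-build-script", rel, "compiled and run by cargo build"))
        elif path.name == "__init__.py":
            try:
                body = ast.parse(path.read_text(encoding="utf-8")).body
            except (OSError, SyntaxError, ValueError):
                continue
            for node in body:  # a bare module-level call runs as soon as the package is imported
                if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
                    findings.append(("python-import-time", rel, f"top-level call, line {node.lineno}"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed dependency tree (hypothetical package names) for the demo."""
    files = {
        "node_modules/demo-hooked/package.json": json.dumps({"scripts": {"postinstall": "node setup.js"}}),
        "node_modules/demo-clean/package.json": json.dumps({"scripts": {"test": "jest"}}),
        "vendor/demo-crate/Cargo.toml": '[package]\nname = "demo-crate"\n',
        "vendor/demo-crate/build.rs": "fn main() {}\n",
        "site-packages/demo_pkg/__init__.py": "import os\n\ndef helper():\n    pass\n\nhelper()\n",
    }
    for rel, text in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_tree(tmp), sep="\n")
```

A finding is not a verdict: many legitimate packages use lifecycle scripts and build scripts, so the output is a review list of code that will run without an explicit call.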

Coordinated Deployment Raised Concerns

Socket researchers traced the earliest known package to a PyPI upload called [email protected]. The package appeared on Friday evening, followed by a compiled wheel release minutes later. Moreover, the researchers observed tightly grouped upload waves across several registries and user accounts.

The deployment pattern suggested organized coordination rather than isolated experimentation. Researchers noted that the attackers intentionally selected names associated with crypto infrastructure, DeFi tooling, AI frameworks, and security auditing utilities. These environments often store financial credentials and privileged authentication keys.

Crypto Development Environments Face Growing Threats

The TrapDoor campaign highlights the increasing risks surrounding open-source software ecosystems supporting digital asset projects. Developers frequently install third-party packages to accelerate workflows, especially within fast-moving blockchain sectors. However, attackers continue exploiting that trust to gain access to sensitive infrastructure.

Security experts urged developers to verify package maintainers carefully before installation. Additionally, organizations should monitor dependency behavior during build processes and isolate critical credentials from development machines. Researchers described the campaign as relatively small in scale yet potentially severe in impact due to the value of targeted systems.
