TrapDoor Malware Targets Solana, Sui and Aptos Developers

A new malware campaign named TrapDoor is targeting developers within crypto, DeFi, and AI ecosystems, including Solana, Sui, and Aptos. According to Socket Security (Socket) and the Cloud Security Alliance (CSA), this campaign has distributed over 34 malicious packages with 384 versions/artifacts across npm, PyPI, and Crates.io since at least May 22, 2026, aiming to steal wallet files, developer credentials, and other secrets on developers’ machines. This data could pave the way for attackers to compromise private repositories, cloud infrastructure, or development wallets of related projects.

What Happened

TrapDoor is described as a software supply chain attack campaign targeting developer environments, rather than a direct exploit against Solana, Sui, or Aptos. Attackers publish fake packages to popular registries commonly used by developers. These packages are named similarly to legitimate tools like security scanners, wallet checkers, build utilities, or AI tooling, making them easy to be installed during the development process.

According to Socket, TrapDoor has appeared on npm, PyPI, and Crates.io with over 34 malicious packages and more than 384 associated versions/artifacts. CSA stated that this group of packages includes 21 packages on npm, 7 packages on PyPI, and 6 packages on Crates.io. The first confirmed package was [email protected], uploaded to PyPI on May 22, 2026, at 20:20:18 UTC, while some infrastructure indicators suggest that preparation activities may have begun as early as May 19, 2026.

Token-usage-tracker marked as known malware by Socket. Source: Socket.

These packages target developers because their work devices often contain many valuable credentials, ranging from SSH keys, GitHub tokens, and cloud credentials to wallet keystores or private keys used for development.

How the Attack Works

TrapDoor operates by hiding malicious code inside packages that developers might download while building applications. When a package is installed or called within a project, the malicious code can execute automatically without any obvious signs to the user. This is why attacks through package registries are often dangerous: they exploit the very workflow that developers are familiar with.

According to Socket, TrapDoor packages can execute in different ways depending on the platform. On npm, the malware can be triggered immediately after the package is installed. On PyPI, it can run when a developer imports the package in Python. With Crates.io, the malicious code can execute during the compilation of a Rust project.

Once active, TrapDoor scans the developer’s machine for access keys, login tokens, browser data, and wallet-related files. Socket noted that certain credentials, including AWS and GitHub tokens, are even validated against real APIs before being exfiltrated, showing that the attackers prioritize access rights that are still valid. If these credentials are exposed, attackers can move from the developer’s machine to the project’s repositories, servers, CI/CD pipelines, or cloud accounts.

Why This Case Matters

What sets TrapDoor apart from many previous package malware campaigns is that it reaches into workflows using AI coding assistants. According to the Cloud Security Alliance, the malware can install or modify files such as .cursorrules and CLAUDE.md, which are used by Cursor, Claude Code, and similar tools to read instructions within a project.

These files can contain hidden instructions using Unicode characters that are nearly invisible to users, but are still read as text by AI assistants. In some cases, these instructions can prompt the AI tool to suggest or execute actions disguised as a “security scan,” but actually aimed at harvesting secrets on the developer’s machine.

Socket and CSA also recorded that attackers attempted to open pull requests to several open-source AI projects, including LangChain, Langflow, browser-use, llama_index, MetaGPT, and OpenHands, aiming to introduce malicious configuration files into repositories through documentation contributions. These pull requests were detected and closed, with no signs of successful merging.

Impact on Solana, Sui and Aptos

As of May 31, 2026, there are no public reports confirming that TrapDoor has caused specific financial losses or directly compromised the protocols of Solana, Sui, or Aptos. Current findings indicate that the primary target is the developer work environment within these ecosystems.

However, the risk remains significant because developers often have deep access to project infrastructure. A compromised development machine could pave the way for attackers to access the codebase, deployment systems, or wallets used for testing, deploying, and operating applications. With crypto projects, an exposed GitHub token or cloud key could be enough for attackers to modify code, plant backdoors, or pivot to other systems.

Solana, Sui, and Aptos are ecosystems with highly active developer communities, with a frequent need to use SDKs, packages, wallet tooling, and build tools during application development. This makes fake packages look more “contextually correct” when targeting specialized developer groups, rather than just distributing mass malware across registries.

For ecosystems with many SDKs, packages, wallet tooling, and build tools, fake packages can look more familiar in the developer workflow, especially when named similarly to tools serving application development.

What Developers Should Do

Developers who have installed suspicious packages from May 19–22, 2026, onward need to review new dependencies from npm, PyPI, or Crates.io, especially those masquerading as crypto, security, or AI tools. The inspection should also extend to AI configuration files in projects such as .cursorrules, CLAUDE.md, or AGENTS.md, as this is a notable part of the TrapDoor campaign.

If an unusual package or configuration file is detected, the next step is to check Git history, scan the machine, and rotate critical access keys. For developers who have installed packages on the malicious list, associated tokens, cloud credentials, and wallet keys should be replaced immediately, even if no clear signs of exfiltration have been observed yet.

For Solana, Sui, and Aptos developers, the severity lies in the access rights that development machines usually hold, from tooling and test keys to infrastructure serving applications. When these permissions are exposed, the impact can extend beyond individual machines and affect the projects being built or operated.