Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Questor Announces Formation of Special Committee to Support Leadership Transition and Strategy Refresh

July 17, 2026

How AIs Can Reinforce Our False Beliefs

July 17, 2026

Citadel Securities invests $400 million in Crypto.com, valuing exchange at $20 billion

July 16, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»Solana, Sui and Aptos wallet data targeted in TrapDoor package attack
Security

Solana, Sui and Aptos wallet data targeted in TrapDoor package attack

May 30, 2026No Comments3 Mins Read

A new crypto-theft campaign is targeting the developers most likely to have wallet keys, cloud credentials and production access sitting on their machines.

Researchers at security firm Socket said earlier this week they identified a supply-chain attack called TrapDoor spread across three major open-source programming registries, with more than 34 malicious packages and hundreds of related versions and artifacts.

A key takeaway is that attackers are becoming more focused. In addition to social engineering, which targets individuals holding key information, supply-chain attacks are built not to catch random retail users but developers. Those are the very people who may have wallet files, SSH keys, GitHub tokens, cloud credentials and production access on the same machine they use to build crypto and AI tools.

Socket did not identify victims or stolen funds, but said the packages were live across npm, PyPI and Crates.io and contained payloads that could steal wallet data, exfiltrate credentials, test AWS and GitHub tokens and leave behind files to keep access active.

The packages programmed in JavaScript, Python and Rust were disguised as developer helpers, security scanners, wallet tools, Solidity utilities, AI prompt packages and Sui or Move build helpers.

Boring by design

The names were boring by design. Packages were named “wallet-security-checker,” “defi-risk-scanner,” “solidity-build-guard,” “move-compiler-tools” and “llm-context-compressor,” looking like the kind of small utilities a crypto or AI developer might install without much thought.

Once installed, however, the payloads tried to pull far more than package data.

In the npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens and cloud logins. It also tested some stolen credentials, tried to move into other systems through SSH keys and left behind files that could keep the infection active.

See also  Tangem Unveils Tangem Ring Hardware Wallet

SSH keys are login files that developers use to access servers, code repositories and other machines. If stolen, they can let an attacker move from one compromised laptop into a company’s wider infrastructure.

The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign planted hidden instructions using zero-width Unicode characters, apparently trying to make future AI assistant sessions run fake “security scans” that collected and exfiltrated secrets.

That turned the attack from a normal package stealer into something closer to developer-environment malware. The package install is only the first step, with the real target being the workstation, such as wallets, repos, browser data, cloud keys, SSH access and whatever AI coding tools read next.

The Rust packages used malicious build.rs scripts to run during compilation, targeting sui and move developers. PyPI packages executed remote JavaScript on import. Packages on npm used postinstall hooks.

Socket said it reported the packages to affected registries and classified the campaign packages as malicious. The company also warned that the attacker opened pull requests to AI and developer projects, trying to add .cursorrules and CLAUDE.md files through normal open-source contribution paths.

Source link

Aptos attack Data Package Solana Sui Targeted TrapDoor Wallet

Related Posts

International Sting Dismantles Cyprus-Based Crypto Fraud Hub Targeting Benelux Investors

July 16, 2026

Summer.fi to Shut Down Operations Following $6.1 Million Security Breach

July 16, 2026

Summer.fi to Shut Down Operations Following $6.1 Million Security Breach

July 16, 2026

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026
Top Posts

Major US Bank Refuses to Reimburse Customer After Criminal Caught on Camera Stealing Cash From Account: Report

October 28, 2023

Bank of Russia Confirms September Rollout for Digital Ruble, With Top Banks ‘Ready and Connected’

June 7, 2026

JPMorgan urges strong safeguards as congress weighs crypto market structure rules

June 29, 2026

Type above and press Enter to search. Press Esc to cancel.