TrapDoor malware in package registries targets Aptos, Sui, Solana
Socket Security found 34+ malicious packages across npm, PyPI and Crates.io that steal SSH keys, wallet keystores, AWS credentials and GitHub tokens from blockchain developers.
Researchers at Socket Security identified a campaign called TrapDoor that placed more than 34 malicious packages across the npm, PyPI and Crates.io registries. The firm counted over 384 distinct package versions and traced the earliest upload to a PyPI module, [email protected], published Friday at 20:20 UTC with a compiled wheel two minutes later.
The packages targeted developers working on Aptos, Sui, Solana and Move-related projects. The payloads were designed to collect SSH private keys, browser login databases, wallet keystores, AWS credentials and GitHub tokens from developer machines.
Malicious code executed automatically through registry-specific mechanisms: npm postinstall hooks, Python import-time triggers and Rust build.rs scripts that run during compilation. Package names were chosen to resemble legitimate tooling for crypto, DeFi, AI and security workflows. Examples on Crates.io included sui-framework-helpers, sui-move-build-helper, move-analyzer-build, move-project-builder and sui-sdk-build-utils. npm examples included crypto-credential-scanner, defi-env-auditor and wallet-security-checker, and PyPI entries included eth-security-auditor and defi-risk-scanner.
Socket Security reported the packages appeared in rapid succession across multiple accounts in tightly clustered waves. The releases and automatic execution paths increased the chance that a package would run during normal development actions such as installing dependencies or importing modules.
Socket Security advised developers working on Aptos, Sui, Solana and Move projects to review recent dependency changes and verify packages that resemble familiar tooling. The firm provided a list of identified package names and technical indicators for teams to use in incident response and scanning.
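The three execution paths named above (npm lifecycle hooks, import-time Python code and Cargo build scripts) are exactly what a dependency review should look for. The script below is an added example written for this article, not Socket Security's scanner or any tooling from the affected projects: it audits a package.json, a package `__init__.py` and a Cargo.toml for those paths and checks names against the package names quoted in the article. The indicator set is only the names printed here, not the firm's full list, and the set of callee names treated as suspicious at import time is an assumption for illustration; the sample inputs are constructed.

```python
"""Audit helper for the three execution paths named in the article: npm lifecycle
hooks, Python import-time code and Cargo build scripts. Added illustration, not
Socket Security's scanner; indicator names are the ones quoted in the article."""
from __future__ import annotations
import ast
import re

# Package names quoted in the article (not the full indicator list).
TRAPDOOR_INDICATORS = {
    "npm": {"crypto-credential-scanner", "defi-env-auditor", "wallet-security-checker"},
    "pypi": {"eth-security-auditor", "defi-risk-scanner"},
    "crates": {"sui-framework-helpers", "sui-move-build-helper", "move-analyzer-build",
               "move-project-builder", "sui-sdk-build-utils"},
}
# npm scripts that run during `npm install` without any action by the developer.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Callee names that commonly stage or launch a payload when seen at import time
# (assumed heuristic list, tune for your code base).
SUSPICIOUS_CALLS = {"exec", "eval", "system", "popen", "Popen", "run",
                    "check_output", "urlopen", "b64decode"}


def _name_match(ecosystem: str, name: str) -> list[str]:
    if name in TRAPDOOR_INDICATORS[ecosystem]:
        return [f"{name}: name matches TrapDoor indicator list ({ecosystem})"]
    return []


def audit_npm_manifest(manifest: dict) -> list[str]:
    """Findings for one package.json dict: indicator match plus any lifecycle hook."""
    name = manifest.get("name", "<unnamed>")
    findings = _name_match("npm", name)
    scripts = manifest.get("scripts") or {}
    for hook in NPM_LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: '{hook}' runs on install: {scripts[hook]!r}")
    return findings


def audit_python_init(source: str, dist_name: str) -> list[str]:
    """Findings for a package __init__.py: calls executed at import time, i.e. at
    module top level rather than inside a def or class body."""
    findings = _name_match("pypi", dist_name)
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # body only runs when called, not on import
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            func = node.func
            callee = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if callee in SUSPICIOUS_CALLS:
                findings.append(f"{dist_name}: import-time call to {callee}() at line {node.lineno}")
    return findings


def audit_cargo_manifest(cargo_toml: str, has_build_rs: bool) -> list[str]:
    """Findings for a crate: indicator match plus a build script, which Cargo runs at
    compile time whether declared with `build = ...` or auto-detected as build.rs."""
    m = re.search(r'^\s*name\s*=\s*"([^"]+)"', cargo_toml, re.M)
    name = m.group(1) if m else "<unnamed>"
    findings = _name_match("crates", name)
    declared = re.search(r'^\s*build\s*=\s*"([^"]+)"', cargo_toml, re.M)
    if declared:
        findings.append(f"{name}: build script {declared.group(1)!r} runs at compile time")
    elif has_build_rs:
        findings.append(f"{name}: build.rs present, runs at compile time")
    return findings


# Constructed sample inputs (not real package contents).
SAMPLE_NPM = {"name": "wallet-security-checker", "version": "1.0.3",
              "scripts": {"postinstall": "node setup.js"}}
SAMPLE_INIT = (
    "import base64, subprocess\n"
    "def scan():\n"
    "    return 'constructed benign helper'\n"
    "BLOB = base64.b64decode('aGVsbG8=')\n"
    "subprocess.run(['echo', 'constructed sample'])\n"
)
SAMPLE_CARGO = '[package]\nname = "sui-move-build-helper"\nversion = "0.1.0"\n\n[dependencies]\nserde = "1"\n'


def run_demo() -> dict[str, list[str]]:
    """Run all three audits over the constructed samples and return the findings."""
    return {
        "npm": audit_npm_manifest(SAMPLE_NPM),
        "pypi": audit_python_init(SAMPLE_INIT, "defi-risk-scanner"),
        "crates": audit_cargo_manifest(SAMPLE_CARGO, has_build_rs=True),
    }


if __name__ == "__main__":
    for eco, findings in run_demo().items():
        for line in findings:
            print(f"[{eco}] {line}")
```

In practice the npm check is run over every `node_modules/*/package.json` after a lockfile change, the Python check over each installed distribution's `__init__.py`, and the Cargo check over each crate under `~/.cargo/registry/src`. A hook or build script is not malicious by itself; the point is to surface every package that gains code execution at install or import time so that a reviewer can look at what it does before trusting it.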