Malicious Packages Targeting Solana, Sui and Aptos Developers Found Across npm, PyPI and Crates.io

A supply-chain attack campaign called TrapDoor planted more than 34 malicious packages across three major open-source registries, security firm Socket disclosed on May 29, 2026, at 8:19 a.m. UTC — targeting crypto and DeFi developers specifically, not retail users.

The packages appeared on npm, PyPI and Crates.io, disguised as legitimate developer utilities. Names like wallet-security-checker, defi-risk-scanner, solidity-build-guard, move-compiler-tools and llm-context-compressor were chosen to look like the kind of small helpers a crypto or AI developer would install without much scrutiny.

Once on a machine, the payloads went after wallet private keys, SSH credentials, GitHub tokens, cloud access and browser data. The npm packages tested stolen credentials and used SSH keys to move laterally into other systems, leaving behind persistent files to keep access alive after the initial infection. The PyPI packages ran remote JavaScript on import. The Rust packages used malicious build.rs scripts that executed at compile time, with that vector aimed specifically at Sui and Move developers.

The campaign's most novel element is an attack on AI coding assistants. Socket said attackers embedded hidden instructions — using zero-width Unicode characters — inside .cursorrules and CLAUDE.md files, which are configuration files that tools like Cursor and Claude Code read for project context. The hidden instructions were designed to make future AI assistant sessions run fake "security scans" that collected and exfiltrated secrets. The attacker also opened pull requests to open-source AI and developer projects, attempting to merge .cursorrules and CLAUDE.md files through normal contribution workflows.

The effect is a two-stage attack: the package install compromises the workstation in the first session; the poisoned AI configuration file ensures any future AI-assisted coding session on that machine becomes an exfiltration vector.

Socket reported the packages to the affected registries and classified the campaign as malicious. The firm said it did not identify confirmed victims or stolen funds at the time of reporting.

The targeting logic is deliberate. Developers building on Solana, Sui and Aptos hold the keys to production infrastructure — wallet files, cloud credentials, code repositories — on the same machines they use to write and deploy code. A single compromised developer workstation can expose far more than a single user's funds.