TrapDoor Attack Targets Solana, Sui and Aptos Developers With Poisoned AI Coding Tools

A supply-chain attack called TrapDoor, identified by security firm Socket and reported by CoinDesk on May 29, 2026 at 8:19 a.m. UTC, has seeded more than 34 malicious packages across npm, PyPI and Crates.io — three of the most widely used open-source registries — specifically targeting developers working on Solana, Sui, Aptos, DeFi and AI tooling.

The packages were engineered to be invisible. Names like "wallet-security-checker," "defi-risk-scanner," "solidity-build-guard," "move-compiler-tools" and "llm-context-compressor" read as the kind of small utilities a crypto or AI developer might install without thinking twice. Once installed, they did not stop at stealing package data. The payloads searched developer machines for private keys, GitHub tokens, cloud credentials, browser data and SSH keys, tested stolen tokens against live AWS and GitHub endpoints and left persistence files behind to keep access active after the initial compromise.

Socket confirmed packages across all three registries used different execution paths to minimize detection. npm packages ran payloads via postinstall hooks. PyPI packages executed remote JavaScript on import. Rust packages targeting Sui and Move developers embedded malicious build.rs scripts that ran automatically during compilation — triggered before a developer could observe unusual behavior.

The most significant escalation is the AI coding assistant angle. Socket found that the attacker used .cursorrules and CLAUDE.md files — the project-level instruction files that tools like Cursor and Claude Code read to get context about a codebase — to plant hidden instructions using zero-width Unicode characters. Those invisible characters are undetectable in a normal file review. The injected instructions told AI assistants to run fake "security scans" that collected and exfiltrated secrets from the developer's environment. The attacker also opened pull requests to real open-source repositories specifically to inject these files through standard contribution workflows, meaning developers who never installed a malicious package could still be exposed if they accepted a poisoned PR.

Socket reported all identified packages to the affected registries. The company confirmed the campaign packages have been classified as malicious. No victims or stolen funds have been publicly confirmed.

The targeting is deliberate. Supply-chain attacks aimed at developers, rather than retail users, reflect a strategic calculation: a single compromised developer machine can hold wallet files, SSH keys with access to production infrastructure, cloud credentials and code repositories. One infected laptop can cascade into an entire organization's backend. The choice of Solana, Sui, Aptos and AI tooling ecosystems — all active, fast-moving developer communities — maximizes the probability of hitting exactly those machines.