Researchers flag TrapDoor malware campaign targeting crypto developer environments including Aptos, Sui and Solana
The TrapDoor malware campaign has targeted crypto developer environments tied to Aptos, Sui, and Solana through more than 34 malicious packages and over 384 related versions across npm, PyPI, and Crates.io, according to Socket Security. The packages impersonate developer tooling for crypto, DeFi, AI, and security workflows and use postinstall hooks, Python import triggers, and Rust build.rs scripts to steal credentials.
2026-05-25 Source:theblock.co

Researchers at Socket Security identified more than 34 malicious packages across three programming language registries targeting crypto developer environments, including Aptos, Sui, and Solana ecosystems.

Dubbed TrapDoor, the campaign spans npm, PyPI, and Crates.io with over 384 total versions. Malicious packages identified include sui-framework-helpers, sui-move-build-helper, and move-analyzer-build on Crates.io, alongside multiple npm and PyPI packages, Socket researchers said in a statement on Sunday. 

The researchers said the malware is designed to steal SSH keys, wallet keystores, AWS credentials, GitHub tokens, and browser login databases from developer machines. The packages execute through ecosystem-specific mechanisms, including npm postinstall hooks, Python import triggers, and Rust build.rs scripts.
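As an added, defender-side example (not Socket Security's tooling and not code from the report), the following Python script walks an installed dependency tree and lists every npm package that declares an install-time lifecycle script and every Rust crate that ships a build.rs, the two install-time hooks the report names, so they can be reviewed before `npm install` or `cargo build` runs them. Package names in the constructed sample tree are placeholders; Python import-time triggers cannot be found from metadata alone, so the script does not cover them.

```python
# Audit an installed dependency tree for install-time execution hooks.
# Added example; it flags npm lifecycle scripts in package.json and Rust
# build.rs files so a reviewer can inspect them before any install or build.
import json
import tempfile
from pathlib import Path

# npm runs these automatically during install ("prepare" also runs on local installs).
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_npm_hooks(root: Path) -> list:
    """Return (package name, hook, command) for every package.json under root
    that declares an install-time lifecycle script."""
    hits = []
    for pkg_json in root.rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to report
        scripts = meta.get("scripts") or {}
        for hook in NPM_HOOKS:
            if hook in scripts:
                hits.append((meta.get("name", str(pkg_json.parent)), hook, scripts[hook]))
    return hits

def find_build_scripts(root: Path) -> list:
    """Return the path of every build.rs under root (vendor dir or cargo registry)."""
    return sorted(str(p) for p in root.rglob("build.rs"))

def audit(root) -> dict:
    """Run both checks over one directory tree."""
    root = Path(root)
    return {"npm_hooks": find_npm_hooks(root), "build_rs": find_build_scripts(root)}

def demo() -> dict:
    """Constructed sample tree: one benign package, one with a postinstall hook,
    one crate with a build.rs. Names are placeholders, not the real packages."""
    tmp = Path(tempfile.mkdtemp())
    benign = tmp / "node_modules" / "plain-helper"
    benign.mkdir(parents=True)
    benign.joinpath("package.json").write_text(json.dumps({"name": "plain-helper", "scripts": {"test": "node test.js"}}))
    hooked = tmp / "node_modules" / "example-env-auditor"
    hooked.mkdir(parents=True)
    hooked.joinpath("package.json").write_text(json.dumps({"name": "example-env-auditor", "scripts": {"postinstall": "node setup.js"}}))
    crate = tmp / "vendor" / "example-build-helper"
    crate.mkdir(parents=True)
    crate.joinpath("build.rs").write_text("fn main() {}\n")
    return audit(tmp)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `audit()` at a real `node_modules` or `vendor` directory to list the hooks a fresh install would execute; as a blanket control, `npm install --ignore-scripts` skips the npm hooks entirely.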

According to Socket Security, the earliest package observed was the PyPI module [email protected], uploaded on Friday at 20:20 UTC, with a compiled wheel published two minutes later. The packages were released in rapid succession by multiple accounts and appeared across registries in tightly clustered deployment waves, per the report.

The npm packages in the campaign included tools such as crypto-credential-scanner, defi-env-auditor, and wallet-security-checker, while Crates.io packages focused on Sui and Move development tooling, including move-project-builder and sui-sdk-build-utils. PyPI packages included eth-security-auditor and defi-risk-scanner, designed to execute automatically during standard development workflows.

Socket researchers said the package names were crafted to resemble development tooling across crypto, DeFi, AI, and security workflows, targeting environments where cloud credentials, SSH keys, and wallet data may be stored on developer machines.

The firm described the campaign as a low-volume but high-impact operation, with a relatively small number of packages distributed across multiple registries but targeting environments containing high-value authentication and financial credentials.


© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.