Solana, Sui and Aptos wallet data targeted in TrapDoor package attack

Summary

A supply-chain campaign called TrapDoor is targeting developers, especially those building crypto and AI tools, across npm, PyPI, and Crates.io. More than 34 malicious packages and many related versions were found. The packages were disguised as harmless utilities such as wallet checkers, Solidity tools, AI helpers, and Sui/Move build tools. After installation, they tried to steal private keys, passwords, GitHub tokens, cloud credentials, and SSH keys; test stolen credentials; and maintain persistence with leftover files. Some packages executed during installation or import, while Rust packages ran malicious build scripts. A notable tactic was planting hidden instructions in files used by AI coding tools, using zero-width Unicode characters to trigger fake security scans that exfiltrate secrets. The campaign also used normal open-source contribution paths, including pull requests, to insert malicious project files.
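A defender-side check for the zero-width Unicode tactic described above, as an added example that is not from the original article or from any analysis of the campaign: it reports runs of invisible format characters (Unicode category Cf) in text files such as the instruction files read by AI coding tools. The function names and the sample text are constructed for illustration.

```python
import sys
import unicodedata
from pathlib import Path

# Constructed sample (not taken from any TrapDoor package): a leading BOM,
# then five zero-width characters hidden at the end of line 2.
SAMPLE = (
    "\ufeff# Notes for the coding assistant\n"
    "Run the unit tests before committing.\u200b\u200c\u200b\u200d\u200c\n"
    "Use 4-space indentation.\n"
)


def is_invisible(ch):
    # Category Cf: zero-width space/joiners, word joiner, bidi controls, tags.
    return unicodedata.category(ch) == "Cf"


def find_invisible_runs(text):
    """Return one finding per run of consecutive invisible characters."""
    if text.startswith("\ufeff"):
        text = " " + text[1:]  # a leading BOM is a normal encoding marker
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            run = line[start:col]
            findings.append({
                "line": line_no,
                "column": start + 1,
                "length": len(run),  # run length helps triage the finding
                "codepoints": sorted({f"U+{ord(c):04X}" for c in run}),
            })
    return findings


if __name__ == "__main__":
    # Usage: pass file paths as arguments; with no arguments SAMPLE is scanned.
    texts = {p: Path(p).read_text(encoding="utf-8", errors="replace")
             for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    hits = {name: find_invisible_runs(t) for name, t in texts.items()}
    for name, found in hits.items():
        for f in found:
            print(f"{name}:{f['line']}:{f['column']} {f['length']} hidden {f['codepoints']}")
    sys.exit(1 if any(hits.values()) else 0)  # non-zero exit fails a CI step
```

Zero-width joiners also occur legitimately in emoji sequences and in some scripts, so a finding in ordinary prose needs review rather than automatic rejection.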