TrapDoor: a large-scale malicious campaign against Sui and Solana developers

Experts have reported on the TrapDoor malicious campaign against Sui and Solana developers

Security experts from Socket Security have discovered a large-scale malicious campaign called TrapDoor, targeting developers in the blockchain ecosystems of Aptos, Sui, and Solana. The aim of this campaign is to compromise the development environments of cryptographic applications by stealing SSH keys, cryptocurrency wallet files, and cloud credentials.

This was reported by Business • Media.

Features of the TrapDoor Malicious Campaign

Experts report that the attackers published over 34 malicious packages, in more than 384 versions, to popular repositories such as npm, PyPI, and Crates.io. Researchers singled out packages such as sui-framework-helpers, move-analyzer-build, and sui-move-build-helper, which were published via Crates.io. The TrapDoor software was designed to steal critical data from developers' computers, including SSH keys, cryptocurrency wallet files, GitHub tokens, AWS credentials, and browser authorization databases.

The infection mechanism varied by programming language and ecosystem: npm postinstall hooks, import-time code execution in Python packages, and build.rs build scripts in Rust crates. Each of these runs code automatically when a package is installed or built, which let the malware pass as a legitimate tool within the software ecosystem.
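The three execution paths named above can be audited before a dependency is trusted. The following is an added example written for this article, not code from Socket Security or from the campaign; it inspects a package.json for install-time lifecycle scripts, determines which build script Cargo would run for a crate, and lists the calls a Python module makes as a side effect of being imported. All sample inputs are constructed.

```python
import ast
import json
import re

# npm lifecycle scripts that run automatically during `npm install`
# (postinstall is the hook named in the article).
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def npm_install_hooks(package_json_text):
    """Return {hook: command} for install-time scripts declared in package.json."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}

def cargo_build_script(cargo_toml_text, crate_files):
    """Return the path of the build script Cargo compiles and runs before the crate,
    or None. Cargo auto-detects build.rs; `build = "..."` in [package] overrides it
    and `build = false` disables auto-detection."""
    m = re.search(r'^\s*build\s*=\s*(false|"[^"]*")', cargo_toml_text, re.MULTILINE)
    if m:
        return None if m.group(1) == "false" else m.group(1).strip('"')
    return "build.rs" if "build.rs" in crate_files else None

def python_import_time_calls(source):
    """Return the callees invoked as a side effect of importing the module: calls in
    top-level statements outside def/class bodies and outside a __main__ guard."""
    calls = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if isinstance(stmt, ast.If) and "__main__" in ast.unparse(stmt.test):
            continue
        calls += [ast.unparse(n.func) for n in ast.walk(stmt) if isinstance(n, ast.Call)]
    return calls

# Constructed sample inputs (hypothetical packages, not ones from the campaign).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "example-helper", "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node setup.js"}})
SAMPLE_CARGO_TOML = '[package]\nname = "example-build-helper"\nversion = "0.1.0"\n'
SAMPLE_CRATE_FILES = {"Cargo.toml", "build.rs", "src/lib.rs"}
SAMPLE_MODULE = (
    "import os\nimport subprocess\nVERSION = '1.0'\n"
    "_home = os.path.expanduser('~')\n"          # runs at import time
    "subprocess.run(['ls', _home])\n"            # runs at import time
    "def helper():\n    return subprocess.check_output(['ls'])\n"  # only when called
    "if __name__ == '__main__':\n    helper()\n"                   # not on import
)

def audit_samples():
    """Run all three checks over the constructed samples and collect the findings."""
    return {"npm": npm_install_hooks(SAMPLE_PACKAGE_JSON),
            "cargo": cargo_build_script(SAMPLE_CARGO_TOML, SAMPLE_CRATE_FILES),
            "python": python_import_time_calls(SAMPLE_MODULE)}
```

A non-empty finding is not proof of malice (many legitimate packages ship build scripts or postinstall steps), but it marks the code a reviewer must read before installing.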

Disguise and Naming of Malicious Packages

Researchers noted that the attackers carefully chose package names to resemble genuine development tools in the fields of artificial intelligence, DeFi, and blockchain. Examples cited by Socket Security include crypto-credential-scanner, wallet-security-checker, defi-env-auditor, and defi-risk-scanner. This tactic allowed TrapDoor to go unnoticed in developer environments, where cloud keys, wallet data, and other confidential information are often stored.

The earliest detected package, [email protected], was uploaded to PyPI on a Friday evening. Experts note that new malicious packages appeared in waves from various accounts, complicating their timely detection and blocking.

“At Socket Security, TrapDoor was characterized as a relatively small but effective operation. It is designed for targeted attacks against developers of cryptographic and DeFi applications.”

Experts also warn that similar campaigns are becoming increasingly common amid the rising interest of attackers in Web3 infrastructure, artificial intelligence tools, and blockchain application development.

Interface detecting the malicious npm package TrapDoor. Data: Socket Security.