A new malware <\/b>campaign named <\/span>TrapDoor<\/b> is targeting developers within crypto, DeFi, and AI ecosystems, including <\/span>Solana<\/b>, <\/span>Sui<\/b>, and <\/span>Aptos<\/b>. According to Socket Security (Socket) and the Cloud Security Alliance (CSA), this campaign has distributed over 34 malicious packages with 384 versions\/artifacts across npm, PyPI, and Crates.io since at least May 22, 2026, aiming to <\/span>steal wallet files<\/b>, developer credentials, and other secrets on developers\u2019 machines. This data could pave the way for attackers to compromise private repositories, cloud infrastructure, or development wallets of related projects.<\/span><\/p>\n TrapDoor is described as a <\/span>software supply chain attack <\/b>campaign targeting developer environments, rather than a direct exploit against Solana, Sui, or Aptos. Attackers publish fake packages to popular registries commonly used by developers. These packages are named similarly to legitimate tools like security scanners, wallet checkers, build utilities, or AI tooling, making them easy to be installed during the development process.<\/span><\/p>\n According to <\/span>Socket<\/span><\/a>, TrapDoor has appeared on npm, PyPI, and Crates.io with<\/span> over 34 <\/b>malicious packages and more than <\/span>384<\/b> associated versions\/artifacts. <\/span>CSA<\/span><\/a> stated that this group of packages includes 21 packages on npm, 7 packages on PyPI, and 6 packages on Crates.io. The first confirmed package was <\/span>[email\u00a0protected]<\/a><\/b>, uploaded to PyPI on May 22, 2026, at 20:20:18 UTC, while some infrastructure indicators suggest that preparation activities may have begun as early as May 19, 2026.<\/span><\/p>\nWhat Happened<\/b><\/h2>\n
![\"Token-usage-tracker](\"https:\/\/nftplazas.com\/wp-content\/uploads\/2026\/05\/HJF8_HrXsAAK64K.jpeg\")