TrapDoor malware targets crypto dev tools in 34 packages
TrapDoor malware targeted crypto developer tools through more than 34 poisoned packages, raising supply-chain risk for Aptos, Sui and Solana.

TrapDoor malware has hit crypto development tools through more than 34 poisoned packages, Socket Security said in a May 22 report, bringing software supply-chain risk back into view for teams working around Aptos, Sui and Solana.
Socket described TrapDoor as a spread of malicious packages across npm, PyPI and Crates.io, the registries developers use to pull code into applications. The firm said the set covered 384 related versions and was built to steal credentials and wallet data from developer environments. This was not the usual retail scam built around a fake airdrop link.
The market message is narrower, but not harmless. Developer machines sit upstream of smart contracts, wallets, trading tools and infrastructure services. A poisoned dependency can pass through build pipelines before anyone sees an exploit on-chain.
Socket said the earliest package it observed was eth-security-auditor@0.1.0, a PyPI module published at 20:20 UTC on May 22. The name follows a familiar supply-chain tactic: choose something that sounds useful to security teams or blockchain developers, then rely on hurried installations, typo-driven downloads or automated dependency pulls.
The campaign drew crypto-market attention because Aptos, Sui and Solana were named in connection with the packages. Socket’s research, however, described distribution through general-purpose developer registries rather than a single chain’s official infrastructure. That makes attribution to one ecosystem difficult. It also pushes the risk perimeter beyond chain-specific incident dashboards.
Why the toolchain matters
Crypto security coverage usually begins with stolen private keys, bridge hacks or compromised exchange accounts. TrapDoor points to an earlier layer: the workstation, package manager and build script used before code reaches a wallet or protocol. Socket said the malware was designed to collect sensitive data from those environments, including authentication tokens, wallet material and other secrets if developers keep them exposed locally. For teams that move funds through automated deployments, that local exposure can matter long before a user signs a transaction.
Speed is part of the problem. Socket said its median detection time for the TrapDoor packages was 5 minutes and 27 seconds after publication, short by open-source standards but still enough time for automated tooling to pull a dependency into a project. For crypto teams shipping under market pressure, a bad package does not need weeks online if the right build system grabs it once.
For investors, the immediate read is not that Aptos, Sui or Solana suffered protocol-level breaches. The available research points instead to shared infrastructure risk across crypto development, where package registries used by Web2 and Web3 teams alike become attack surfaces. That is harder to price than a single exploit because it sits below token tickers and chain-specific incident dashboards.
The next checks fall to exchanges, wallet providers, validators and application teams that rely on open-source dependencies. Teams can quarantine named packages after a report, but the wider defense is process: pin versions, scan new dependencies, isolate build secrets and treat developer laptops as part of the security perimeter. In crypto, the next market-relevant breach may start before a transaction ever reaches a chain.
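As an added illustration of the process defenses just listed (example code written for this article, not Socket's tooling or anything from its report): a small pre-install gate that rejects unpinned requirements and quarantines any version published less than an assumed 72 hours ago, the window in which a freshly poisoned package is most likely to be pulled before scanners flag it. The registry publish times are constructed sample data so the check runs offline.

```python
"""Pre-install gate for a requirements.txt-style manifest: refuse unpinned
dependencies and hold back releases that went online only minutes ago.
RELEASE_TIMES is constructed sample metadata standing in for a registry lookup."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=72)  # assumed policy value; tune to your release cadence
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.+!-]+)$")

def normalize(name: str) -> str:
    """PEP 503 normalization: 'Eth_Security.Auditor' and 'eth-security-auditor' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed sample registry metadata: normalized name -> version -> UTC publish time.
# The eth-security-auditor entry mirrors the 20:20 UTC, May 22 time quoted above; the year and the other packages are made up.
RELEASE_TIMES = {
    "eth-security-auditor": {"0.1.0": datetime(2025, 5, 22, 20, 20, tzinfo=timezone.utc)},
    "requests": {"2.32.3": datetime(2024, 5, 29, tzinfo=timezone.utc)},
    "web3": {"7.12.0": datetime(2025, 5, 1, tzinfo=timezone.utc)},
}

@dataclass
class Finding:
    requirement: str
    reason: str

def check_manifest(lines, now, release_times=RELEASE_TIMES, min_age=MIN_AGE):
    """Return policy violations; an empty list means the manifest may be installed."""
    findings = []
    for raw in lines:
        req = raw.split("#", 1)[0].replace(" ", "")  # strip comments and whitespace
        if not req:
            continue
        m = PIN_RE.match(req)
        if not m:  # a range such as 'web3>=7' lets a just-published version slip in
            findings.append(Finding(req, "not pinned to an exact version with '=='"))
            continue
        published = release_times.get(normalize(m.group(1)), {}).get(m.group(2))
        if published is None:
            findings.append(Finding(req, "version missing from registry metadata"))
        elif now - published < min_age:
            findings.append(Finding(req, f"published {now - published} ago, under the {min_age} minimum age"))
    return findings

def demo():
    """Run the gate over a constructed manifest at a constructed 'now' of 20:25 UTC, May 22."""
    manifest = ["requests==2.32.3", "web3>=7  # range, not a pin", "eth-security-auditor==0.1.0"]
    return check_manifest(manifest, datetime(2025, 5, 22, 20, 25, tzinfo=timezone.utc))
```

In the demo, the pinned and well-aged requests entry passes, the unpinned web3 range is rejected, and the five-minute-old eth-security-auditor release is quarantined until it clears the minimum age.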
Caleb Mwangi
Crypto correspondent covering bitcoin, ether, altcoins and on-chain markets. Reports from Singapore.