A coordinated supply chain attack is spreading malicious code across the developer ecosystems for Aptos, Sui Network, and Solana, with security researchers detecting 34 malicious packages and 384 versions designed to drain wallets and steal credentials.
Socket Security flagged the campaign, dubbed TrapDoor, across npm, PyPI, and Crates.io, with a median detection time of five minutes and 27 seconds. The fastest catch came 58 seconds after publication. Several packages remained live as of Sunday.
The attack targets crypto, DeFi, AI, and security developers. Once installed, the packages execute scripts that scan for SSH keys, wallet data, cloud credentials, GitHub tokens, browser profiles, environment variables, and API keys. Rust-based payloads on Crates.io specifically hunt for Sui and Move keystores, encrypt the data with a hardcoded XOR key, and exfiltrate to GitHub Gists. Python packages on PyPI auto-execute on import, download remote JavaScript from an attacker-controlled GitHub Pages domain, and run it via node. npm packages use postinstall hooks to pull down the same payload.
Persistence and Lateral Movement
TrapDoor establishes persistence through cron jobs, systemd services, and Git hooks. Stolen SSH keys enable lateral movement across developer networks. AWS and GitHub credentials expose private repositories, CI/CD pipelines, and deployment environments. The campaign validates stolen credentials in real time by calling AWS and GitHub APIs.
One novel vector: the malware implants .cursorrules and CLAUDE.md files with hidden instructions encoded in zero-width Unicode characters. The goal is to trick AI coding assistants (Cursor, Claude) into running what appears to be a security scan that silently exfiltrates secrets. Pull requests containing these payloads have appeared in repositories for browser-use, langchain-ai, and langflow-ai.
Same Playbook, New Scale
Supply chain attacks on package managers aren’t new, but TrapDoor combines typosquatting, ecosystem-specific execution hooks, and AI assistant injection in a single campaign. External payload hosting on GitHub Pages lets attackers update malicious behavior without publishing new package versions, complicating remediation.
Developers who installed suspicious packages should rotate AWS keys, GitHub tokens, and SSH keys immediately. Lockfiles deserve audits for unexpected version changes. AI configuration files (.cursorrules, CLAUDE.md) should be inspected for hidden characters. The campaign underscores a risk that’s been theoretical until now: AI development environments as part of the attack surface.
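One way to run the hidden-character inspection recommended above, as an added example that is not from Socket or from the original article. It assumes the hidden text uses characters in the Unicode "format" (Cf) category, which covers the zero-width space and joiners; the function names are hypothetical.

```python
import sys
import unicodedata
from pathlib import Path

# File names taken from the article; extend for other assistant config files.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}


def find_invisible(text):
    """Return (line, column, codepoint, name) for each invisible format character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            # Assumption: Cf (format) covers the zero-width characters of interest,
            # e.g. U+200B, U+200C, U+200D, U+2060, U+FEFF, plus bidi controls.
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def scan_tree(root):
    """Walk root and map each AI config file containing hits to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_CONFIG_NAMES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_invisible(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    # Usage: python scan_ai_config.py [repo_root]; exits 1 if anything is found.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = scan_tree(root)
    for file, hits in findings.items():
        for lineno, col, cp, name in hits:
            print(f"{file}:{lineno}:{col}: {cp} {name}")
    sys.exit(1 if findings else 0)
```

A leading byte-order mark or a zero-width joiner inside an emoji sequence will also be reported, so review each hit before treating the file as tampered with.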
Your npm install is now part of your threat model. The package you trusted yesterday might be malware today.
