Guavy AI Editorial Team

TrapDoor Malware Campaign Targets Crypto Developers Across Aptos, Sui, and Solana

A recent malware campaign has been discovered targeting crypto developers across various blockchain platforms, including Aptos, Sui, and Solana. The campaign, named TrapDoor, uses malicious packages published on npm, PyPI, and Crates.io to compromise developer environments and steal sensitive data.

The affected packages are designed to look like useful tools or helpers, making it difficult for developers to detect their malicious intent. Once installed, the malware can execute during install, import, or build, allowing attackers to gain access to wallet keys, deployment credentials, and production infrastructure.

TrapDoor's tactics include using postinstall hooks, build scripts, and AI injection to spread its payload. The campaign has already been reported to affected registries, but the larger lesson is that crypto developers are being targeted at the dependency, build, and AI-assistant layers, which sit closest to sensitive data.

To protect against this threat, developers should audit recent dependency installs, remove listed TrapDoor packages, rotate exposed SSH keys, revoke GitHub and cloud tokens, and inspect Git hooks and shell profiles. Additionally, teams using AI coding tools should check project instruction files for hidden or unexpected content.
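The audit steps above can be partly automated. The following is an added example, not code from the article or from any affected registry: it walks a project tree and lists npm install-time scripts, Cargo build scripts, active Git hooks, and invisible Unicode characters in AI instruction files. The file names in `AI_FILES` are assumptions about common tools, and every finding is a prompt for manual review, since legitimate packages also use these mechanisms.

```python
import json, os, sys, unicodedata

# npm lifecycle scripts that run automatically when a dependency is installed
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumption: instruction-file names used by common AI coding tools; extend as needed
AI_FILES = {"AGENTS.md", "CLAUDE.md", ".cursorrules", "copilot-instructions.md"}

def npm_hooks(manifest_text):
    """Return {hook: command} for install-time scripts declared in a package.json."""
    try:
        scripts = json.loads(manifest_text).get("scripts")
    except (ValueError, AttributeError):  # not JSON, or not a JSON object
        return {}
    if not isinstance(scripts, dict):
        return {}
    return {h: scripts[h] for h in NPM_INSTALL_HOOKS if h in scripts}

def hidden_chars(text):
    """Return (line_no, codepoint) for invisible Unicode format characters (category Cf)."""
    return [(n, f"U+{ord(c):04X}") for n, line in enumerate(text.split("\n"), 1)
            for c in line if unicodedata.category(c) == "Cf"]

def read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit(root):
    """Walk root and return sorted (kind, path, detail) findings for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_git_hooks = dirpath.replace(os.sep, "/").endswith(".git/hooks")
        for name in files:
            path = os.path.join(dirpath, name)
            if in_git_hooks and not name.endswith(".sample"):
                findings.append(("git-hook", path, "active hook script"))
            elif name == "package.json":
                for hook, cmd in npm_hooks(read(path)).items():
                    findings.append(("npm-install-script", path, f"{hook}: {cmd}"))
            elif name == "build.rs":
                findings.append(("cargo-build-script", path, "runs during cargo build"))
            elif name in AI_FILES:
                for line_no, cp in hidden_chars(read(path)):
                    findings.append(("hidden-char", path, f"line {line_no}: {cp}"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit.py [project_dir]; prints one tab-separated finding per line
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it against a checkout after dependencies are installed so that `node_modules` and vendored crates are included in the walk.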