Aptos, Sui, and Solana Developers Targeted by Coordinated Malware Campaign

A recent malware campaign, known as TrapDoor, has been identified targeting developers in the Aptos, Sui, and Solana ecosystems. Researchers from Socket Security have discovered that the malware injects malicious packages into code repositories, including npm, PyPI, and Crates.io, to steal sensitive data.

The TrapDoor malware is designed to search compromised computers for sensitive information, such as SSH keys, AWS credentials, GitHub tokens, browser login data, API keys, and crypto wallet files associated with Sui, Solana, and Aptos development environments. This data can be used to gain unauthorized access to cloud services, steal cryptocurrency, or compromise developer workstations.

The researchers have noted that the earliest releases of the malware were observed on Friday at 20:20 UTC, suggesting a coordinated attack rather than an opportunistic one. The TrapDoor campaign has also been found to manipulate AI coding assistants by adding hidden instructions into files commonly used by these tools. These instructions attempt to convince AI assistants to perform fake 'security scans' that expose sensitive local files and credentials.