TrapDoor malware targets data from Solana, Sui and Aptos wallets

May 30, 2026

A new cryptocurrency theft campaign targets developers who likely have wallet keys, cloud credentials, and production access on their machines. Researchers at security firm Socket reported earlier this week that they had identified a supply chain attack called TrapDoor that was spreading across three major open source package registries. The attack includes more than 34 malicious packages with hundreds of versions and associated artifacts.

The takeaway is that attackers are becoming more and more targeted. Beyond social engineering aimed at individuals who hold key information, these supply chain attacks are designed to catch developers, not random retail users. These are precisely the people who can have wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machine they use to build crypto and AI tools.

Socket has not identified specific victims or stolen funds. But the company said the packages are available on npm, PyPI and Crates.io. These packages contained payloads capable of stealing wallet data, exfiltrating credentials, testing AWS and GitHub tokens, and leaving files behind to maintain active access.

Boring by design

The packages were written in JavaScript, Python and Rust. They were disguised as developer tools, security scanners, wallet tools, Solidity utilities, AI prompt packages, and Sui or Move build helpers. The names were intentionally boring: “wallet-security-checker”, “defi-risk-scanner”, “solidity-build-guard”, “move-compiler-tools” and “llm-context-compressor”. They looked like the kind of small utility a crypto or AI developer might install without much thought.

However, once installed, the payloads attempted to extract much more than package data. In npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens, and cloud credentials. It also tested some stolen credentials, attempted to move to other systems using SSH keys, and left behind files that could keep the infection active.

SSH keys are login files that developers use to access servers, code repositories, and other machines. If stolen, they can allow an attacker to move from a compromised laptop into a company’s broader infrastructure.

AI tools as attack vectors

The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign embedded hidden instructions using zero-width Unicode characters. These appear intended to get future AI assistant sessions to run fake “security scans” that collect and exfiltrate secrets.

This transformed the attack from a normal package stealer into something closer to malware aimed at the development environment. Installing the package is just the first step. The real target is the workstation: wallets, repositories, browser data, cloud keys, SSH access, and whatever else the AI coding tools will read next.
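A repository can be checked for this kind of hidden content before an AI assistant reads it. The following is an added example, not code from Socket or from the campaign: it flags every Unicode format character (category Cf, which is broader than the zero-width characters the report names) in the two instruction file names mentioned above; the sample text and function names are constructed for illustration.

```python
import unicodedata
from pathlib import Path

# Instruction files named in the article; matched case-insensitively.
AI_RULE_FILES = {".cursorrules", "claude.md"}

# Constructed sample: a harmless-looking rule with three invisible characters appended.
SAMPLE = "Always run the linter.\u200b\u200c\u200d\nUse tabs.\n"


def hidden_chars(text):
    """Return (line, column, description) for each invisible format character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # Unicode category Cf covers zero-width spaces and joiners,
            # bidi controls, the BOM and tag characters.
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return findings


def scan_repo(root):
    """Map each AI instruction file under root to its findings (clean files omitted)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in AI_RULE_FILES:
            # utf-8-sig drops a legitimate leading BOM so it is not reported.
            text = path.read_text(encoding="utf-8-sig", errors="replace")
            hits = hidden_chars(text)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for lineno, col, desc in hidden_chars(SAMPLE):
        print(f"sample:{lineno}:{col}: {desc}")
```

A zero-width joiner inside an emoji sequence is legitimate, so a single hit needs review rather than automatic rejection; a run of consecutive hits in an instruction file does not have an innocent explanation.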

Rust packages used malicious build.rs scripts that run during compilation, targeting Sui and Move developers. PyPI packages executed remote JavaScript during import. Packages on npm used post-installation hooks.

Socket said it reported the packages to the relevant registries and classified the campaign packages as malicious. The company also warned that the attacker opened pull requests to AI and developer projects, attempting to add .cursorrules and CLAUDE.md files via normal open source contribution paths.
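Two of these execution paths leave a static trace that can be inventoried before anything is installed or built. The following is an added example, not Socket's tooling: it lists npm packages that declare install-time lifecycle scripts and Rust crates that ship a default build.rs under a dependency directory. The function name and directory layout are assumptions, and it does not cover import-time execution in Python packages or crates that set a custom build script path in Cargo.toml.

```python
import json
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_time_code(root):
    """List (relative path, kind, command) for code that runs at install or build time."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                manifest = json.loads(path.read_text(encoding="utf-8"))
            except ValueError:
                continue  # unparsable manifest: skip rather than abort the audit
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            if not isinstance(scripts, dict):
                continue
            for hook in NPM_INSTALL_HOOKS:
                if hook in scripts:
                    findings.append((rel, f"npm {hook}", str(scripts[hook])))
        elif path.name == "build.rs":
            # Cargo compiles and runs build.rs on the build host before the crate itself.
            findings.append((rel, "cargo build script", ""))
    return findings


if __name__ == "__main__":
    # Audit the current project tree, e.g. node_modules/ or a vendored crates directory.
    for rel, kind, command in install_time_code("."):
        print(f"{rel}: {kind} {command}".rstrip())
```

Most hits will be benign native-module builds; the value is in reviewing the short list of commands before they run, and in installing with `npm install --ignore-scripts` when a hook cannot be explained.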
