DEV Community: Andrew Gibbs

34 malicious packages discovered targeting Solana developers: Steals wallet credentials and SSH keys

Andrew Gibbs — Sun, 31 May 2026 22:10:58 +0000

Socket Security just published research on TrapDoor malware: 34 malicious packages targeting developers building on Solana, Aptos, and Sui. If you've installed any npm or PyPI packages from these ecosystems recently, your wallet may already be at risk even if nothing looks wrong yet.

How it works:

The packages execute on install. They silently harvest crypto wallet credentials, SSH keys, cloud credentials, browser-saved passwords, and environment variables — then exfiltrate everything to attacker infrastructure. The theft of your wallet doesn't happen immediately. Attackers wait for the right moment: a large deposit, a token unlock, a liquidity event.

Three things to do right now:

Check if your developer email appeared in an infostealer log: Stealer logs from infected machines are actively traded on criminal Telegram channels. If your email is in one, your credentials from that machine are compromised regardless of whether your wallet looks fine today

Audit your browser extensions: TrapDoor harvests browser data. Malicious extensions re-harvest credentials on every login after initial infection. Remove anything you don't actively use or can't verify

Move assets to a fresh wallet on a clean device if you installed packages from affected ecosystems in the last 30 days and can't confirm they were clean

The on-chain monitoring fires after the transfer is already out. The attack starts in your dev environment, not on the blockchain.

Full breakdown with remediation steps: https://medium.com/p/a4343023b319

Your Okta Is Only As Strong As Your SIM Card

Andrew Gibbs — Mon, 18 May 2026 21:32:52 +0000

Most security teams sleep well knowing MFA is enforced in Okta,
Azure AD, or Duo. Then someone ports an employee's phone number to
a burner SIM in under 10 minutes and the identity perimeter
unravels silently.

This is the SIM swap blind spot in enterprise identity. Almost
nobody is talking about it.

The attack chain

Attacker identifies target via LinkedIn
Calls carrier, provides scraped personal data (DOB, address, last 4 SSN — all available from prior breaches)
Carrier ports the number. Target loses mobile service.
Attacker hits the Okta portal, triggers SMS OTP or recovery
Code arrives on attacker's device. Session established.

Total time: under 30 minutes. No malware. No zero-day.

Where Okta and SMS intersect

SMS OTP as primary factor — Many Okta deployments enable SMS
because app-based authenticators create support tickets. If SMS is
an allowed factor, a SIM-swapped number gives the attacker a live
OTP delivery channel. Your policy is satisfied. Access granted.

Account recovery fallback — Even if primary MFA uses Okta
Verify or TOTP, recovery often falls back to SMS. That single
fallback path is all an attacker needs.

Downstream email compromise — Gmail and Outlook offer SMS
account recovery. SIM swap the employee → reset their Google
account → own the email Okta is registered to. Game over.

The carrier layer is outside Okta's scope

Okta, Microsoft, and Duo will tell you to use phishing-resistant
MFA. They're right. But the carrier layer is invisible to every
identity platform — always has been.

Detecting it with code

SIM swap detection requires querying carrier data directly. Here's
how to check whether a number has been ported before triggering
account recovery or a high-risk action:

REST API (Python)


python
import requests

def check_sim_swap(phone: str) -> dict:
    """
    Returns swapped (bool), swap timestamp, and current carrier.
    Call before any high-risk action gated by SMS-based auth.
    """
    response = requests.post(
        "https://xhh3tfrhng.execute-api.us-east-1.amazonaws.com/prod/v1/sim-swap",
        headers={"x-api-key": "YOUR_RAPIDAPI_KEY"},
        json={"phone": phone}
    )
    return response.json()

result = check_sim_swap("+14155551234")

if result.get("swapped"):
    print(f"⚠️  SIM swap detected at {result['swap_timestamp']}")
    print(f"   Current carrier: {result['carrier']}")
    # Block account recovery, alert security team
else:
    print("✓ No SIM swap detected — safe to proceed")

**MCP Server (for AI agents)**
If you're building agents that handle user identity or account
actions, add SIM swap detection as a pre-flight check:

pip install relayshield_mcp

from plugins.relayshield.relayshield_game_plugin import relayshield_functions
# Drop into any GAME agent worker — check_sim_swap is ready to call

**Where to gate it in your stack**
def okta_account_recovery_hook(user_phone: str) -> bool:
    """
    Pre-recovery hook — block if SIM swap detected in last 24hrs.
    Wire this into your Okta inline hook or recovery flow.
    """
    result = check_sim_swap(user_phone)

    if result.get("swapped"):
        # Log security event, require in-person verification
        security_alert(user_phone, result)
        return False  # Block recovery

    return True  # Safe to proceed

**What to fix right now**
**Audit factor enrollment** — find every Okta user with SMS
enabled
**Disable SMS as primary factor** — enforce Okta Verify or TOTP
**Harden recovery flows** — no SMS fallback for privileged
accounts
**Add detection** — query carrier data before account recovery
or high-risk actions
**Brief your help desk** — social engineering is the human
version of the same attack

**The bottom line**
Enterprise MFA is only as strong as its weakest factor. For most
organizations, that weakest factor is a phone number on a carrier
database that can be socially engineered in minutes.

The carrier layer is invisible to every identity platform. That's
the gap. Now you know where it is — and how to close it.

*SIM swap detection API: [RelayShield on RapidAPI](https://rapidapi.com/relayshielduser/api/relayshield-security-intelligence) — free tier available.*

5 Crypto Security Signals in One API Call — Wallet Risk, Token Honeypots, SIM Swap and More

Andrew Gibbs — Fri, 15 May 2026 14:12:03 +0000

If you're building a crypto app, a trading bot, a DeFi dashboard, or an AI agent that touches wallets or tokens, you need security signals baked in — not bolted on after something goes wrong.

RelayShield Security Intelligence is a single REST API that gives you:

Wallet risk scoring: Multi-chain (EVM, Solana, TON)
Token honeypot + rug pull detection: Before your users ape in
NFT contract risk scanning: Ownership, minting, verification flags
SIM swap detection: Live carrier-layer data via Twilio Lookup v2
Email breach checking: 13B+ compromised records

No SDKs. Plain JSON in, plain JSON out. Available on RapidAPI (subscription) or x402 USDC micropayments on Base (pay per call, no subscription needed).

Quickstart — Wallet Risk in Python

import requests

url = "https://relayshield-security-intelligence.p.rapidapi.com/v1/wallet-risk"

payload = { "address": "0xYourWalletAddress" }
headers = {
    "x-rapidapi-key": "YOUR_RAPIDAPI_KEY",
    "x-rapidapi-host": "relayshield-security-intelligence.p.rapidapi.com",
    "Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)
print(response.json())

Works with EVM addresses, Solana public keys, and TON wallet addresses — the API auto-detects chain type.

Quickstart — Token Security (Honeypot Check)

payload = {
    "chain_id": "1",  # Ethereum mainnet — use 8453 for Base
    "contract_address": "0xTokenContractAddress"
}

response = requests.post(
    "https://relayshield-security-intelligence.p.rapidapi.com/v1/token-security",
    json=payload,
    headers=headers
)
print(response.json())

Returns honeypot status, buy/sell tax flags, ownership renounced, hidden owner, and more.

Pay Per Call with x402 (No Subscription Needed)

If you're building an agent or a low-volume integration and don't want a monthly subscription, the PAYG endpoints accept x402 USDC micropayments on Base:

Endpoint	Price
`/v1/payg/wallet-risk`	$0.15 USDC
`/v1/payg/token-security`	$0.10 USDC
`/v1/payg/nft-security`	$0.10 USDC
`/v1/payg/wallet-screen-batch`	$0.50 USDC (up to 10 addresses)
`/v1/payg/breach`	$0.10 USDC
`/v1/payg/sim-swap`	$0.25 USDC

x402 flow:

Call the endpoint with no payment header → receive 402 + PAYMENT-REQUIRED
Pay USDC on Base to the address in the response
Retry with X-PAYMENT header containing payment proof
API verifies via Coinbase x402 facilitator → returns result

Use Cases

DeFi dashboard: Screen every inbound token for honeypots automatically
Trading bot: Run wallet-risk on counterparties before executing swaps
AI agent: Give your Claude/GPT agent live security intelligence via MCP or direct API
Wallet app: Alert users when their SIM is swapped before their 2FA is compromised
Portfolio tracker: Flag high-risk wallets and scam tokens in real time

MCP Server (Claude / AI Agents)

If you're building with Claude or want to use these signals inside Claude Desktop:

pip install relayshield-mcp

Exposes all endpoints as native MCP tools — no API calls to write.

Links

RapidAPI listing (subscribe + test in browser): RelayShield Security Intelligence
API docs + landing page: relayshield.net
MCP package: pypi.org/project/relayshield-mcp

Built by a 25-year telecom security professional. Questions welcome in the comments.