Socket Security just published research on TrapDoor malware: 34 malicious packages targeting developers building on Solana, Aptos, and Sui. If you've installed any npm or PyPI packages from these ecosystems recently, your wallet may already be at risk even if nothing looks wrong yet.
How it works:
The packages execute on install. They silently harvest crypto wallet credentials, SSH keys, cloud credentials, browser-saved passwords, and environment variables — then exfiltrate everything to attacker infrastructure. The wallet drain doesn't happen immediately. Attackers wait for the right moment: a large deposit, a token unlock, a liquidity event.
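Because the packages run at install time, the first thing worth checking on a developer machine is which installed dependencies declare install-time hooks at all. The script below is an added example, not code from the original post or from Socket's research: it walks `node_modules`, lists every package that defines a `preinstall`, `install` or `postinstall` script (the hooks npm runs automatically), and flags commands matching a few constructed heuristics. The package names, commands and the `build_sample_tree()` demo tree are all made up for the demonstration; the heuristics are a starting point, not a signature set.

```python
"""Audit installed npm packages for install-time lifecycle hooks.

Added example (not part of the original post or of Socket's research).
Reads every package.json under node_modules, lists the hooks npm runs
automatically during `npm install`, and flags commands that match a few
constructed heuristics. Everything in build_sample_tree() is made up.
"""
import json
import os
import re
import tempfile

# Hooks npm executes without asking during a normal `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed heuristics for install-time droppers; tune for your environment.
SUSPICIOUS_PATTERNS = {
    "inline-js": re.compile(r"\bnode\s+-e\b"),          # inline JS payload
    "remote-fetch": re.compile(r"\b(curl|wget)\b"),     # fetches something at install
    "base64": re.compile(r"base64", re.IGNORECASE),     # encoded payload
    "eval": re.compile(r"\beval\b"),
    "env-read": re.compile(r"process\.env|os\.environ"),  # harvesting env vars
}


def flag_command(command):
    """Return the names of the heuristics a hook command matches."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]


def find_install_scripts(project_root):
    """Walk node_modules under project_root; return one finding per (package, hook)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(project_root):
        if "package.json" not in filenames:
            continue
        rel = os.path.relpath(dirpath, project_root)
        if "node_modules" not in rel.split(os.sep):
            continue  # the project's own package.json is not a dependency
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't crash
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            findings.append({
                "package": manifest.get("name", rel),
                "hook": hook,
                "command": command,
                "flags": flag_command(command),
            })
    findings.sort(key=lambda f: (f["package"], f["hook"]))
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="npm-audit-demo-")
    samples = {
        # Benign: rebuilding a native addon is a common, legitimate postinstall.
        "@example/good-native": {"postinstall": "node-gyp rebuild"},
        # No install hooks at all; should not appear in the findings.
        "plain-lib": {"test": "mocha"},
        # Constructed dropper-like hook (placeholder blob, not a real payload).
        "evil-sample": {"postinstall": "node -e \"eval(Buffer.from('PLACEHOLDER','base64').toString())\""},
    }
    for name, scripts in samples.items():
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "0.0.1", "scripts": scripts}, fh)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()  # replace with your real project root
    for finding in find_install_scripts(demo_root):
        marker = "SUSPICIOUS" if finding["flags"] else "review"
        print(f"[{marker}] {finding['package']} {finding['hook']}: "
              f"{finding['command']} {finding['flags']}")
```

Point `find_install_scripts()` at a real project root to list every dependency that runs code at install; anything flagged deserves a manual read of the hook before you keep it. Since the hooks themselves are the problem, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents them from running in the first place, and on the PyPI side `pip install --only-binary=:all:` refuses source distributions so no `setup.py` executes during install.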
Three things to do right now:
Check if your developer email appeared in an infostealer log: stealer logs from infected machines are actively traded on criminal Telegram channels. If your email is in one, the credentials from that machine are compromised regardless of whether your wallet looks fine today.
Audit your browser extensions: TrapDoor harvests browser data, and malicious extensions re-harvest credentials on every login after the initial infection. Remove anything you don't actively use or can't verify.
Move assets to a fresh wallet on a clean device if you installed packages from the affected ecosystems in the last 30 days and can't confirm they were clean.
On-chain monitoring only fires after the transfer has already gone out. The attack starts in your dev environment, not on the blockchain.
Full breakdown with remediation steps: https://medium.com/p/a4343023b319