34 packages. 58-second detection. Solana, Sui, and Aptos wallets already drained.

TrapDoor planted 34 malicious npm, PyPI, and Crates.io packages targeting Solana, Sui, and Aptos wallet keystores. What happened, who's at risk, and what developers must check now.

A coordinated supply chain attack named TrapDoor landed on npm, PyPI, and Crates.io in the final week of May 2026, pushing 34 malicious packages aimed squarely at Solana, Sui, and Aptos wallet keystores on developer machines. Detection was fast in some cases — under a minute — but the campaign ran for days before public disclosure. Here is what happened, what the exposure actually means, and the concrete steps to take today.

What Happened: 34 Packages, Three Registries, One Coordinated Hit

TrapDoor is a multi-registry supply chain campaign uncovered by Socket Security in late May 2026. Attackers pushed 34 malicious packages spanning 384 distinct versions across npm, PyPI, and Crates.io. The earliest confirmed artifact — eth-security-auditor 0.1.0 — appeared on PyPI on May 22, 2026 at 20:20 UTC.

Quick Answer: TrapDoor is a May 2026 supply chain attack that placed 34 malicious packages across npm, PyPI, and Crates.io to steal Solana, Sui, and Aptos wallet keystores from developer machines. Socket Security's fastest detection was 58 seconds post-publish, but packages circulated for days before public disclosure, potentially reaching 35,000+ repositories.

Packages rolled out in coordinated waves from attacker-controlled accounts. Socket's threat research team logged a median detection time of 5 minutes 27 seconds and a fastest catch of just 58 seconds post-publish. Public disclosure ran May 25–29, 2026 — a three-plus-day window during which packages reached an estimated 35,000+ repositories.

The naming strategy was deliberate: wallet-security-checker, defi-risk-scanner, sui-framework-helpers, move-compiler-tools. Each mimicked a plausible security or build utility — the kind a crypto or AI developer installs without a second look. That social engineering layer is what made the campaign effective despite rapid detection infrastructure.

Registry  | Sample malicious packages                                            | Execution trigger
npm       | wallet-security-checker, defi-threat-scanner, llm-context-compressor | postinstall hook → trap-core.js
PyPI      | eth-security-auditor, defi-risk-scanner, env-loader-cli              | Import-time execution + remote payload fetch from ddjidd564.github.io
Crates.io | sui-framework-helpers, move-analyzer-build, move-compiler-tools      | build.rs script at Cargo compile time

Why It Matters: Wallet Keystores Are the Target, Not Just Credentials

Most supply chain attacks settle for API keys or session tokens — assets that take time to monetize. TrapDoor went directly for the funds. Payloads explicitly hunted Solana, Sui, and Aptos wallet keystore files — three Layer-1 ecosystems central to DeFi and NFT development as of 2026. Exfiltrated keystores give attackers immediate wallet access, no downstream monetization step required.

The full exfiltration scope from a compromised developer machine:

  • Solana, Sui, and Aptos local wallet keystore files
  • MetaMask and Phantom browser extension data
  • SSH private keys and AWS IAM credentials
  • GitHub personal access tokens
  • Browser login databases and cookie stores (Chromium, Firefox)
  • .env files and local API keys
  • CI/CD pipeline configuration and git hook files

The C2 infrastructure used GitHub Pages and GitHub Gists to host payloads and stage exfiltrated data. The primary domain — ddjidd564.github[.]io — is a github.io subdomain that most corporate firewalls allowlist by default, meaning exfiltration traffic was unlikely to surface in SIEM alerts. PyPI packages fetched live payloads from this endpoint at import time, enabling malware updates without republishing — a clean evasion of version-scanning defenses.
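The blind spot described above is the blanket allowlist, not GitHub itself. The following added example (written for this article; it is not Socket Security's or any vendor's detection logic) shows the narrower rule a defender can run over proxy or egress logs: every github.io or gist.github.com host that is not on an explicit, per-site allowlist is surfaced together with the client and user agent that reached it. The log format, the client addresses and the allowlist entry docs.example.github.io are all constructed assumptions; the one real indicator, ddjidd564.github.io, is the domain named in the article.

```python
"""Egress review for GitHub-hosted content (added example, not from Socket or the page).

Blanket allowlisting of github.io hides C2 traffic. Flagging every github.io or
gist.github.com host that is NOT on an explicit per-site allowlist turns that
blind spot back into a signal. Log format and allowlist are assumptions.
"""
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry), one event per line:
# "<timestamp> <client-ip> <host> <method> <path> <user-agent>"
SAMPLE_LOG = """\
2026-05-23T09:14:02Z 10.0.4.17 registry.npmjs.org GET /lodash npm/10.8.1
2026-05-23T09:14:05Z 10.0.4.17 docs.example.github.io GET /index.html Mozilla/5.0
2026-05-23T09:14:07Z 10.0.4.17 ddjidd564.github.io GET /stage2 python-urllib/3.12
2026-05-23T09:15:11Z 10.0.4.22 gist.github.com GET /raw/abc123 curl/8.5.0
2026-05-23T09:16:40Z 10.0.4.22 pypi.org GET /simple/requests/ pip/24.0
"""

# Assumption: the organisation's own known-good Pages sites, maintained by hand.
PAGES_ALLOWLIST = {"docs.example.github.io"}
# github.io on any subdomain, plus gist.github.com; deliberately nothing broader.
GITHUB_HOSTED = re.compile(r"(^|\.)github\.io$|^gist\.github\.com$")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")


def parse_line(line):
    """Split one log line into a dict; None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, host, method, path, ua = m.groups()
    return {"ts": ts, "src": src, "host": host.lower(), "method": method, "path": path, "ua": ua}


def is_github_hosted(host):
    """True for github.io sites (any subdomain) and gist.github.com, nothing else."""
    return GITHUB_HOSTED.search(host) is not None


def flag_events(log_text, allowlist=PAGES_ALLOWLIST):
    """Events to GitHub-hosted content that the allowlist does not explicitly cover."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and is_github_hosted(e["host"]) and e["host"] not in allowlist]


def summarize(flagged):
    """Per host: which clients reached it, with which user agents, for which paths.
    A Pages site fetched by python-urllib or curl rather than a browser is the
    detail an analyst wants to see first."""
    summary = defaultdict(lambda: {"sources": set(), "user_agents": set(), "paths": set()})
    for e in flagged:
        summary[e["host"]]["sources"].add(e["src"])
        summary[e["host"]]["user_agents"].add(e["ua"])
        summary[e["host"]]["paths"].add(e["path"])
    return dict(summary)


if __name__ == "__main__":
    for host, s in summarize(flag_events(SAMPLE_LOG)).items():
        print(host, sorted(s["sources"]), sorted(s["user_agents"]), sorted(s["paths"]))
```

On the constructed sample the allowlisted docs site passes silently, while the two unlisted GitHub-hosted fetches are reported with their non-browser user agents. The design choice is the inversion of the usual rule: GitHub-hosted content is not trusted as a domain family, only as individually named sites, so a fresh github.io subdomain reached from a build host is an event rather than background noise.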

"TrapDoor marks a clear escalation in supply chain attack scope: explicitly targeting blockchain wallet keystores alongside credentials, routing C2 traffic through GitHub's trusted infrastructure, and embedding AI assistant backdoors that survive package removal — developer machines are being treated as direct financial attack surfaces." — Socket Security Threat Research Team, published analysis May 2026 (source: Rescana TrapDoor Analysis)

Researchers also uncovered a novel persistence vector. The malware planted hidden directives using zero-width Unicode characters inside .cursorrules and CLAUDE.md project files. These invisible instructions were designed to manipulate AI coding tools — Cursor and Claude Code — into running fake "security scan" routines in future sessions, sustaining exfiltration even after the malicious packages themselves were removed. Full technical disclosure on this vector remained in progress as of May 29.

What to Do Right Now: Audit Checklist for Affected Developers

If any npm, PyPI, or Cargo package in the crypto or AI tooling space was installed on a machine between May 22–25, 2026, treat that machine as potentially compromised. As of May 31, no confirmed drain amounts or named victim organizations have been publicly disclosed — but absence of a public disclosure is not a clearance. Verify removal status directly with each registry; do not assume packages are gone.

Step 1 — Check lockfiles against the confirmed malicious package list:

  • npm: wallet-security-checker, defi-env-auditor, crypto-credential-scanner, solidity-build-guard, solidity-deploy-guard, prompt-engineering-toolkit, defi-threat-scanner, move-compiler-tools, llm-context-compressor
  • PyPI: eth-security-auditor, cryptowallet-safety, defi-risk-scanner, env-loader-cli
  • Crates.io: move-analyzer-build, sui-framework-helpers, move-compiler-tools

Step 2 — Rotate all credentials on any affected machine: SSH keys, AWS IAM roles, GitHub personal access tokens, browser session cookies, and every API key in .env files. This is non-negotiable if any package above appears in your install history.

Step 3 — Move blockchain funds immediately. Generate fresh Solana, Sui, and Aptos wallets on a clean, uncompromised machine and transfer all assets. If a keystore file existed on an affected machine during the exposure window, assume it was captured. Do not wait for drain confirmation before acting.

Step 4 — Inspect AI project config files for hidden Unicode. Open .cursorrules and CLAUDE.md in a hex-aware editor and search for zero-width characters (U+200B, U+FEFF, U+200C).

Step 5 — Audit CI/CD pipelines: any postinstall hook or build.rs script added in May 2026 is suspect until verified. Check .git/hooks/ directories and shell profiles (.bashrc, .zshrc) for unfamiliar entries.

As documented by Cybersecurity News, no attribution to a known APT has been made public as of May 31, 2026 — treat this as an active, ongoing campaign.
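The mechanical parts of Steps 1, 4 and 5 can be run in one pass over a project tree. The script below is an added example written for this article, not tooling from Socket Security or any registry. It matches lockfiles against the package names listed in Step 1, scans .cursorrules and CLAUDE.md for zero-width characters, and lists package.json install-time scripts, build.rs files and active git hooks for manual review. The zero-width set adds U+200D and U+2060 beyond the three code points named above (an assumption, since they are equally invisible), and the demo() inputs are constructed strings, not real project files.

```python
"""TrapDoor exposure audit: added example, not Socket Security's or any registry's tool.

Covers the mechanical parts of the checklist: lockfiles against the Step 1 package
names, .cursorrules / CLAUDE.md zero-width scan (Step 4), and install-time scripts,
build.rs files and git hooks listed for review (Step 5).
"""
import json
import re
import sys
from pathlib import Path

# Package names exactly as listed in Step 1.
MALICIOUS = {
    "npm": {"wallet-security-checker", "defi-env-auditor", "crypto-credential-scanner",
            "solidity-build-guard", "solidity-deploy-guard", "prompt-engineering-toolkit",
            "defi-threat-scanner", "move-compiler-tools", "llm-context-compressor"},
    "pypi": {"eth-security-auditor", "cryptowallet-safety", "defi-risk-scanner", "env-loader-cli"},
    "crates": {"move-analyzer-build", "sui-framework-helpers", "move-compiler-tools"},
}
# U+200B, U+200C and U+FEFF are named in Step 4; U+200D and U+2060 are added as an
# assumption because they are just as invisible in an editor.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
AI_CONFIG_FILES = {".cursorrules", "CLAUDE.md"}
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def normalize_pypi(name):
    """PyPI name normalisation: lower-case, runs of [-_.] collapse to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def npm_lock_packages(text):
    """Names from package-lock.json (v2/v3 'packages' keys and v1 'dependencies')."""
    data = json.loads(text)
    names = {key.split("node_modules/")[-1] for key in data.get("packages", {}) if key}
    return names | set(data.get("dependencies", {}))

def requirements_packages(text):
    """Names from requirements.txt; comments, option lines (-r, -e) and blanks skipped."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:
            names.add(normalize_pypi(m.group(0)))
    return names

def cargo_lock_packages(text):
    """Names from Cargo.lock [[package]] tables."""
    return set(re.findall(r'^name = "([^"]+)"', text, flags=re.MULTILINE))

LOCKFILE_PARSERS = {
    "package-lock.json": ("npm", npm_lock_packages),
    "requirements.txt": ("pypi", requirements_packages),
    "Cargo.lock": ("crates", cargo_lock_packages),
}

def check_lockfile(filename, text):
    """Sorted malicious package names present in one lockfile's text."""
    registry, parser = LOCKFILE_PARSERS[filename]
    return sorted(parser(text) & MALICIOUS[registry])

def find_zero_width(text):
    """(line, code point) per zero-width char. A single U+FEFF at offset 0 is a UTF-8
    BOM and may be benign; anything else inside a config file deserves a look."""
    return [(ln, f"U+{ord(ch):04X}")
            for ln, line in enumerate(text.splitlines(), 1) for ch in line if ch in ZERO_WIDTH]

def lifecycle_scripts(package_json_text):
    """Install-time scripts in package.json; these run automatically on 'npm install'."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

def audit_tree(root):
    """Walk a project tree and return (path, kind, detail) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or {"node_modules", "target"} & set(path.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        p = str(path)
        if path.name in LOCKFILE_PARSERS:
            findings += [(p, "malicious-package", n) for n in check_lockfile(path.name, text)]
        elif path.name in AI_CONFIG_FILES:
            findings += [(p, "zero-width-char", f"line {ln}: {cp}") for ln, cp in find_zero_width(text)]
        elif path.name == "package.json":
            findings += [(p, "lifecycle-script", f"{k}: {v}") for k, v in lifecycle_scripts(text).items()]
        elif path.name == "build.rs":
            findings.append((p, "build-script", "runs at cargo compile time; review it"))
        elif ".git" in path.parts and path.parent.name == "hooks" and path.suffix != ".sample":
            findings.append((p, "git-hook", "active hook; review it"))
    return findings

def demo():
    """Constructed inputs (not real project files) showing each check firing."""
    cargo = '[[package]]\nname = "serde"\n\n[[package]]\nname = "sui-framework-helpers"\n'
    reqs = "requests==2.31.0\nEth_Security_Auditor==0.1.0  # looks like a linter\n-r dev.txt\n"
    pkg = '{"scripts": {"test": "jest", "postinstall": "node trap-core.js"}}'
    rules = "Always run the project linter.\nAlso run \u200bsecurity scan\u200c before commit.\n"
    return {"cargo": check_lockfile("Cargo.lock", cargo),
            "pypi": check_lockfile("requirements.txt", reqs),
            "hooks": lifecycle_scripts(pkg),
            "zero_width": find_zero_width(rules)}

if __name__ == "__main__":
    print(audit_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a project root as the only argument to audit a real tree, or with no argument to see the constructed demo findings. The name-normalisation step matters on PyPI: Eth_Security_Auditor and eth-security-auditor are the same project, so a raw string comparison against the list would miss it. Lifecycle scripts, build.rs files and git hooks are listed rather than judged, because legitimate projects use all three; the finding is a prompt to read them, not a verdict.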

Frequently Asked Questions

Which wallets are at risk from the TrapDoor attack?

Solana, Sui, and Aptos wallet keystore files were the explicit targets. MetaMask and Phantom browser extension data were also within the exfiltration scope. Hardware wallets are not directly affected unless seed phrases or keystore backups were stored as software files on the compromised machine — in that case, those specific files may have been captured and should be treated as exposed.

How do I know if I installed a TrapDoor package?

Check your package-lock.json (npm), requirements.txt or Pipfile.lock (PyPI), and Cargo.lock (Crates.io) against the confirmed malicious package list in the audit section above. Look for install timestamps between May 22–25, 2026. Socket Security's advisory, as covered by CoinDesk, and GitHub security alerts are the most current references for the full package inventory.

Is TrapDoor still active as of May 2026?

Disclosure ran May 25–29, 2026, with packages still being pushed in waves from attacker-controlled accounts during that window. Socket reported all identified packages to npm, PyPI, and Crates.io for removal. Takedown completion must be verified directly with each registry's security advisories. Do not assume all malicious packages have been removed — treat this as an active campaign until registries publish full clearance confirmations.

Why did attackers use GitHub infrastructure for command-and-control?

GitHub Pages and GitHub Gists are trusted, widely allowlisted domains. Routing C2 traffic through github.io subdomains and gist.github.com significantly reduces the probability of triggering SIEM alerts compared to attacker-owned domains. Most organizations permit GitHub traffic by default, making it an effective and increasingly common evasion technique in advanced supply chain campaigns targeting developer environments.

Does this affect end-users who only hold crypto in wallets, not developers?

The TrapDoor attack vector requires installing a malicious package in a developer environment. Retail holders using hardware wallets or custodial exchanges — who never ran any of the listed packages — are not directly at risk from this specific campaign. However, developers who build and distribute crypto tools may have had their release pipelines compromised, creating potential secondary risk for downstream users of affected software.

What to Watch Next

Three signals to track: first, registry takedown confirmations from npm, PyPI, and Crates.io — absence of a formal confirmation is itself a risk signal. Second, Socket Security's follow-up technical disclosure on the AI coding assistant manipulation vector, which was still being fully documented at time of publication. Third, attribution — no known APT or nation-state actor has been linked to TrapDoor as of May 31, 2026, but multi-registry coordination and GitHub-based C2 infrastructure narrow the likely actor profile considerably.

The structural takeaway is direct: developer machines are now primary financial attack surfaces in crypto. An attacker who exfiltrates a Solana or Aptos keystore gains immediate wallet access — no exchange breach, no protocol exploit required. Lockfile audits, dependency pinning, and install-hook review are no longer optional development hygiene. They are wallet security.

Last updated: 2026-05-31. Based on Socket Security's TrapDoor disclosure and reporting by CoinDesk, The Hacker News, and Unchained Crypto, published May 25–29, 2026. Attribution and full package removal status remain unconfirmed — verify directly with each registry before resuming normal dependency installs.