TrapDoor: Malicious Campaign Against Sui and Solana Developers Attacks via npm and PyPI


Security researchers have identified a large-scale malicious campaign, dubbed TrapDoor, that targets developers working in the Aptos, Sui, and Solana blockchain ecosystems. The attackers' goal is to steal SSH keys, cryptocurrency wallet data, and cloud credentials.

This was reported by Finway.

Features of the TrapDoor Malicious Campaign

Researchers at Socket Security identified more than 34 malicious packages, spanning more than 380 published versions, hosted on the npm, PyPI, and Crates.io registries. The attackers disguised the malware as legitimate development tooling for DeFi, artificial intelligence, and blockchain development.

Among the packages, researchers identified sui-framework-helpers, move-analyzer-build, and sui-move-build-helper, all published through Crates.io. These packages were built to collect and exfiltrate SSH keys, cryptocurrency wallet files, GitHub tokens, AWS credentials, and browser-stored authentication data from developers' machines.

[Figure: Socket Security's interface flagging a malicious TrapDoor npm package. Source: Socket Security.]

Each ecosystem was abused through its own automatic code-execution hook: npm lifecycle scripts (postinstall), Python import-time execution, and Rust build.rs build scripts. All three run without any action by the developer beyond installing, importing, or compiling the dependency, which is what makes them attractive to an attacker. Covering all three let the campaign reach a wide range of development environments.
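The three hook types above are exactly what a pre-install review of an unpacked package should look for. The following is an added example (not Socket Security's detection logic and not code from the campaign) of a heuristic scanner that flags npm lifecycle scripts, Python calls that execute at module import time, and Cargo build scripts, and rates them higher when they reference credential paths or shell-download primitives. The sample package tree it scans is constructed inline; the package names, the keyword lists, and the severity scheme are the author's assumptions.

```python
"""Heuristic scanner for install-, import- and build-time execution hooks in unpacked
npm, PyPI and Cargo packages. Added example; the indicator lists are assumptions,
not Socket Security's rules. Runs offline against a constructed sample tree."""
from __future__ import annotations

import ast
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed indicators of credential theft / remote loading inside a shell or build script.
SHELL_IOC = re.compile(r"(curl|wget|base64|node\s+-e|python\s+-c|\.ssh|\.aws|id_rsa|\|\s*sh\b)")
RUST_IOC = re.compile(r"(std::process::Command|std::net|\.ssh|\.aws|id_rsa|home_dir)")
# Python call names that should not execute at import time (assumed list).
PY_SINKS = {"system", "popen", "run", "Popen", "call", "check_output", "urlopen", "exec", "eval", "b64decode"}


def scan_npm(pkg_dir: Path) -> list[str]:
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return []
    scripts = json.loads(manifest.read_text()).get("scripts", {})
    findings = []
    for hook in NPM_HOOKS:
        cmd = scripts.get(hook)
        if cmd:  # any lifecycle hook is worth a look; IOC match raises severity
            sev = "HIGH" if SHELL_IOC.search(cmd) else "INFO"
            findings.append(f"{sev} npm {hook}: {cmd}")
    return findings


def _calls_at_module_level(tree: ast.Module) -> list[str]:
    """Sink calls outside any def/class body, i.e. code that runs on `import` (heuristic)."""
    hits = []
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                f = sub.func
                name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
                if name in PY_SINKS:
                    hits.append(f"line {sub.lineno}: {name}()")
    return hits


def scan_python(pkg_dir: Path) -> list[str]:
    findings = []
    for path in sorted(pkg_dir.rglob("*.py")):
        rel = path.relative_to(pkg_dir).as_posix()
        try:
            tree = ast.parse(path.read_text(), filename=str(path))
        except SyntaxError:
            findings.append(f"WARN unparsable {rel}")
            continue
        findings += [f"HIGH python import-time {rel} {h}" for h in _calls_at_module_level(tree)]
    return findings


def scan_rust(pkg_dir: Path) -> list[str]:
    cargo, candidates = pkg_dir / "Cargo.toml", {pkg_dir / "build.rs"}
    if cargo.is_file():  # Cargo also honours a custom `build = "..."` path
        m = re.search(r'^\s*build\s*=\s*"([^"]+)"', cargo.read_text(), re.M)
        if m:
            candidates.add(pkg_dir / m.group(1))
    findings = []
    for script in sorted(p for p in candidates if p.is_file()):
        sev = "HIGH" if RUST_IOC.search(script.read_text()) else "INFO"
        findings.append(f"{sev} rust build script {script.relative_to(pkg_dir).as_posix()}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every unpacked package directory directly under `root`."""
    return {p.name: scan_npm(p) + scan_python(p) + scan_rust(p)
            for p in sorted(root.iterdir()) if p.is_dir()}


def build_sample_tree(root: Path) -> None:
    """Constructed samples modelled on the three hook types; not real packages."""
    npm = root / "npm-pkg"; npm.mkdir()
    (npm / "package.json").write_text(json.dumps({"name": "example-env-auditor", "version": "0.0.1",
        "scripts": {"postinstall": "node -e \"require('child_process').exec('cat ~/.ssh/id_rsa | base64')\""}}))
    clean = root / "clean-pkg"; clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "example-clean", "scripts": {"test": "jest"}}))
    py = root / "py-pkg"; (py / "pkg").mkdir(parents=True)
    (py / "pkg" / "__init__.py").write_text(
        "import subprocess\n"
        "def helper():\n    return subprocess.run(['ls'])\n"          # inside a def: not import-time
        "subprocess.run(['sh', '-c', 'cat ~/.aws/credentials'])\n")  # module level: runs on import
    rs = root / "rs-pkg"; rs.mkdir()
    (rs / "Cargo.toml").write_text('[package]\nname = "example-build-helper"\nversion = "0.1.0"\nbuild = "build.rs"\n')
    (rs / "build.rs").write_text('fn main() {\n    let _ = std::process::Command::new("sh")'
                                 '.arg("-c").arg("cat ~/.ssh/id_rsa").output();\n}\n')


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for pkg, findings in run_demo().items():
        print(pkg, *(findings or ["(nothing flagged)"]), sep="\n  ")
```

The Python check deliberately ignores calls inside function and class bodies: the campaign's import-time trick depends on code at module level, and flagging every `subprocess.run` in a package would bury the signal. An `INFO` result is not a verdict, only a prompt to read the script before installing; the `HIGH` results in the sample tree are the patterns worth blocking outright.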

Disguise and Attack Targets

The malicious package names were chosen to imitate legitimate development tools in the cryptocurrency, DeFi, and artificial intelligence space; examples include crypto-credential-scanner, wallet-security-checker, defi-env-auditor, and defi-risk-scanner. Researchers believe the naming was intended to attract developers who routinely handle sensitive material such as cloud keys and wallets.

“At Socket Security, TrapDoor was characterized as a relatively small but effective operation. It is designed for targeted attacks against developers of cryptographic and DeFi applications.”

The earliest malicious package found by researchers was [email protected], uploaded to PyPI on a Friday evening. New packages were then published in waves from multiple publisher accounts, which made the campaign harder to detect in its early stage.

Researchers note that such attacks are becoming increasingly common and attribute this to attackers' growing interest in Web3 infrastructure, blockchain development tooling, and artificial intelligence.