VERSE PRESS

Crypto News, Global First.

Malware Campaign "TrapDoor" Hits Crypto Developer Tools Across npm, PyPI, and Crates.io

Security researchers have identified an active supply chain attack targeting developers building on Solana, Aptos, and Sui, with 34 malicious packages spread across three major software registries and a novel tactic that weaponizes AI coding assistants.


Security firm Socket disclosed the campaign, which it named TrapDoor, this week. The attack spans 384 or more package versions published to npm, PyPI, and Crates.io, three registries widely used by Web3 developers working in JavaScript, Python, and Rust. The earliest confirmed malicious upload dates to May 22, 2026, though Socket believes activity began as early as May 19. The packages are engineered to steal cryptocurrency wallet files, SSH keys, cloud credentials, and browser data from infected developer machines.

What the Malware Steals

According to Socket's research, TrapDoor functions as a credential harvester rather than ransomware. Once installed, it searches the developer's machine for wallet keystores tied to Solana, Sui, and Aptos, along with browser extension data from MetaMask, Coinbase, and Binance. It also pulls AWS credentials, GitHub tokens, API keys, and login databases from Brave browser profiles. The Rust-based variants on Crates.io use a malicious build script and encrypt stolen data with the hardcoded XOR key cargo-build-helper-2026 before sending it out.

Named packages identified by researchers include token-usage-tracker, prompt-engineering-toolkit, eth-wallet-sentinel, and sui-sdk-build-utils on npm, and eth-security-auditor on PyPI.

"The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables," Socket's research team stated in its disclosure.

The AI Assistant Angle

One of the more technically novel elements of TrapDoor is its use of poisoned configuration files to manipulate AI coding assistants. Attackers planted hidden instructions inside .cursorrules and CLAUDE.md files, which are project-level config files read by the Cursor and Claude Code AI tools, respectively. The hidden text uses zero-width Unicode characters to conceal the malicious instructions from human review while remaining legible to AI systems. The goal, according to Socket, is to trick an AI assistant into running what appears to be a routine security scan, which in practice triggers exfiltration of the developer's secrets.

To test and distribute these poisoned files, a GitHub account identified as ddjidd564 submitted pull requests to well-known open-source AI projects including LangChain, MetaGPT, and OpenHands. Socket also reported that a breach of a GitHub employee's device on May 20, 2026 was used in the campaign to distribute malicious packages.

"[The attack] attempts to trick AI assistants into running a 'security scan' or similar workflow that causes secret discovery and exfiltration," Socket's research team said.

Why These Ecosystems

Solana, Aptos, and Sui are not arbitrary targets. All three saw substantial developer growth in 2024, according to Electric Capital's annual developer report. Solana led all blockchain networks globally in new developer acquisition that year. Aptos and Sui each brought in more than 1,000 new developers, driven largely by Move language adoption and active grant programs. Developers recruited through grants, hackathons, and bounty programs are precisely the profile most likely to install unfamiliar packages from community repositories.

Socket detected TrapDoor uploads with an average response time of 5 minutes and 56 seconds, with a fastest detection of 58 seconds after publication. Despite that speed, the window between upload and detection remains a meaningful exposure period for any developer pulling in a new dependency.

Regional Exposure: India and Nigeria at Elevated Risk

The regional footprint of TrapDoor's target ecosystems concentrates risk outside the United States. India is the second-largest source of crypto developers globally, accounting for 11.7% of total developer share according to Electric Capital. Indian developers are heavily active in the Solana ecosystem, working in JavaScript and TypeScript, which maps directly to the npm packages TrapDoor is targeting. Community infrastructure like Superteam India runs active hackathons and grant bootcamps in Bangalore, Hyderabad, Pune, and Delhi, creating exactly the high-velocity coding environment where unverified packages get installed.

Nigeria presents a comparable exposure profile. The country is Africa's top Solana developer hub and ranked sixth globally in Solana developer share in Q1 2026. SuperteamNG-backed developers secured $65,779 in bounties and $88,500 in Solana Foundation grants in that quarter alone. SuperteamNG's 16-week developer bootcamp produces cohorts of newer developers who are more likely to install packages from unfamiliar sources and more likely to rely on AI coding tools to fill skills gaps, making both TrapDoor vectors directly relevant.

Broader Campaign Context

TrapDoor is one of at least three cross-registry campaigns targeting crypto developers that Socket has tracked in 2026. On March 31, a compromise of the widely used axios npm package was attributed to Sapphire Sleet, a North Korean state-backed threat group, prompting a formal CISA advisory. A separate credential-harvesting campaign catalogued as SANDWORM_MODE used at least 19 malicious npm packages distributed through stolen npm and GitHub identities.

Socket recommends that developers working on Solana, Aptos, or Sui projects audit their dependency trees immediately, review any recently cloned project files for unusual Unicode characters in .cursorrules or CLAUDE.md configurations, and rotate SSH keys, cloud credentials, and API tokens as a precaution. Socket's full package list is available in its public disclosure.
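The review step Socket recommends above, and the zero-width Unicode trick described in the AI assistant section, can be automated. The following scanner is an added example written for this article, not Socket's tooling or any project's code: it walks a repository for the .cursorrules and CLAUDE.md files the article names, reports every invisible format character with its position, and decodes text hidden in the Unicode Tags block (one common way to hide instructions; that specific encoding is an assumption, as the article only says "zero-width Unicode characters"). The sample input is constructed.

```python
import unicodedata
from pathlib import Path

CONFIG_NAMES = (".cursorrules", "CLAUDE.md")  # config files named in the article
TAGS_BLOCK = range(0xE0000, 0xE0080)          # Unicode "Tags" block, renders as nothing


def is_invisible(ch):
    """True for format characters: zero-width space/joiners, BOM, soft hyphen, Tags block."""
    return ord(ch) in TAGS_BLOCK or unicodedata.category(ch) == "Cf"


def hidden_chars(text):
    """Return (line, col, codepoint) for every invisible character in text.
    A byte-order mark as the very first character is a common benign editor
    artifact and is skipped; a BOM anywhere else is reported."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                hits.append((lineno, col, ord(ch)))
    return hits


def decode_tags(text):
    """Recover text hidden with Tags-block characters: U+E0020..U+E007E mirror
    printable ASCII U+0020..U+007E, so subtracting 0xE0000 reveals the payload."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


def scan_tree(root):
    """Scan every .cursorrules / CLAUDE.md under root; returns {path: hits}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.name in CONFIG_NAMES and path.is_file():
            hits = hidden_chars(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample (not from the campaign): a harmless rule followed by a
# line made entirely of Tags-block characters, which a human reviewer cannot see.
HIDDEN = "hidden instruction"
SAMPLE = "Always run the linter before committing.\n" + \
         "".join(chr(0xE0000 + ord(c)) for c in HIDDEN) + "\n"

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {len(hits)} invisible chars, first at line {hits[0][0]} col {hits[0][1]}")
    print("sample:", len(hidden_chars(SAMPLE)), "hidden chars, decoded:", repr(decode_tags(SAMPLE)))
```

Run it against a freshly cloned project; any hit in these files is worth a manual look before an AI assistant is pointed at the repository.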