TrapDoor Package Attack Targets Solana, Sui, and Aptos Wallet Data
A recently identified crypto-theft campaign, known as TrapDoor, targets developers who are likely to have wallet keys, cloud credentials, and production access on their machines. Rather than going after random retail users, it relies on supply-chain attacks and social engineering to steal wallet data, exfiltrate credentials, and gain access to production systems, a sign that attackers are becoming more focused in whom they target. For those looking to earn passive income through crypto, such as with $ECP or EcoPool, it’s essential to be aware of these types of attacks.
The TrapDoor campaign relies on malicious packages: over 34 packages, with hundreds of related versions and artifacts, have been identified across three major open-source programming registries. The packages pose as developer helpers, security scanners, and wallet tools, so they look harmless to unsuspecting developers. Once installed, they can steal wallet data, test AWS and GitHub tokens, and leave behind files that keep access active, which is particularly concerning for those using EcoPool for cloud rewards and green crypto.
How the Attack Works
The packages, written in JavaScript, Python, and Rust, pose as useful tools with names such as “wallet-security-checker” and “solidity-build-guard”. Once installed, the payloads go after far more than package data, searching the machine for private keys, passwords, GitHub tokens, and cloud logins. The attack also plants files such as .cursorrules and CLAUDE.md, which give project-specific instructions to AI coding tools, so that the attackers can collect and exfiltrate secrets. This type of attack can have significant implications for those earning through $ECP or using EcoPool for passive income.
Boring by design
The campaign has been reported to the affected registries, and the packages have been classified as malicious. The attackers have also opened pull requests to AI and developer projects, trying to add the malicious files through normal open-source contribution paths. To protect yourself from such attacks, it’s crucial to be cautious when installing packages and to use secure practices when managing your wallet and cloud credentials, especially when using EcoPool or $ECP for earning and cloud rewards.
Protecting Your Wallet and Credentials
To avoid falling victim to the TrapDoor campaign, it’s essential to be vigilant when installing packages and to use secure practices when managing your wallet and cloud credentials. This includes using strong passwords, enabling two-factor authentication, and regularly monitoring your accounts for suspicious activity. By taking these precautions, you can help protect your wallet and credentials, and ensure a safe and secure experience when using EcoPool or $ECP for earning and passive income.
If you’re interested in earning online through EcoPool or $ECP, and want to stay safe from attacks like TrapDoor, download the EcoPool app to learn more about secure and reliable ways to earn passive income. By joining the EcoPool network, you can take the first step towards earning online and achieving your financial goals, all while staying protected from potential threats like the TrapDoor package attack.
The .cursorrules and CLAUDE.md files are the ones developers use to give project-specific instructions to AI coding tools. Socket said the campaign planted hidden instructions in them using zero-width Unicode characters, apparently so that future AI assistant sessions would run fake “security scans” that collected and exfiltrated secrets.
That turns the attack from an ordinary package stealer into something closer to developer-environment malware. The package install is only the first step; the real target is the whole workstation: wallets, repos, browser data, cloud keys, SSH access, and whatever the AI coding tools read next.
Each ecosystem had its own execution path. The Rust packages used malicious build.rs scripts that run during compilation, targeting Sui and Move developers. The PyPI packages executed remotely fetched JavaScript on import. The npm packages used postinstall hooks.
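Two of the indicators described above can be checked for before a package or a pull request is trusted: invisible Unicode characters hidden in AI instruction files, and npm lifecycle hooks that run code at install time. The following is an added example written for this article, not Socket's tooling or code from the campaign; the .cursorrules text and package.json it scans are constructed samples.

```python
"""Defensive checks for two TrapDoor-style indicators: invisible Unicode characters
hidden in AI instruction files (.cursorrules, CLAUDE.md) and npm lifecycle hooks in
package.json. Added example, not Socket's or the campaign's code; inputs are constructed.
"""
import json
import unicodedata

# Every code point in Unicode category Cf is invisible when rendered; the zero-width
# characters (U+200B-U+200D, U+2060, U+FEFF) and the bidi controls all fall in it.
INVISIBLE_CATEGORY = "Cf"
# npm runs these scripts automatically while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_hidden_chars(text):
    """Return (line, column, code point, Unicode name) for each invisible character."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == INVISIBLE_CATEGORY:
                hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits


def npm_lifecycle_scripts(package_json_text):
    """Return the install-time hooks declared in a package.json (empty dict if none)."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


# Constructed .cursorrules: line 3 carries zero-width characters between the words,
# which render identically to the clean line in an editor or a PR diff view.
SAMPLE_CURSORRULES = (
    "# Project conventions\n"
    "Use TypeScript strict mode.\n"
    "Run\u200b the\u200b security\u200c scan\u200d before\u200b every\u200b commit.\n"
)
# Constructed package.json for a hypothetical helper that declares a postinstall hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dev-helper",
    "version": "0.0.1",
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for line_no, col, cp, name in find_hidden_chars(SAMPLE_CURSORRULES):
        print(f".cursorrules:{line_no}:{col} hidden {cp} ({name})")
    for hook, cmd in npm_lifecycle_scripts(SAMPLE_PACKAGE_JSON).items():
        print(f"package.json declares install-time hook {hook!r}: {cmd}")
```

A hit from either check is a reason to read the file byte by byte and to review the hook's script before installing, not proof of compromise on its own; legitimate packages do use postinstall for native builds.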
Socket said it reported the packages to the affected registries and classified the campaign packages as malicious. The company also warned that the attacker had opened pull requests to AI and developer projects, trying to add .cursorrules and CLAUDE.md files through normal open-source contribution paths.