TL;DR
Token Metrics technicals on APT read bullish as TrapDoor malware targets crypto developers. Socket Security flagged an active supply-chain attack that deployed more than 34 malicious packages across npm, PyPI, and Crates.io. The campaign specifically targets developers working with Aptos, Sui, and Solana, stealing wallet keystores, SSH keys, and cloud credentials. APT is trading near $0.99 and up about 3% on the day.
Context
Crypto developers are prime targets for supply-chain attacks. Their machines hold the keys to everything: wallet funds, cloud infrastructure, and Git repositories. The TrapDoor campaign is the latest threat in this area. Socket Security researchers found the attack on Sunday. They spotted malicious packages made to blend into normal developer work.
The attack uses standard package features to run bad code. This raises no red flags. Postinstall hooks in npm packages, Python import triggers in PyPI packages, and Rust build.rs scripts in Crates.io packages all run during normal software installs. Developers can get infected just by adding what looks like a real dependency to their project.
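As an added example (not code from Socket or from the article), the following script inventories which installed dependencies declare code that runs at install or build time, covering the npm lifecycle scripts and Cargo build.rs cases described above. The directory layout and package names in the sample tree are constructed; Python import-time code is not covered because it cannot be identified from a manifest.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_time_code(root):
    """Return sorted (ecosystem, package_dir, detail) for code that runs at install/build."""
    root = Path(root)
    findings = []
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        rel = manifest.parent.relative_to(root).as_posix()
        findings += [("npm", rel, f"{h}: {scripts[h]}")
                     for h in NPM_INSTALL_HOOKS if h in scripts]
    for cargo in root.rglob("Cargo.toml"):
        # Cargo compiles and runs build.rs (default location) before building the crate
        if (cargo.parent / "build.rs").is_file():
            findings.append(("cargo", cargo.parent.relative_to(root).as_posix(), "build.rs"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a hooked npm package, a clean one, and a crate with build.rs."""
    root = Path(root)
    pkgs = {
        "node_modules/sample-hooked": {"scripts": {"postinstall": "node setup.js"}},
        "node_modules/sample-clean": {"scripts": {"test": "node test.js"}},
    }
    for rel, manifest in pkgs.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    crate = root / "vendor/sample-crate"
    crate.mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "sample-crate"\n', encoding="utf-8")
    (crate / "build.rs").write_text("fn main() {}\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_install_time_code(tmp):
            print(*finding, sep="\t")
```

Many legitimate packages use these hooks, so the output is a review list rather than a verdict; the useful signal is a hook appearing in a dependency that was added recently or has no reason to need one.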
The first bad package found was eth-security-auditor@0.1.0 on PyPI. It was uploaded on May 22 at 20:20 UTC. More bad releases followed across all three package registries through the weekend. Socket caught these packages fast. The median detection time was 5 minutes and 27 seconds after publication. This stopped the spread.
The data theft targets are comprehensive. The malware looks for SSH keys, wallet keystores for Sui, Solana and Aptos, AWS credentials, GitHub tokens, browser data, crypto wallet extension files, environment variables, and API keys. It targets data from Coinbase, Binance, MetaMask, and Brave wallets. The companies themselves were not hacked.
The technical skill varies by platform. The npm version has a 1,149-line JavaScript file called trap-core.js. It uses Fernet and ECDH encryption. It checks stolen AWS and GitHub credentials through live API calls. This helps find high-value targets. Crates.io packages use simple XOR encryption with the key cargo-build-helper-2026. They send data to GitHub Gists.
The malware stays active through systemd services, cron jobs, Git hooks, and shell hooks. A smart feature targets AI coding assistants. It changes .cursorrules and CLAUDE.md files. It hijacks the same hooks developers use for tools like Cursor and Claude Code.
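For triage on a developer machine, this added example (not from the article or from Socket's report) lists files in the persistence locations named above that changed at or after a chosen cutoff time. The specific paths (user-level systemd units, common shell rc files, a repository's .git/hooks) and the sample file names are assumptions; cron is omitted because crontabs are not stored under the home directory.

```python
import os
import tempfile
from pathlib import Path

SHELL_RC = (".bashrc", ".zshrc", ".profile", ".bash_profile")  # assumed rc files
AI_RULE_FILES = (".cursorrules", "CLAUDE.md")                  # named in the article

def persistence_candidates(home, repo):
    """Yield (category, path) for files in the persistence locations the article lists."""
    home, repo = Path(home), Path(repo)
    for unit in (home / ".config/systemd/user").glob("*.service"):
        yield "systemd-user", unit
    for name in SHELL_RC:
        if (home / name).is_file():
            yield "shell-rc", home / name
    for hook in (repo / ".git/hooks").glob("*"):
        # Git ships inactive *.sample templates; only other files are live hooks
        if hook.is_file() and hook.suffix != ".sample":
            yield "git-hook", hook
    for name in AI_RULE_FILES:
        if (repo / name).is_file():
            yield "ai-rules", repo / name

def modified_since(home, repo, cutoff_epoch):
    """Return sorted (category, file name) for candidates modified at or after the cutoff."""
    return sorted((cat, p.name) for cat, p in persistence_candidates(home, repo)
                  if p.stat().st_mtime >= cutoff_epoch)

def build_sample(root, cutoff_epoch):
    """Constructed sample home and repo: 'old' files predate the cutoff, 'new' ones follow it."""
    home, repo = Path(root) / "home", Path(root) / "repo"
    files = {
        home / ".bashrc": "old",
        home / ".config/systemd/user/sample-sync.service": "new",
        repo / ".git/hooks/pre-commit.sample": "new",
        repo / ".git/hooks/post-checkout": "new",
        repo / "CLAUDE.md": "new",
        repo / ".cursorrules": "old",
    }
    for path, age in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# constructed sample\n", encoding="utf-8")
        stamp = cutoff_epoch + (3600 if age == "new" else -3600)
        os.utime(path, (stamp, stamp))
    return home, repo
```

Modification times can be rewritten by anything running as the same user, so an empty result does not clear a machine; each file that is flagged still needs to be read by hand.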
Security firm SlowMist issued warning SM-2026-352284. They compared TrapDoor to the npm worm Mini Shai-Hulud. All bad packages were reported to the registries for removal. The attacker’s GitHub page has a document. It calls the operation a Universal AI Agent Extraction Framework. The attacker might use AI to improve the malware.
What Token Metrics Data Shows
Data as of May 26, 2026. Token Metrics technicals on APT read bullish despite the security news. The trend is bullish and momentum is strong. The token moves with high volatility. APT trades near $0.99, up about 3% today and 6% this week. First support is near $0.86. Next resistance is around $1.18.
The next big event is a token unlock on Jun 12. This is the main fundamental event in the next 7 days. Token Metrics Daily Pulse called this a main items story. This shows its importance to the market. The malware news could cause short-term fear. But the technical picture shows buying pressure remains strong.
High volatility means traders expect big moves. The bullish trend shows they think the moves will be up. The token unlock adds more risk for APT traders. The momentum indicator confirms bullish momentum. The momentum reading of 65 indicates the token is approaching overbought territory but still has room to run. The trend strength reading of 28.5 shows a strengthening trend, while the trend bias turning bearish suggests caution. Price positioning near the upper band confirms recent strength. The price range state indicates consolidation might be needed before the next leg up.
What’s New
The TrapDoor campaign is a coordinated supply-chain attack. It targets crypto development environments. Socket Security researchers found over 34 malicious packages. They were spread across three major package registries: npm for JavaScript, PyPI for Python, and Crates.io for Rust. These packages target developers working with Aptos, Sui, and Solana blockchains.
The attack gets its name from its method. It creates trapdoors in the software supply chain. These let attackers steal data automatically. The campaign is dangerous because it blends into normal developer work. It uses legitimate package features like postinstall scripts. So the malware runs with no clear warning signs.
The first malicious package, eth-security-auditor@0.1.0, went to PyPI on May 22. More bad releases followed through May 25. Socket’s detection caught them fast. The average response time was just over 5 minutes.
The malware targets data specific to crypto development. It steals wallet keystores for Aptos, Sui, and Solana. It also looks for SSH keys, AWS credentials, GitHub tokens, browser data, and crypto wallet extension files.
The npm payload shows advanced skills. It uses multiple encryption methods. It checks stolen credentials through live API calls. This helps find valuable targets. Persistence methods keep the malware active even after reboots. The attack also targets AI coding assistant setups. This shows knowledge of modern development practices.
The attacker called this a Universal AI Agent Extraction Framework. This might be an early version. More advanced attacks could come.
What to Watch
- Check package registry security advisories for npm, PyPI, and Crates.io. Look for new TrapDoor variants or similar attacks.
- Watch for news from Aptos, Sui, or Solana foundations. They may share security tips or respond to the TrapDoor campaign.
- Track APT’s technical momentum around the Jun 12 token unlock. High volatility could make security news have more impact.
- Monitor GitHub Gist repositories and data dump sites. Look for unusual dumps of wallet keys or dev credentials.
- Watch for more warnings from firms like SlowMist. Check for updates on alert SM-2026-352284 as more details emerge.
This information is for educational purposes only and should not be considered financial advice.