Supply Chain Attack 'TrapDoor' Targets Solana, DeFi, and AI Developers — Private Keys at Risk

Blockchain security firm SlowMist has uncovered a supply chain attack campaign it calls 'TrapDoor' that targets developers active on Solana, in decentralized finance, and in AI. The campaign uses malicious code planted across multiple software registries to steal cryptocurrency wallet private keys, putting project funds at direct risk.

How the Attack Works

TrapDoor is a cross-registry supply chain attack, meaning it spreads through malicious packages hosted on several package managers and code repositories. When a developer installs a compromised dependency, the malware silently extracts private keys stored on that developer's machine. SlowMist identified the campaign during routine threat monitoring but has not disclosed the full list of affected packages or registries.

Who Is in the Crosshairs

The attackers are specifically targeting developers in the Solana ecosystem, DeFi protocols, and AI projects. These sectors tend to handle large amounts of cryptocurrency and often rely on rapid development cycles, which can lead to weaker security checks. The goal is to steal the private keys of developers who have access to project wallets, deployment accounts, or treasury funds.

What Developers Should Do Now

No official fix has been released, but standard supply chain security practices apply. Developers should audit their dependency trees for any recently added packages, especially from sources they don't regularly use. They should also verify package integrity checksums and consider isolating development environments from machines that hold private keys. SlowMist has shared threat indicators with its clients and is continuing to track the TrapDoor campaign.
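
The dependency audit and checksum verification described above, as an added example (not SlowMist's tooling and not part of the original article). It assumes an npm `package-lock.json` (the v2/v3 `packages` map) purely as one illustrative lockfile format, since the affected registries are not disclosed; the package names, mirror host, and allowlist are constructed.

```python
import base64
import hashlib
from urllib.parse import urlparse

TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: the only registry this team uses


def verify_integrity(tarball: bytes, integrity: str) -> bool:
    """Check downloaded bytes against an SRI string such as 'sha512-<base64>'."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown or weak algorithm (e.g. sha1): do not accept
    digest = hashlib.new(algo, tarball).digest()
    return base64.b64encode(digest).decode() == expected


def audit_lock(old_lock: dict, new_lock: dict, trusted=TRUSTED_HOSTS) -> dict:
    """Return {package_path: [reasons]} for entries added or changed since old_lock."""
    before = old_lock.get("packages", {})
    findings = {}
    for path, meta in new_lock.get("packages", {}).items():
        prev = before.get(path)
        if path == "" or (prev and prev.get("integrity") == meta.get("integrity")):
            continue  # root project entry, or dependency unchanged since last review
        reasons = ["new" if prev is None else "changed"]
        if not meta.get("integrity"):
            reasons.append("no-integrity")  # nothing to verify the download against
        host = urlparse(meta.get("resolved") or "").hostname
        if host not in trusted:
            reasons.append("untrusted-source")  # missing or non-allowlisted registry
        findings[path] = reasons
    return findings


# Constructed sample data (not indicators from the TrapDoor campaign).
SAMPLE_TARBALL = b"constructed package bytes"
GOOD_SRI = "sha512-" + base64.b64encode(hashlib.sha512(SAMPLE_TARBALL).digest()).decode()
NPM = "https://registry.npmjs.org/"
OLD = {"packages": {"": {}, "node_modules/example-a": {
    "resolved": NPM + "example-a/-/example-a-1.0.0.tgz", "integrity": "sha512-AAAA"}}}
NEW = {"packages": dict(OLD["packages"], **{
    "node_modules/example-b": {"resolved": "https://mirror.example.net/example-b-1.0.0.tgz"},
    "node_modules/example-c": {"resolved": NPM + "example-c/-/example-c-2.1.0.tgz",
                               "integrity": GOOD_SRI}})}

if __name__ == "__main__":
    for pkg, why in audit_lock(OLD, NEW).items():
        print(pkg, why)
```

Run it against the lockfile from the last reviewed commit and the current one; every flagged entry is a dependency that has not yet been reviewed.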

The investigation is ongoing. Until SlowMist releases a full disclosure, any developer working with Solana, DeFi, or AI should treat every new dependency as a potential threat. This is a reminder that in crypto, your code is only as secure as the packages you import.