Socket has reported a supply chain attack targeting developers of cryptocurrencies and AI systems, aimed at stealing digital assets and data.

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.

Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.

TrapDoor targets…

— Socket (@SocketSecurity) May 24, 2026

On May 22, the firm identified a malicious campaign dubbed TrapDoor. The attack spans 34 malicious packages and 384 related versions, and the attackers have repeatedly released new variations across ecosystems.

The malware targets developers in cryptocurrency, DeFi, AI, and security systems, stealing wallet data, cloud service account information, browser extension data, GitHub tokens, as well as SSH and API keys.

Targets include popular cryptocurrency wallets such as Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, as well as the Brave web browser.

Technical Details

The software embeds hidden instructions to "capture AI programming assistants" like Claude and Cursor.

"The goal is to trick LLM assistants into initiating a 'security scan' or similar workflow that leads to the discovery and theft of sensitive information," Socket reported.

TrapDoor specifically targets popular developer resources such as npm, PyPI, and Crates.io.

Some npm packages installed a shared module that searched for developers' secret data. Attempts to establish persistence through scheduled tasks, services, and autostart mechanisms have been documented.

Rust packages were found to search local key stores and subsequently send data via GitHub Gists. In Python packages, code was loaded from an external domain and executed via Node.js, allowing behavior changes without publishing a new version.

Socket recommends treating any environment with such packages as potentially compromised, changing keys and tokens, and checking the system for persistence mechanisms. Simply removing the software component is insufficient.
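A first triage step for the recommendation above, as an added example that is not Socket's tooling: check npm, PyPI, and Cargo lockfiles against a list of flagged package names, matching on name alone because the attackers keep publishing new versions. The package names in `IOC` are constructed placeholders (the article lists none), and all function names are hypothetical.

```python
import json
import re

# Placeholder indicators (constructed): the article names no packages.
# Replace with the package names from Socket's published TrapDoor list.
IOC = {"npm": {"example-trapdoor-npm-pkg"}, "pypi": {"example-trapdoor-pypi-pkg"},
       "crates": {"example-trapdoor-crate"}}

def npm_packages(text):
    """Yield (name, version) from package-lock.json (lockfileVersion 2 or 3)."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if path:  # the "" key is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "?")

def pypi_packages(text):
    """Yield (name, version) from requirements.txt lines."""
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9._-]+)\s*(?:==\s*([^\s;#]+))?", line)
        if m and not line.lstrip().startswith(("#", "-")):
            # PEP 503 normalisation so Foo_Bar and foo-bar compare equal
            yield re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2) or "?"

def crate_packages(text):
    """Yield (name, version) from Cargo.lock [[package]] tables."""
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name:
            yield name.group(1), ver.group(1) if ver else "?"

PARSERS = {"npm": npm_packages, "pypi": pypi_packages, "crates": crate_packages}

def audit(manifests, ioc=IOC):
    """manifests: {ecosystem: lockfile text}. Name-only match: all versions hit."""
    return sorted((eco, name, ver) for eco, text in manifests.items()
                  for name, ver in PARSERS[eco](text) if name in ioc.get(eco, ()))

# Constructed sample lockfiles, one per ecosystem.
SAMPLE = {
    "npm": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app"}, "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/a/node_modules/example-trapdoor-npm-pkg": {"version": "9.9.1"}}}),
    "pypi": "requests==2.32.3\nExample_TrapDoor.PyPI-pkg==0.0.7  # pinned\n",
    "crates": '[[package]]\nname = "serde"\nversion = "1.0.0"\n\n'
              '[[package]]\nname = "example-trapdoor-crate"\nversion = "0.2.4"\n',
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A match identifies a host to treat as compromised; key and token rotation and the persistence check still follow.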

"The names of the malicious modules are crafted to resemble developer assistants, project configuration tools, model routing utilities, prompt engineering packages, Solidity solutions, or Sui and Move build assistants," Socket experts stated.

GitHub was used to distribute the malicious packages, and the attack was executed using AI.

The service was hacked on May 20, granting hackers access to 3,800 internal repositories.

In May, Anthropic released the first report on Project Glasswing—a vulnerability discovery program using the Claude Mythos model.