TrapDoor Attack Targets Wallet Data from Solana, Sui, and Aptos

The TrapDoor campaign aims to compromise developers in crypto, DeFi, AI, and security by deploying fake tooling packages that can pilfer wallets, SSH keys, GitHub tokens, cloud credentials, and browser information.

By Shaurya Malwa | Edited by Sheldon Reback. Updated May 29, 2026, 9:15 a.m. Published May 29, 2026, 8:19 a.m.

Image caption: Another targeted attack, this time directed at programmers. (Boitumelo/Unsplash)

Key Points:

  • A newly uncovered supply-chain attack named TrapDoor has introduced over 34 malicious packages within npm, PyPI, and Crates.io, specifically targeting developers in crypto and cloud sectors.
  • These packages, masquerading as ordinary developer utilities and security tools, were created to extract SSH keys, wallet files, AWS credentials, GitHub tokens, browser data, and other sensitive configuration files.
  • According to researchers, the attackers also planted concealed instructions in AI configuration files such as .cursorrules and CLAUDE.md, intending to hijack future AI coding sessions into running bogus "security scans" that collect sensitive information.

A fresh campaign aimed at stealing crypto assets is focusing on developers who are likely to have wallet keys, cloud credentials, and access to production environments stored on their devices.

Researchers at the security firm Socket revealed this week that they have detected a supply-chain attack termed TrapDoor, which spread across three major open-source package registries and encompasses over 34 malicious packages along with numerous related versions and artifacts.

A significant observation is that the attackers are homing in on their targets. Rather than casting a wide net to ensnare casual users, these supply-chain attacks are specifically crafted to target developers, who often possess wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machines they use for building crypto and AI applications.

Socket has not disclosed any information regarding victims or stolen assets, but mentioned that the malicious packages were active on npm, PyPI, and Crates.io, containing payloads capable of pilfering wallet data, extracting credentials, testing AWS and GitHub tokens, and leaving behind files to maintain ongoing access.

These packages, written in JavaScript, Python, and Rust, were disguised as developer aids, security scanners, wallet tools, Solidity utilities, AI prompt packages, and Sui or Move build helpers.

Designed to be Unremarkable

The package names were intentionally mundane. They included titles like "wallet-security-checker," "defi-risk-scanner," "solidity-build-guard," "move-compiler-tools," and "llm-context-compressor," resembling the sort of simple utilities that a crypto or AI developer might install without much scrutiny.

However, once installed, these packages did far more than the mundane utility work their names advertised.

Within the npm packages, the malware scanned a developer's device for private keys, passwords, GitHub tokens, and cloud logins. It also tested some pilfered credentials, sought to infiltrate other systems via SSH keys, and left behind files to sustain the infection.

SSH keys are critical login files that developers utilize to access servers, code repositories, and various systems. If compromised, they can allow an attacker to traverse from a single infected device into a company's broader infrastructure.

The attack also exploited files like .cursorrules and CLAUDE.md, which let developers give project-specific directions to AI coding tools. Socket indicated that the campaign embedded concealed instructions using zero-width Unicode characters, which are invisible in most editors and diff views but are still read by the model, seemingly attempting to steer future AI assistant sessions into executing counterfeit "security scans" that would gather and exfiltrate sensitive information.
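Because zero-width and other invisible code points survive a code review that only looks at rendered text, a practical defensive check is to scan AI instruction files byte by byte for them. The following is an added example written for this article, not code from Socket or from the campaign's packages; the code points it flags and the sample CLAUDE.md content are constructed assumptions, and it also recovers text hidden with Unicode "tag" characters, a related invisible-text technique that the article does not describe.

```python
import unicodedata
from dataclasses import dataclass

# Code points that render as nothing, or only steer text layout, and so can
# carry instructions a human reviewer never sees while an LLM still reads them.
HIDDEN_CODEPOINTS = {
    0x00AD,                                  # soft hyphen
    0x180E,                                  # Mongolian vowel separator
    0x200B, 0x200C, 0x200D,                  # zero width space / non-joiner / joiner
    0x200E, 0x200F,                          # left-to-right / right-to-left mark
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # bidi embedding / override controls
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,  # word joiner, invisible operators
    0x2066, 0x2067, 0x2068, 0x2069,          # bidi isolate controls
    0xFEFF,                                  # zero width no-break space (a BOM only at offset 0)
}
# Unicode "tag" block: each character mirrors one ASCII character and is invisible.
TAG_BASE = 0xE0000
TAG_RANGE = range(TAG_BASE, TAG_BASE + 0x80)


@dataclass
class Finding:
    line: int       # 1-based line number
    column: int     # 1-based code point offset within the line
    codepoint: int
    name: str


def is_hidden(ch):
    cp = ord(ch)
    return cp in HIDDEN_CODEPOINTS or cp in TAG_RANGE


def find_hidden_chars(text):
    """Return every hidden code point in `text` together with its position."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                cp = ord(ch)
                findings.append(Finding(line_no, col, cp, unicodedata.name(ch, f"U+{cp:04X}")))
    return findings


def recover_tag_text(text):
    """Map tag characters back to the printable ASCII they mirror, so an analyst can read them."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text
                   if ord(ch) in TAG_RANGE and 0x20 <= ord(ch) - TAG_BASE < 0x7F)


def visible_text(text):
    """Strip hidden code points, leaving only what a reviewer actually sees."""
    return "".join(ch for ch in text if not is_hidden(ch))


# Constructed sample (not from the campaign): an ordinary-looking rules file with
# two zero width spaces and four tag characters spelling "note" appended to visible lines.
SAMPLE_CLAUDE_MD = (
    "# Project conventions\n"
    "Use 4-space indentation.\u200b\u200b\n"
    "Run tests before committing." + "".join(chr(TAG_BASE + ord(c)) for c in "note") + "\n"
)

if __name__ == "__main__":
    for f in find_hidden_chars(SAMPLE_CLAUDE_MD):
        print(f"line {f.line} col {f.column}: U+{f.codepoint:04X} {f.name}")
    print("tag-encoded text:", repr(recover_tag_text(SAMPLE_CLAUDE_MD)))
```

Run it as a pre-commit or CI check over .cursorrules, CLAUDE.md and similar files; any finding other than a single U+FEFF at the very start of a file deserves a human look, since those files have no legitimate reason to contain invisible characters.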

This transformed the attack from a standard package thief into something akin to malware designed for developer environments. The installation of the package is merely an initial step, with the primary objective being the workstation itself, including wallets, repositories, browser data, cloud keys, SSH access, and whatever AI coding tools may access next.

The Rust packages employed malicious build.rs scripts that executed during compilation, targeting developers using Sui and Move. Packages on PyPI executed remote JavaScript upon import, while npm packages utilized postinstall hooks.
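All three delivery mechanisms the article names (a build.rs that runs at compile time, Python that does network or process work the moment it is imported, and npm lifecycle hooks such as postinstall) share one trait: code runs before the developer has called anything. The following is an added example, not code from Socket or from the packages described, that statically audits an unpacked package directory for those three execution-at-install patterns. The sample package trees it builds under a temporary directory are constructed for the demonstration, and the Python check deliberately uses ast parsing only, so nothing in the inspected files is ever executed.

```python
import ast
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Calls that, at module level, mean the file does something the moment it is imported.
SUSPECT_CALLS = {"exec", "eval", "__import__", "os.system", "os.popen"}
SUSPECT_PREFIXES = ("subprocess.", "urllib.request.", "requests.", "socket.")


def audit_npm(pkg_dir):
    manifest = pkg_dir / "package.json"
    if not manifest.exists():
        return []
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
    return [f"npm:{pkg_dir.name}: lifecycle script '{h}' = {scripts[h]!r}"
            for h in NPM_INSTALL_HOOKS if h in scripts]


def audit_crate(pkg_dir):
    if (pkg_dir / "Cargo.toml").exists() and (pkg_dir / "build.rs").exists():
        return [f"crate:{pkg_dir.name}: has build.rs (runs arbitrary code at compile time)"]
    return []


def _dotted(func):
    """Turn a Call's func node (e.g. urllib.request.urlopen) into a dotted string."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def audit_python(pkg_dir):
    findings = []
    for py in sorted(pkg_dir.rglob("*.py")):
        tree = ast.parse(py.read_text(encoding="utf-8"), filename=str(py))
        aliases = {}  # local name -> fully qualified module or attribute
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        # Only statements outside def/class bodies execute on import.
        for stmt in tree.body:
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                continue
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = _dotted(call.func)
                root, _, rest = name.partition(".")
                full = aliases.get(root, root) + (f".{rest}" if rest else "")
                if full in SUSPECT_CALLS or full.startswith(SUSPECT_PREFIXES):
                    findings.append(f"python:{py.relative_to(pkg_dir)}: import-time call {full}()")
    return findings


def audit_package(pkg_dir):
    pkg_dir = Path(pkg_dir)
    return audit_npm(pkg_dir) + audit_crate(pkg_dir) + audit_python(pkg_dir)


def build_samples():
    """Construct (not real) package trees in a temp dir for the audit to inspect."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    npm = root / "npm-sample"; npm.mkdir()
    (npm / "package.json").write_text(json.dumps(
        {"name": "npm-sample", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    crate = root / "crate-sample"; crate.mkdir()
    (crate / "Cargo.toml").write_text('[package]\nname = "crate-sample"\nversion = "0.1.0"\n')
    (crate / "build.rs").write_text("fn main() {}\n")
    py = root / "py-sample"; py.mkdir()
    (py / "__init__.py").write_text(
        "import urllib.request\nDATA = urllib.request.urlopen('http://example.invalid/x')\n")
    clean = root / "clean-sample"; clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "clean-sample", "scripts": {"test": "jest"}}))
    (clean / "util.py").write_text("import subprocess\n\ndef run(cmd):\n    return subprocess.run(cmd)\n")
    return root


if __name__ == "__main__":
    root = build_samples()
    for pkg in sorted(root.iterdir()):
        print(pkg.name, "->", audit_package(pkg) or "no install-time execution found")
```

The clean sample shows the intended precision: importing subprocess is fine, and calling it inside a function is fine; only a call that fires during import is flagged. For npm specifically, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) blocks the lifecycle hooks outright, so the audit is most useful for deciding which packages genuinely need scripts re-enabled.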

Socket reported the malicious packages to the relevant registries and classified them as harmful. Additionally, the firm cautioned that the attackers attempted to submit pull requests to AI and developer projects in an effort to introduce .cursorrules and CLAUDE.md files through conventional open-source contribution methods.
