A large malware campaign called TrapDoor is targeting crypto developers through malicious packages uploaded to npm, PyPI, and Crates.io, according to cybersecurity firm Socket.
Researchers found 34 malicious packages and hundreds of infected versions designed to steal crypto wallet data, SSH keys, API credentials, GitHub tokens, and cloud access information. The campaign specifically targets developers working on crypto, DeFi, Solana, AI, and blockchain systems.
The malicious packages were disguised as legitimate development tools with names like “wallet-security-checker,” “defi-env-auditor,” and “cryptowallet-safety.”
Some packages ran malicious code automatically during installation, while others used Rust build scripts or Python imports to trigger hidden attacks.
Socket warned that the malware also tries to trick AI coding assistants by hiding harmful instructions inside .cursorrules and CLAUDE.md files using invisible Unicode characters.
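A defender-side check for the hidden-instruction technique described above, as an added example that is not Socket's code or part of the original article: it flags Unicode format (Cf) characters in .cursorrules and CLAUDE.md files and decodes any text carried in Unicode tag characters. The article does not say which invisible characters TrapDoor used, so the character classes checked here are an assumption, and the sample input is constructed.

```python
import unicodedata
from pathlib import Path

# File names come from the article; add other assistant rule files as needed.
AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}

def find_invisible(text):
    """Return (line, column, codepoint, name) for each Unicode format (Cf) character.

    Assumption: Cf covers the usual invisible characters (zero-width, bidi
    controls, tag characters); the article does not list the ones used.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits

def decode_tag_text(text):
    """Recover ASCII carried in Unicode tag characters (U+E0020..U+E007E)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text
                   if 0xE0020 <= ord(c) <= 0xE007E)

def scan_tree(root):
    """Scan AI rule files under root; return {path: hits} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_RULE_FILES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_invisible(text)
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample: a rule file with a zero-width space and two tag
# characters (which decode to the harmless string "hi") after line 2.
SAMPLE = ("# Project rules\n"
          "Use 4-space indentation.\u200b\U000E0068\U000E0069\n"
          "Run tests before commit.\n")

if __name__ == "__main__":
    for hit in find_invisible(SAMPLE):
        print(hit)
    print("hidden tag text:", repr(decode_tag_text(SAMPLE)))
    for path, hits in scan_tree(".").items():
        print(path, len(hits), "invisible characters")
```

Zero-width joiners also occur legitimately inside some emoji sequences, so a hit is a prompt to review the file, not proof of tampering.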
Security researchers called the campaign one of the most advanced crypto-focused software supply-chain attacks to date. Developers who installed any affected packages have been told to immediately change passwords, replace SSH keys, check Git hooks and system services, and inspect development setups for unauthorized access.
The incident highlights the growing cybersecurity risks facing the crypto and AI development world, as attackers increasingly combine malware, open-source software, and AI trickery.
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026