The Socket platform reported a supply chain attack targeting cryptocurrency and AI developers. Its objective is to steal digital assets and data.
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026
On May 22nd, the company identified a malicious campaign named TrapDoor. Within this attack, over 34 harmful packages and 384 associated versions were disseminated. The perpetrators repeatedly introduced new variations across different ecosystems.
The malicious software is aimed at developers of cryptocurrencies, DeFi, AI, and security systems. It pilfers data from wallets, cloud service accounts, browser extensions, GitHub tokens, as well as SSH and API keys.
The attack encompasses popular cryptocurrency wallets, including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, along with the Brave browser.
Technical Details
The software integrates hidden instructions to “hijack AI programming assistants” like Claude and Cursor.
“The goal is to trick LLM assistants into running a ‘security scan’ or similar workflow, which results in the discovery and theft of secret information,” Socket reported.
TrapDoor specifically targets popular developer resources such as npm, PyPI, and Crates.
Some npm packages installed a shared module that searched for developers’ sensitive data. Attempts to establish persistence within the system via scheduler tasks, services, and autorun mechanisms were recorded.
In packages for Rust, the detection of local key storage followed by data exfiltration via GitHub Gists was identified. For Python packages, code was downloaded from an external domain and executed via Node.js, allowing for behavioral changes without publishing a new version.
Socket advises considering an environment with such packages as potentially compromised, performing key and token rotation, and verifying the system for persistence mechanisms. Simple removal of the software component is insufficient.
“The names of the malicious modules are crafted to resemble developer assistants, project configuration tools, model routing utilities, prompt engineering packages, Solidity solutions, or assistants for compiling Sui and Move,” stated Socket experts.
GitHub was utilized for the distribution of malicious packages. The attack was executed with the assistance of AI.
The service itself was breached on May 20th, with hackers gaining access to 3800 internal repositories.
Recall that in May, Anthropic published the first report on Project Glasswing, a vulnerability discovery program utilizing the Claude Mythos model.