The platform Socket has reported a supply chain attack targeting developers of cryptocurrencies and AI systems, aimed at stealing digital assets and data.
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026
On May 22, the firm identified a malicious campaign named TrapDoor. The attack involved more than 34 malicious packages and 384 associated versions. The perpetrators repeatedly released new variations across different ecosystems.
The malware targets developers of cryptocurrencies, DeFi, AI, and security systems. It steals wallet data, cloud service accounts, browser extensions, GitHub tokens, as well as SSH and API keys.
The attack includes popular cryptocurrency wallets such as Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, as well as the Brave web browser.
Technical Details
The software embeds hidden instructions to “capture AI programming assistants” like Claude and Cursor.
“The goal is to trick LLM assistants into running a ‘security scan’ or a similar workflow that leads to the discovery and theft of secret information,” Socket reported.
TrapDoor specifically targets popular developer resources like npm, PyPI, and Crates.
Some npm packages installed a common module that searched for developers’ secret data. Attempts to establish persistence in the system through scheduler tasks, services, and autostart mechanisms were recorded.
In Rust packages, a search for local key stores was detected, followed by data transmission via GitHub Gists. In Python packages, code was loaded from an external domain and executed via Node.js, allowing behavior changes without publishing a new version.
Socket recommends considering environments with such packages installed as potentially compromised, changing keys and tokens, and checking the system for persistence mechanisms. Simply removing the software component is insufficient.
“The names of the malicious modules are crafted to appear as developer helpers, project setup tools, model routing utilities, prompt engineering packages, solutions for Solidity, or assistants for building Sui and Move,” Socket experts explained.
GitHub was used to distribute the malicious packages. The attack was carried out using AI.
The service itself was hacked on May 20, with hackers gaining access to 3,800 internal repositories.
In May, Anthropic published its first report on Project Glasswing — a vulnerability search program using the Claude Mythos model.