Developer security platform Socket has discovered an active supply chain attack targeting crypto and AI developers. The campaign, named TrapDoor, deployed over 34 malicious packages across 384 versions in three major package registries simultaneously. Socket detected the attack on Friday, May 23, and published a detailed report on Sunday, May 25, 2026.
How the Attack Works
TrapDoor hides malicious code inside libraries whose names mimic legitimate developer tools. The packages pose as project helpers, environment setup utilities, and tools for Solidity and Move. Socket found names such as "model routing utilities", "prompt engineering packages" and "Sui or Move build helpers" that blend naturally into real dependency lists of modern crypto and AI projects.
Once installed, the malicious code injects hidden instructions into AI coding assistants, including Claude and Cursor. The goal is to trick the assistant into running a fake "security scan" and sending discovered credentials to attacker-controlled servers. Where attackers once tried to bypass developers directly, they now target the developer's AI assistant instead.
Socket CTO Ahmad Nassri said the attack shows signs of AI-assisted development on the attacker side. Repositories on GitHub display hundreds of rapid iterations with minimal changes between versions. Socket described the campaign's GitHub activity as having broad security-themed scaffolding, generic lure repositories, and prompt-injection documentation mixed with working malware components.
That pattern points to generative tooling being used to keep each new version slightly different, making the campaign a moving target for automated detection systems.
Targets and Stolen Data
The campaign focuses on developers working in crypto, DeFi, AI and cybersecurity. Nassri listed specific wallet software targeted by the malware: Coinbase, Binance, Solana, Sui, Aptos and MetaMask, along with the Brave browser. Developers in these ecosystems typically store private keys, test tokens and CI/CD credentials on their work machines, making them high-value targets.
Socket explained the target selection: adjacent developer communities in crypto and AI tend to have wallets, cloud credentials, GitHub tokens and SSH keys all present on the same machine. A single successful install can yield far more than a typical phishing attack against an end user.
TrapDoor steals SSH keys, GitHub tokens, API keys, browser extension data and cloud service credentials. The malware also drains data from any installed crypto wallet software accessible from the compromised machine. The attack spans npm for JavaScript/Node.js, PyPI for Python and Crates for Rust, giving it reach across web development, data science and blockchain projects.
Disguise Tactics and Distribution
Attackers carefully chose package names to match real developer needs. Socket categorized the lures as "development helpers", "project setup tools", "Solidity tooling" and "Sui or Move build helpers". Each name fits naturally among typical dependencies in modern crypto or AI projects, making detection without active scanning difficult for most teams.
GitHub served as a distribution channel as well. Socket found lure repositories there containing scaffolding documentation and prompt injection files alongside working malware components. GitHub plays a dual role in this attack: a platform for hosting lure repositories and a path through which malicious packages eventually reach the npm, PyPI or Crates registries.
On May 20, GitHub separately reported unauthorized access to its own internal repositories after an employee's device was compromised. No direct link between the two incidents has been established, but both occurred within one week inside a critical piece of developer infrastructure.
Growing Wave of Attacks on Crypto Developers
Package repository attacks have become a regular tactic for groups focused on stealing from crypto developers. Attackers count on developers installing dozens of dependencies daily, rarely checking the source of each one. In large projects with hundreds of transitive dependencies, a malicious package is far easier to hide than in a small codebase.
These attacks are showing up more often in crypto and AI specifically because developers in those spaces typically have access to real assets and production systems from their development machines. That makes compromising a single workstation far more valuable to an attacker than targeting an average end user.
Socket urged developers to check for the identified packages in their own environments and remove them immediately. The company published the full list of 34 malicious packages in its May 25 report. Developers are also advised to rotate any tokens and keys stored on machines where packages from npm, PyPI or Crates were installed over the past several weeks.
Comments
Your email address will not be published. Required fields are marked *