2 Sources
[1]
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of accounts in quick succession. "TrapDoor targets developers in crypto, DeFi, Solana, and AI communities," Socket said. "The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables." "Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH." It's worth noting that the activity has no connection to another campaign of the same name that HUMAN's Satori Threat Intelligence and Research Team detailed last week as engaging in ad fraud by distributing 455 Android apps through the Google Play Store. The list of identified packages is below - The operation is notable for its diverse delivery paths, using postinstall hooks, remote JavaScript payloads that are executed during package imports, and malicious build.rs scripts to target Sui and Move developers. The packages masquerade as seemingly harmless tools, giving attackers the ability to reach a broad audience. The npm packages have been found to run a JavaScript payload ("trap-core.js"), which scans for credentials and developer secrets, validates stolen credentials using AWS and GitHub API calls, and creates persistence on the host using cron jobs, systemd services, Git hooks, and moves across the network via SSH. 
The Rust crates, in a similar fashion, search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. The packages are also noteworthy for the use of a build script ("build.rs") to trigger the execution of the malicious code. The Python packages associated with TrapDoor are designed such that they are auto-executed on import. The primary goal of the packages is to download JavaScript from an attacker-controlled GitHub Pages domain ("ddjidd564.github[.]io"), and run it using "node -e." "This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication," Socket explained. "By hosting the payload externally, the attacker can update behavior without publishing a new PyPI release." An unusual aspect of the campaign is the implanting of .cursorrules and CLAUDE.md containing hidden instructions to trick artificial intelligence (AI) assistants into running a "security scan" that results in secret discovery and exfiltration. This is achieved by opening GitHub pull requests (PRs) across popular AI and developer projects, including "browser-use/browser-use," "langchain-ai/langchain," and "langflow-ai/langflow." The PR activity indicates that TrapDoor extends beyond pushing malicious packages to open-source ecosystems. Socket said the threat actor is likely testing whether AI-related project files can be introduced through regular open-source contribution workflows, thereby causing AI coding tools to parse those hidden instructions and apply them. The findings once again demonstrate how threat actors are increasingly targeting developer workflows, aiming to steal a wide range of information that could make it possible to burrow deeper into target environments for follow-on attacks. "TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths," Socket said. 
"The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python."
[2]
TrapDoor Malware Targets Crypto Developer Tools
Socket says a campaign of malicious packages is aiming to steal crypto and is injecting hidden instructions that hijack popular AI coding assistants. An active supply chain attack is targeting crypto and artificial intelligence developers in a bid to steal crypto, data or credentials, says the developer platform Socket. Socket said in a report on Sunday that it discovered the malware campaign, which it dubbed "TrapDoor," on Friday, and the campaign has deployed more than 34 malicious packages and 384 related versions, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets crypto, decentralized finance, AI, and security developers, stealing wallet data, Secure Shell, or SSH keys, cloud credentials, GitHub tokens, browser extension data and API keys, Socket said. The malware also targets popular crypto wallets, including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask in addition to the Brave internet browser, Socket chief technology officer Ahmad Nassri said on Sunday. Nassri said the malware injects hidden instructions to "hijack your AI coding assistant," targeting Claude and Cursor. "The goal appears to be to trick AI assistants into running a 'security scan' or similar workflow that causes secret discovery and exfiltration," Socket said. Crypto and AI developers have increasingly become targets as malicious actors have been loading poisoned packages into "app stores" for developers, knowing they will install them as part of their normal workflow, often without checking. TrapDoor specifically targets popular developer resources such as npm (node package manager), the package store for JavaScript/Node.js developers, the language behind most websites and web apps. It was also found in PyPI, the equivalent for Python developers, which is widely used in data science, AI, and automation, and Crates, the same thing for Rust developers. 
The malicious package names are crafted to look like "development helpers, project setup tools, model routing utilities, prompt engineering packages, Solidity tooling, and Sui or Move build helpers," Socket said. "This gives the campaign broad reach across adjacent developer communities where crypto wallets, cloud credentials, GitHub tokens, and SSH keys are likely to be present," it added. Developer platform GitHub has been used to disseminate the malicious packages, Socket said, adding the attack appeared to be AI-assisted. "The GitHub activity shows signs of rapid, AI-assisted-style iteration: broad security-themed scaffolding, generic lure repositories, prompt-injection documentation, and partially implemented extraction concepts mixed with working malware components." GitHub itself was compromised on May 20 when it reported unauthorized access to its internal repositories following the compromise of an employee's device.
A sophisticated supply chain attack called TrapDoor has infiltrated npm, PyPI, and Crates.io with over 34 malicious packages designed to steal crypto wallets, SSH keys, and cloud credentials from developers. The campaign uses a novel technique to hijack AI coding assistants like Claude and Cursor, tricking them into executing hidden instructions that exfiltrate sensitive data.
A coordinated supply chain attack campaign dubbed TrapDoor has emerged across multiple developer ecosystems, distributing credential-stealing malware through malicious packages on npm, PyPI, and Crates.io [1]. Developer platform Socket detected the campaign on Friday, revealing that it spans more than 34 malicious packages across over 384 versions, with the earliest activity recorded on May 22, 2026, at 8:20 p.m. UTC [1]. The operation specifically targets developers in the crypto, DeFi, Solana, and AI communities, with attackers repeatedly pushing new releases across ecosystems in waves from a cluster of accounts in quick succession [1][2].
Source: Hacker News
The malicious packages are engineered to extract developer secrets, crypto wallet information, SSH keys, cloud credentials, browser data, and environment variables from infected systems [1]. Socket chief technology officer Ahmad Nassri confirmed that the malware targets popular crypto wallets, including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, in addition to the Brave internet browser [2]. Several npm packages deploy a shared payload called trap-core.js that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH [1]. The operation is notable for its diverse delivery paths, using postinstall hooks, remote JavaScript payloads executed during package imports, and malicious build.rs scripts to target Sui and Move developers [1].
An unusual aspect of the campaign involves implanting .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI coding assistants like Claude and Cursor into running a "security scan" that results in secret discovery and exfiltration [1][2]. The threat actor has been opening GitHub pull requests across popular AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow, testing whether AI-related project files can be introduced through regular open-source contribution workflows [1]. This approach extends the attack beyond pushing malicious packages to open-source ecosystems, potentially causing AI coding tools to parse those hidden instructions and apply them automatically.
The campaign demonstrates technical sophistication through ecosystem-specific execution paths tailored to each platform. The npm packages run a JavaScript payload that scans for credentials, validates stolen credentials using AWS and GitHub API calls, creates persistence on the host using cron jobs, systemd services, and Git hooks, and moves across the network via SSH [1]. The Rust crates search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists, using a build script to trigger malicious code execution [1]. The Python packages are designed for auto-execution on import, downloading JavaScript from an attacker-controlled GitHub Pages domain and running it using node -e, allowing the attacker to update behavior without publishing a new PyPI release [1].
Socket's analysis suggests the attack shows signs of AI-assisted iteration, with broad security-themed scaffolding, generic lure repositories, prompt-injection documentation, and partially implemented extraction concepts mixed with working malware components [2]. The malicious package names are crafted to appear relevant to crypto development, AI tooling, local environment setup, and security workflows, giving the campaign broad reach across adjacent developer communities where crypto wallets, cloud credentials, GitHub tokens, and SSH keys are likely to be present [1][2]. The findings demonstrate how threat actors are increasingly targeting developer workflows, aiming to steal a wide range of information that could enable them to burrow deeper into target environments for follow-on attacks, representing a significant evolution in the threat landscape facing modern development teams.
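For defenders, the automatic execution and persistence paths named above (npm install hooks, Rust build.rs scripts, .cursorrules and CLAUDE.md files, Git hooks) can be inventoried in a checked-out project before anything is installed or built. The Python sketch below is an added example, not code from Socket or from either source article; the sample tree and its package names are constructed, and the script only lists where automatic execution can occur without judging whether a finding is malicious.

```python
import json
import os
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")
# Assistant instruction files the article names as persistence targets.
AI_INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}

def audit_tree(root):
    """Return sorted (kind, path, detail) findings for auto-run hooks under root."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        rel = lambda name: (here / name).relative_to(root).as_posix()
        if "package.json" in files:
            try:
                scripts = json.loads((here / "package.json").read_text(encoding="utf-8")).get("scripts", {})
            except (OSError, ValueError, AttributeError):
                scripts = {}  # unreadable or non-object manifest
            findings += [("npm-install-script", rel("package.json"), f"{n}: {scripts[n]}")
                         for n in NPM_INSTALL_SCRIPTS if isinstance(scripts, dict) and n in scripts]
        # Default build-script location only; a `build = "..."` override in Cargo.toml is not parsed.
        if "Cargo.toml" in files and "build.rs" in files:
            findings.append(("cargo-build-script", rel("build.rs"), "compiled and run by cargo build"))
        for name in files:
            if name in AI_INSTRUCTION_FILES:
                findings.append(("ai-instruction-file", rel(name), "read by AI coding assistants"))
            elif here.name == "hooks" and here.parent.name == ".git" and not name.endswith(".sample"):
                findings.append(("git-hook", rel(name), "run by git on the matching event"))
    return sorted(findings)

def audit_sample():
    """Build a constructed sample project (hypothetical names) and audit it."""
    files = {
        "node_modules/example-helper/package.json": '{"scripts": {"postinstall": "node setup.js"}}',
        "vendor/example-crate/Cargo.toml": '[package]\nname = "example-crate"\n',
        "vendor/example-crate/build.rs": "fn main() {}\n",
        "CLAUDE.md": "# project notes\n",
        ".git/hooks/pre-commit": "#!/bin/sh\n",
        ".git/hooks/pre-push.sample": "#!/bin/sh\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for path, body in files.items():
            target = Path(tmp) / path
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_tree(tmp)
```

Import-time execution in Python packages leaves no manifest marker, so it is outside what this inventory can show.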
Source: Cointelegraph
Summarized by
Navi