TrapDoor malware crypto developers face 34+ poisoned packages across npm, PyPI, Rust

A new supply-chain threat is putting one of crypto’s most trusted habits under pressure: installing everyday coding tools. Researchers say the TrapDoor malware crypto developers need to watch for is spreading through fake packages that look routine, then quietly siphoning off wallet data, API keys, cloud credentials, and SSH access.

That matters because the targets are not random users clicking suspicious links. Instead, this campaign is aimed at developers working in cryptocurrency, DeFi, artificial intelligence, and security infrastructure, where a single exposed credential can open the door to wallets, repositories, cloud systems, and internal environments.

Socket, the developer security platform tracking the activity, said the operation has already moved through more than 34 malicious developer packages across npm, PyPI, and Rust ecosystems, affecting at least 384 connected versions. As a result, the scale points to a broad attempt to poison the software supply chain at the point where developers are most likely to trust what they install.

How the TrapDoor malware spreads through developer tools

TrapDoor malware crypto developers are being warned about uses a deceptively simple method. Attackers disguise poisoned packages as common development utilities, making them look like tools a programmer might grab during an ordinary work session.

According to Socket’s findings, the malicious packages appeared across npm, PyPI, and Rust ecosystems. That gave the campaign reach into JavaScript, Python, AI, automation, and blockchain development communities at the same time.

The packages were presented as familiar helpers, including tools tied to project setup, model routing, Solidity frameworks, prompt engineering, and build workflows for Sui and Move-based applications. In other words, the campaign did not rely on exotic bait. It leaned on the normal rhythm of software development.

This is why the TrapDoor campaign stands out as more than another isolated infection. A supply chain attack works by abusing trust already built into open-source workflows. Instead of breaking through a company’s perimeter, attackers wait for developers to pull the malware inside themselves.

Who the campaign targets and what it steals

The most sensitive targets in this operation are the people with keys, tokens, and infrastructure access.

Socket said the attack uses malicious developer packages to steal:

• wallet data
• API keys
• cloud credentials
• SSH access
• GitHub tokens
• browser data

The campaign focused on developers in crypto, decentralized finance, artificial intelligence, and security infrastructure. Those roles tend to sit close to high-value systems, which makes them attractive targets even when the end goal is not immediately visible.

Among the named services and ecosystems linked to the targeting are Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos. However, the reporting does not confirm that those companies or platforms were directly compromised. The safer takeaway is that wallets and platforms connected to those brands were part of the attacker’s focus.

That distinction matters. In crypto, developer access can be as valuable as customer access, sometimes more so. A stolen wallet credential or repository token can create downstream risks that spread far beyond one machine, especially when teams manage infrastructure, smart contract tooling, or exchange-related integrations.

Why AI coding assistants are now part of the attack surface

One of the most striking parts of the TrapDoor campaign is how it appears to push beyond credential theft and into AI-assisted coding workflows.

Ahmad Nassri, Socket’s chief technology officer, said the malware also attempts to manipulate coding assistants such as Claude and Cursor by injecting hidden prompts into development workflows. Socket said the attackers appear to be trying to get AI tools to perform fake “security scans” that expose secrets and send them back to the operators.

That is a notable shift. The attack is no longer just about a developer accidentally installing a bad package. It also appears designed to influence the tools developers increasingly rely on to review code, automate tasks, and move faster.

If that approach gains traction, the implications are bigger than one malware family. It suggests attackers are starting to treat AI coding assistants as another pathway into sensitive environments, especially in crypto and infrastructure teams where prompts, scripts, and automation often touch production systems.

Why this matters for crypto and AI teams

The TrapDoor malware crypto developers are dealing with highlights a painful reality for modern software teams: convenience is now part of the threat model.

Open-source repositories and package managers are essential to building quickly. AI coding tools are becoming just as embedded. When attackers combine fake utilities with prompt manipulation, they are attacking two pillars of modern development at once.

That raises the stakes for crypto teams in particular. Wallet tooling, chain integrations, deployment scripts, signing infrastructure, and cloud environments often live close together. Consequently, a compromise in one part of that stack can quickly become much more than simple wallet data theft.

GitHub’s separate incident adds to the pressure

Socket also said GitHub repositories linked to the operation showed signs of AI-assisted development activity, including rapidly generated lure repositories, partially completed malware components, and prompt-injection documentation built around security themes.

Separately, GitHub disclosed on May 20 that unauthorized actors accessed internal repositories after an employee device was compromised. That incident should not be conflated with TrapDoor, but its timing adds to a broader sense of pressure around developer infrastructure and internal code environments.

The overlap is less about direct connection and more about what it says about the moment. Code repositories, package registries, collaboration tools, and AI helpers are all becoming contested spaces.

A wider pattern is taking shape

TrapDoor does not exist in isolation. It fits a growing run of attacks aimed at crypto professionals through the tools they use every day.

Recent research from Elastic Security Labs described a separate campaign using the Obsidian note-taking app to target cryptocurrency and finance professionals with malware called PHANTOMPULSE. CertiK, meanwhile, warned in April about North Korea-linked Lazarus Group tactics involving fake Zoom meetings, compromised Telegram accounts, and social engineering against crypto executives and fintech workers.

Those are distinct operations, not evidence that the same actors are behind TrapDoor. Still, together they point in the same direction: attackers are increasingly going after trusted workflows instead of brute-forcing their way in.

For crypto firms and AI-focused developer teams, that means the battleground has shifted. The next major breach may not begin with a dramatic exploit. It may start with a package name that looks helpful, a tool that feels familiar, or an AI prompt that appears to be doing exactly what it was asked.