TrapDoor Malware Campaign Steals Crypto and Credentials from Developer Tools

A sophisticated supply chain attack named TrapDoor targets crypto, AI, and DeFi developers by distributing malicious packages that steal wallets, keys, and cloud credentials.

Editorial Team · May 25, 2026 · 2 min read · Source: cointelegraph.com

A widespread malware campaign called TrapDoor is actively compromising developer tools used by crypto, decentralized finance (DeFi), and artificial intelligence (AI) communities. The attack infiltrates key ecosystems by distributing malicious packages designed to exfiltrate sensitive information such as cryptocurrency wallets, Secure Shell (SSH) keys, cloud account credentials, GitHub tokens, and API keys.

Discovered by the developer platform Socket, TrapDoor has deployed over 30 malicious packages and nearly 400 variants across major package repositories, including npm for JavaScript, PyPI for Python, and Crates for Rust. These repositories serve as central “app stores” where developers frequently download dependencies, often without scrutinizing the source code, making them vulnerable to such supply chain attacks.

The malware specifically targets wallets linked to major crypto platforms like Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, in addition to the Brave browser. It also employs subtle tactics to manipulate AI coding assistants like Claude and Cursor, tricking these tools into performing workflows that expose sensitive secrets. The campaign’s malicious packages masquerade as legitimate developer helpers, ranging from Solidity and Sui build tools to prompt engineering utilities.

GitHub plays a significant role in this threat vector, having been used to distribute these packages or related code repositories. The attack exhibits characteristics of AI-assisted development methods, with rapid deployment cycles and partially implemented exfiltration features combined with functional malware components. This aligns with recent events where GitHub itself reported unauthorized access to internal repositories after compromising an employee’s device, pointing to a broader security risk within developer infrastructure.

TrapDoor exploits the trust developers place in widespread open-source ecosystems and the automation AI tools provide, revealing how attackers can leverage these assets to steal credentials and cryptocurrency assets. Increasing vigilance and thorough auditing of third-party dependencies are essential safeguards for developers operating in these high-risk sectors.