A coordinated malware campaign is actively targeting crypto and artificial intelligence developers, with attackers embedding malicious packages across three major developer ecosystems in an attempt to steal wallet data, cloud credentials, SSH keys, and browser information.
Developer security platform Socket discovered the campaign on Friday and published its findings on Sunday, naming the malware “TrapDoor.” In the short window since its detection, the campaign has already deployed more than 34 malicious packages and 384 related versions, with attackers continuously pushing new releases to stay ahead of detection.
What TrapDoor targets
The malware has been found across npm, the package registry used by JavaScript and Node.js developers, as well as PyPI, the equivalent for Python developers widely used in data science, AI, and automation, and Crates, the package store for Rust developers. Together, these three ecosystems represent a large share of active software development globally.
TrapDoor is designed to steal a broad range of sensitive data including crypto wallet credentials, SSH keys, GitHub tokens, cloud credentials, browser extension data, and API keys. It specifically targets popular crypto wallets including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, along with the Brave browser.
AI coding assistants used as attack vectors
One of the more technically sophisticated elements of TrapDoor is its ability to inject hidden instructions into AI coding assistants, specifically targeting tools widely used by developers. According to Socket CTO Ahmad Nassri, the malware is designed to trick AI assistants into running what appears to be a routine “security scan”, a workflow that then secretly discovers and exfiltrates sensitive credentials from the developer’s environment.
Socket described the campaign as appearing to be AI-assisted itself, noting that the GitHub activity behind the attack showed “broad security-themed scaffolding, generic lure repositories, prompt-injection documentation, and partially implemented extraction concepts mixed with working malware components”, a pattern consistent with rapid, AI-driven iteration.
Packages designed to blend in
The malicious packages were deliberately crafted with names that mimic legitimate developer tools, including development helpers, project setup utilities, model routing packages, prompt engineering libraries, Solidity tooling, and Sui or Move build helpers. The naming strategy gives the campaign broad reach across crypto, DeFi, AI, and security developer communities, all of whom are likely to have the exact credentials TrapDoor is hunting for.
GitHub has been used as a distribution channel for the malicious packages. The timing is notable, GitHub itself reported unauthorised access to its internal repositories on May 20, following the compromise of an employee’s device, adding a further layer of concern for developers relying on the platform.
A growing threat to developer supply chains
The TrapDoor campaign is part of a broader and accelerating pattern of supply chain attacks targeting the crypto and AI development communities. Rather than attacking end users directly, threat actors are increasingly poisoning the tools and package repositories that developers install as a routine part of their workflow, trusting them without scrutiny.
Developers working across crypto, DeFi, and AI are advised to audit their installed packages carefully, verify publisher authenticity, and treat any unexpected “security scan” prompts from AI coding assistants with immediate suspicion.
