‘TrapDoor’ malware targets crypto dev tools in supply chain attack

A supply chain attack dubbed TrapDoor is targeting developers in the crypto, AI, and security sectors to steal sensitive data, including wallet credentials, SSH keys, and GitHub tokens. Socket, a developer platform, reported discovering the campaign on May 25, 2026, after identifying over 34 malicious packages and 384 related versions across ecosystems like npm, PyPI, and Crates. The malware specifically infiltrates popular developer tools, mimicking legitimate packages such as development helpers, Solidity tooling, and prompt engineering utilities. It also targets major crypto wallets like Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, alongside the Brave browser. Socket’s chief technology officer, Ahmad Nassri, noted the malware injects hidden commands to hijack AI coding assistants, including Claude and Cursor, under the guise of a 'security scan.' The attack leverages GitHub to distribute malicious packages, with activity patterns suggesting AI-assisted development, including generic repositories and partially implemented extraction concepts. Socket highlighted that the campaign exploits developer workflows, where trust in package managers often bypasses security checks. This attack follows a May 20 incident where GitHub reported unauthorized access to internal repositories due to a compromised employee device. The TrapDoor campaign underscores growing risks for developers in high-value sectors, where malicious actors exploit trust in open-source ecosystems to deploy sophisticated theft mechanisms.