Hackers secretly targeted crypto and AI developers using TrapDoor malware, stealing wallets, credentials, SSH keys, and sensitive company network access data.
A sneaky cyberattack is targeting software developers, specifically those who work on cryptocurrency and AI. A company called Socket discovered the attack on Friday and published a report about it on Sunday. Socket dubbed the malware campaign “TrapDoor.”
The attack involves over 34 malicious packages. It also has 384 related versions on npm, PyPI, and Crates.io. These are package registries where developers download tools and code.
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026
In other words, hackers hid their dangerous software inside tools that developers already trust. For instance, packages were disguised with names such as “solidity-deploy-guard” and “defi-threat-scanner.”
Furthermore, attackers continued to release new fake packages over the weekend. They uploaded them in waves on all three platforms. This made it much more difficult to trace and quickly neutralize the attack.
What TrapDoor Steals From Developers
Once a developer installs a fake package, the malware goes to work immediately. It does not steal just one thing. Instead, it goes after everything it can find on the computer.
Examples of targeted data are SSH keys, crypto wallets, AWS cloud credentials, GitHub tokens, and browser login databases. These are similar to a master key for a person’s entire digital existence. In addition, stolen SSH keys are then used to gain further access into a developer’s network. This means that a single infected machine can be a gateway to a company.
TrapDoor also employs a very peculiar technique. In particular, the attackers hide instructions in the project files with invisible characters. This fools AI assistants such as Cursor and Claude Code into conducting pretend “security scans.” Those fake scans then covertly steal developer secrets. Even so, the attack looks completely normal from the outside.
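One way to check a project for the hidden-character trick described above, as an added example that is not from Socket's report or this article: a scanner that flags invisible Unicode characters in text files and decodes any "tag" characters back to readable ASCII. It assumes the invisible characters are Unicode format characters (zero-width, bidirectional controls, tag characters) or variation selectors, which the article does not specify; the function names and the sample text are constructed.

```python
import sys
import unicodedata
from pathlib import Path

def is_invisible(ch):
    """True for characters that most editors and diff views render as nothing."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"        # zero-width, bidi controls, tags
            or 0xFE00 <= cp <= 0xFE0F               # variation selectors
            or 0xE0100 <= cp <= 0xE01EF)            # variation selectors supplement

def scan_text(text):
    """Return [(line_no, hidden_count, decoded_tag_text)] for lines with hidden characters."""
    findings = []
    text = text.removeprefix("\ufeff")              # a single leading BOM is legitimate
    for line_no, line in enumerate(text.split("\n"), 1):
        hidden = [c for c in line if is_invisible(c)]
        if hidden:
            # Tag characters U+E0020..U+E007E mirror printable ASCII, so decode them.
            decoded = "".join(chr(ord(c) - 0xE0000) for c in hidden
                              if 0xE0020 <= ord(c) <= 0xE007E)
            findings.append((line_no, len(hidden), decoded))
    return findings

def scan_tree(root):
    """Scan every UTF-8 text file under root; return {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue                                # binary or unreadable file
        found = scan_text(text)
        if found:
            results[str(path)] = found
    return results

# Constructed sample: two tag characters after visible text, then a zero-width space.
SAMPLE = ("# Project rules\nRun the linter before committing.\U000E0068\U000E0069\n"
          "Use 4 spaces.\u200b\n")

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, count, decoded in found:
            print(f"{path}:{line_no}: {count} hidden character(s) {decoded!r}")
```

Emoji sequences and right-to-left text legitimately contain some of these characters, so treat a hit as something to review in a hex view rather than as proof of tampering.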
Also, attackers made requests to add code to popular open-source projects. They inserted harmful files so that those projects would be harmful to anyone who copied them. This shows just how broad and cunning the trap was.
How Fast Was the Attack Caught?
Fortunately, Socket’s security systems responded very quickly. The median detection time was only 5 minutes and 27 seconds. In fact, the quickest detection was only 58 seconds after a package was published. By any standards, that’s a pretty quick turnaround.
However, fast detection does not mean everyone is safe. The campaign had been quietly gathering steam since at least May 19. The attackers unleashed wave after wave of releases over the long weekend. So, some packages might have been downloaded before anyone marked them as unsafe.
Those who installed any of these tools in that time may already be vulnerable. As a result, experts are urging developers to check their recently installed packages carefully. Any suspicious activity should be investigated right away.
Moreover, attackers embedded malicious code in packages that developers use on a daily basis. This is what makes TrapDoor so deadly. It fits in seamlessly with regular work.
Finally, it is a serious warning to the developer community. Tools that appear to be perfectly safe can be dangerous. Most importantly, developers need to remain vigilant, verify their tools, and be aware of any potential data breaches. The best protection against attacks such as this is to be careful.


