The attackers behind TrapDoor went after more than wallets and passwords — they embedded hidden instructions inside packages designed to manipulate AI coding assistants.
According to security firm Socket, the goal was to trick tools like Claude and Cursor into running what appeared to be routine security scans, which would then quietly discover and send out secrets stored on a developer’s machine.
Socket, a developer security platform, detected the campaign on Friday and published its findings on Sunday. Reports say the operation had already pushed out more than 34 malicious packages and 384 related versions by the time it was uncovered, with attackers continuing to release new updates across multiple software ecosystems.
BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026
Wallets, Keys, And Cloud Credentials All At Risk
The malware cast a wide net. Socket said TrapDoor was built to steal data from several major crypto wallets — Coinbase, Binance, Solana, Sui, Aptos, and MetaMask — as well as the Brave browser. Beyond wallet data, the malware also went after SSH keys, cloud credentials, GitHub tokens, browser extension data, and API keys.
34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.
The malware… pic.twitter.com/GJKcgUK9RK
— The Hacker News (@TheHackersNews) May 25, 2026
The campaign spread across three major developer package repositories: npm, which serves JavaScript and Node.js developers; PyPI, used widely in Python, data science, and automation work; and Crates, the package hub for Rust developers.
Package names were chosen carefully to look like standard tools — development helpers, project setup utilities, prompt engineering packages, and Solidity or Sui build helpers — making them easy to overlook during a routine install.
Socket’s chief technology officer Ahmad Nassri said on Sunday that the GitHub activity tied to the campaign showed signs of AI-assisted development, pointing to broad security-themed templates, generic lure repositories, and a mix of partially built extraction ideas alongside working malware components.
Signs Of A Larger, Coordinated Operation
The timing of the campaign raised questions given that GitHub had reported unauthorized access to its internal repositories on May 20, just days before TrapDoor was detected. That breach followed the compromise of an employee’s device, according to reports.
Socket described TrapDoor as a coordinated attack aimed squarely at crypto, decentralized finance, AI, and security developers — communities where sensitive credentials and wallet access are common.
The campaign gave attackers broad reach precisely because the targeted developer communities often work across the same tools and ecosystems.
Featured image from Unsplash, chart from TradingView
