- Trending
- Comments
- Latest
Security researchers have identified a malware campaign called TrapDoor that has spread across more than 34 malicious packages on npm, PyPI, and Rust’s Crates ecosystem, targeting crypto and AI developers to steal wallet credentials, GitHub tokens, SSH keys, and cloud access details.
According to a report published Sunday, 24th May 2026, the operation has already spread across major open-source ecosystems used by blockchain, DeFi, and artificial intelligence developers.
According to Socket’s findings, the attackers disguised the malware as ordinary development utilities, including project setup tools, Solidity frameworks, AI prompt-engineering packages, and software for Move- and Sui-based blockchain applications.
The report said the campaign specifically targeted developers connected to major crypto ecosystems and platforms linked to Coinbase, Binance, MetaMask, and Brave, alongside blockchain networks such as Solana, Sui, and Aptos.
Socket researchers also warned that some of the malicious packages deployed a shared payload known as trap-core.js, which scans infected systems for credentials, validates AWS and GitHub access tokens, and attempts lateral movement using SSH-based access methods.
One of the more alarming elements of the campaign is its reported use of prompt injection techniques aimed at AI coding assistants.
Researchers said the attackers attempted to manipulate tools such as Claude and Cursor by embedding hidden instructions into development workflows.
According to the report, the malware pushed fake “security scan” prompts designed to trick AI tools into exposing secrets and transmitting sensitive information back to the attackers.
GitHub repositories associated with the campaign reportedly showed signs of AI-assisted malware development, including automatically generated lure repositories and partially completed malicious components.
“TrapDoor targets developers in crypto, DeFi, Solana, and AI communities,” — Socket researchers, in a published security analysis.
The disclosure comes just days after GitHub confirmed that unauthorized actors had gained access to internal repositories after compromising an employee device on May 20.
The TrapDoor operation reflects a broader trend of increasingly sophisticated attacks aimed at cryptocurrency developers and infrastructure providers.
Security analysts have repeatedly warned that software supply chains and open-source ecosystems are becoming preferred entry points for attackers seeking access to wallets, private keys, and cloud environments.
The latest incident follows several high-profile malware campaigns targeting crypto users and developers through fake wallet applications, malicious browser extensions, and trojanized plugins.
Earlier research from cybersecurity firms also documented attacks that leveraged collaboration tools, fake Zoom meetings, and social engineering tactics to infiltrate crypto organizations.
For crypto investors and blockchain startups, the campaign underscores the growing operational risks tied to developer infrastructure and third-party dependencies.
With decentralized finance platforms and blockchain projects increasingly relying on open-source tooling and AI-assisted coding environments.
Cybersecurity researchers warn that attacks targeting developers could have downstream implications for wallets, smart contracts, and digital asset security.
Copyright © 2025 - The Bit Gazette.
