Security researchers at Socket have uncovered a supply-chain attack dubbed 'TrapDoor,' targeting developers across npm, PyPI, and Crates.io with over 34 malicious packages. The campaign specifically aims to steal wallet data from blockchains like Solana, Sui, and Aptos, along with SSH keys, GitHub tokens, cloud credentials, and browser data.
The packages were disguised as developer tools, including names like 'wallet-security-checker' and 'move-compiler-tools,' designed to blend in. Once installed, the malware scanned machines for private keys, passwords, and credentials, tested stolen access, and left behind persistent backdoors.
Notably, the attackers planted hidden instructions, written with zero-width Unicode characters, in configuration files for AI coding tools, potentially turning future AI sessions into data exfiltration tools. Socket has reported the packages to the affected registries and warns that the attackers are still attempting to spread the malware through open-source contributions.
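One defender-side check the report implies, added here as an example and not Socket's tooling or code from the campaign: a scanner that flags runs of zero-width and other invisible Unicode code points in text files such as AI coding tool rules files. The sample rules text is constructed, and including the Unicode tag block (another invisible range the report does not name) is an assumption.

```python
from pathlib import Path

# Code points that render as nothing and are therefore usable for hiding text:
# zero-width spaces/joiners, word joiner, invisible operators, BOM, Mongolian
# vowel separator and bidirectional control characters.
INVISIBLE = {
    0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0x2064,
    0xFEFF, 0x180E, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
}
# Assumption: the Unicode "tag" block is also invisible and worth flagging.
TAG_BLOCK = range(0xE0000, 0xE0080)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return cp in INVISIBLE or cp in TAG_BLOCK


def find_hidden_runs(text: str) -> list[tuple[int, int, int]]:
    """Return (line_no, col, length) for every run of invisible code points.

    A single U+FEFF at the very start of the text is a byte-order mark and is
    treated as benign; columns on line 1 are then counted after it.
    """
    if text.startswith("\ufeff"):
        text = text[1:]
    runs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if is_invisible(line[col]):
                start = col
                while col < len(line) and is_invisible(line[col]):
                    col += 1
                runs.append((line_no, start, col - start))
            else:
                col += 1
    return runs


def scan_paths(paths) -> dict[str, list[tuple[int, int, int]]]:
    """Scan each file and map its path to the hidden runs found in it."""
    findings = {}
    for p in paths:
        runs = find_hidden_runs(Path(p).read_text(encoding="utf-8", errors="replace"))
        if runs:
            findings[str(p)] = runs
    return findings


# Constructed sample: a rules file whose second line carries a hidden payload
# as a run of zero-width characters between two ordinary words.
SAMPLE_RULES = "Always write idiomatic Rust.\nPrefer small\u200b\u200c\u200b\u200d\u200b functions.\n"

if __name__ == "__main__":
    for line_no, col, length in find_hidden_runs(SAMPLE_RULES):
        print(f"line {line_no} col {col}: {length} invisible code point(s)")
```

Run `scan_paths` over the rules and configuration files a project keeps for AI assistants, and treat any non-empty result as something to review by hand, since the characters will not show in a normal editor view.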