A widespread supply chain attack called 'TrapDoor' is targeting developers in the crypto and artificial intelligence space, aiming to steal cryptocurrency, data, or credentials.
Socket, a developer security platform, reported Sunday that it had discovered the active campaign on Friday. The attackers have deployed over 34 malicious packages and 384 related versions across multiple ecosystems, including npm, PyPI, and Crates.
The malware targets developers in crypto, decentralized finance, AI, and security by stealing wallet data, SSH keys, cloud credentials, GitHub tokens, browser extension data, and API keys. It specifically goes after popular crypto wallets like Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, as well as the Brave browser.
Socket CTO Ahmad Nassri said the malware also injects hidden instructions to hijack AI coding assistants like Claude and Cursor, attempting to trick them into running a 'security scan' that leads to secret discovery and data exfiltration.

The malicious packages are disguised as development helpers, project setup tools, and build helpers for Solidity, Sui, and Move. Socket noted the attack appears AI-assisted, with GitHub activity showing rapid iteration and prompt injection techniques. GitHub itself suffered a breach on May 20 when an employee's device was compromised, leading to unauthorized access to internal repositories.