TrapDoor Malware Infects 34 Dev Packages, Stealing Crypto Keys and Wallets
Socket researchers identified 34 malicious packages spanning 384 versions across npm, PyPI, and Crates.io in a coordinated supply chain campaign. The malware, named TrapDoor, steals SSH keys, crypto wallet data, and cloud credentials targeting developers on Coinbase, Solana, and Sui.

34 malicious packages planted across three registries
Security company Socket identified a coordinated supply chain attack on 22 May 2026. Researchers found 34 malicious packages spanning 384 versions across npm, PyPI, and Crates.io. The campaign, named TrapDoor, targeted developers in crypto, decentralised finance (DeFi), and artificial intelligence (AI). The earliest confirmed package, eth-security-auditor@0.1.0, appeared on PyPI on 22 May 2026 at 20:20 UTC. The campaign distributed 21 packages across npm, seven on PyPI, and six on Crates.io. Packages used deceptive names such as prompt-engineering-toolkit, solidity-deploy-guard, and defi-threat-scanner.
SSH keys, wallets, and cloud credentials all targeted
TrapDoor used a different execution method in each registry. In npm, postinstall hooks ran a 1,149-line JavaScript payload named trap-core.js. In PyPI, packages fetched and executed a remote script from GitHub Pages on import. In Crates.io, malicious build.rs scripts exfiltrated local crypto keystores using XOR encryption.
Stolen data included Secure Shell (SSH) keys and wallet data from Coinbase, Binance, Solana, Sui, Aptos, and MetaMask. Cloud credentials, GitHub tokens, browser login databases, and API keys were also in scope. The Crates.io component targeted Sui and Move developers, extracting wallet keystores from local storage.
Attacker turned AI coding tools into credential theft agents
The attacker poisoned two project configuration files: .cursorrules, used by the Cursor editor, and CLAUDE.md, used by the Claude coding assistant. Zero-width Unicode characters hid malicious commands within both files. When an AI coding tool read either file, it executed what appeared to be a routine security scan. The scan exfiltrated developer credentials to the attacker's infrastructure. The campaign also submitted poisoned pull requests to AI projects LangChain, MetaGPT, and OpenHands.
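As an added defensive example (not from the article and not Socket's code), two checks a developer can run on a repository before letting an AI assistant or a package manager act on it: surfacing invisible Unicode format characters hidden in files such as .cursorrules or CLAUDE.md, and listing the install-time hooks in package.json that the npm variant used to launch its payload. The sample files and the tag-character encoding are constructed; the page does not state which zero-width code points TrapDoor used.

```python
import json
import unicodedata

# Constructed sample (not from the page): a CLAUDE.md whose visible text is
# harmless but which carries text encoded in Unicode tag characters, one way
# to hide content from human reviewers. Assumption: the page does not say
# which zero-width code points TrapDoor used.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hidden instruction here")
SAMPLE_CLAUDE_MD = "# Project rules\n\nRun the linter before commits." + HIDDEN + "\n"

# Constructed package.json with an install-time hook like the npm variant used.
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "example-pkg", "scripts": {"test": "jest", "postinstall": "node trap-core.js"}}
)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def is_invisible(ch: str) -> bool:
    """Unicode format characters (category Cf) render as nothing: zero-width
    spaces and joiners, bidi controls, the BOM and the tag block are all Cf."""
    return unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, U+XXXX) for every invisible code point in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}"))
    return hits


def decode_tags(text: str) -> str:
    """Map tag characters (U+E0020..U+E007E) back to the ASCII they encode,
    i.e. what a model may still read even though the editor shows nothing."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def lifecycle_scripts(package_json: str) -> dict[str, str]:
    """Scripts npm runs automatically at install time; review these before
    installing, since that is where the npm payload was launched from."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


if __name__ == "__main__":
    for line, col, cp in find_invisible(SAMPLE_CLAUDE_MD):
        print(f"CLAUDE.md:{line}:{col} invisible code point {cp}")
    print("decoded hidden text:", repr(decode_tags(SAMPLE_CLAUDE_MD)))
    print("install-time scripts:", lifecycle_scripts(SAMPLE_PACKAGE_JSON))
```

Any non-empty result from either check is a reason to open the file in a hex-aware viewer and to read the hook's script before running the install.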
"hijack your AI coding assistant", 25 May 2026. — Ahmad Nassri, CTO, Socket
Socket detected all 34 packages in under six minutes
Socket flagged all 34 packages in under six minutes on average after each was published. The fastest individual detection took 58 seconds. The attacker operated from a single GitHub account — ddjidd564 — hosting payloads at ddjidd564.github.io. The campaign carried the internal marker P-2024-001. Socket reported no confirmed count of infected developer environments at the time of publication. Registry maintainers at npm, PyPI, and Crates.io received reports of all 34 packages.