Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
Blockchain News

TrapDoor Malware Hits npm, PyPI & Crates.io, Steals Crypto Wallets & SSH Keys

Security firm Socket says the “TrapDoor” campaign spread 34 malicious packages across npm, PyPI, and Crates.io to target crypto, DeFi, Solana, and AI developers by stealing wallets, SSH keys, and cloud credentials.

Written By Dishita Malvania
Published 2026-05-25
Make The Crypto Times preferred on GoogleGoogle
Share
TrapDoor Malware Hits npm, PyPI & Crates.io, Steals Crypto Wallets & SSH Keys
Show AI Summary
TrapDoor’s future impact may compromise sensitive tokens and credentials in crypto and DeFi communities
The attack’s scope is expanding beyond package registries to social engineering on platforms like GitHub
Developers in targeted ecosystems can expect increased vigilance and security measures to counter TrapDoor’s evolving tactics

A large-scale supply chain attack is tearing through three of the biggest open source package ecosystems, and it is going after crypto developers specifically.

Security firm Socket, which first flagged the campaign, is calling it “TrapDoor.” The operation spans 34 malicious packages and more than 384 versions and artifacts published across npm, PyPI, and Crates.io. At the time of Socket’s disclosure on May 24, some packages had already been pulled by registry maintainers while others were still live and downloadable.

The targets are not random. TrapDoor is designed to hit developers working in crypto, DeFi, Solana, AI, and security tooling, the exact communities where wallet keys, cloud credentials, and sensitive tokens are most likely sitting on local machines.

Socket shared the initial findings in a detailed blog post and broke the news on X with a post that called it a “BREAKING” active attack.

Update: We added more GitHub activity to our TrapDoor post and reported the attacker account to GitHub.

Beyond npm/PyPI/Crates.io packages, the account maintained payload/config infrastructure, published AI/security-themed lure repos, and seeded related activity into developer…

— Socket (@SocketSecurity) May 24, 2026

The Latest: Attacker activity goes well beyond package registries

In its most recent update, posted roughly 17 hours ago on X, Socket said it had expanded its TrapDoor investigation and reported the attacker’s GitHub account to the platform.

The key finding is that the attacker was not just pushing poisoned packages. The GitHub account behind TrapDoor also maintained payload and configuration infrastructure, published AI and security-themed lure repositories to attract developer attention, and planted issues and discussions promoting fake “security” workflows in legitimate developer communities.

Socket specifically called out an MCP-style repository named “env-security-scanner,” along with multiple DeFi and security-themed lure repos, as examples of this broader activity. The attacker was essentially building a web of credibility around the malicious packages, making them look like they belonged in a developer’s toolchain.

How the attack unfolded

The first package Socket spotted was eth-security-auditor@0.1.0 on PyPI, uploaded on May 22, 2026, at 20:20:18 UTC. From that point, things moved fast. The attacker published packages in rapid waves throughout the weekend across all three registries, using a small set of accounts to flood the ecosystem.

The package names were picked carefully to look like normal development tools. On npm, names like token-usage-tracker, wallet-security-checker, defi-env-auditor, prompt-engineering-toolkit, and llm-context-compressor were designed to blend right into a developer’s dependency list without raising suspicion. On Crates.io, the campaign zeroed in on Sui and Move developers with packages like sui-move-build-helper and move-compiler-tools. On PyPI, names like cryptowallet-safety and defi-risk-scanner followed the same playbook.

In total, Socket identified 21 npm packages, 7 PyPI packages, and 6 Crates.io packages linked to TrapDoor.

What gets stolen

The list of data TrapDoor goes after is long and alarming. According to Socket’s analysis, the malicious packages are designed to harvest SSH keys, Sui, Solana, and Aptos wallet data, AWS credentials, GitHub tokens, browser profile data and login databases, crypto wallet extension data, environment variables, API keys, and local development configuration files.

That is not just a credential grab. Stolen SSH keys can be reused for lateral movement into CI/CD pipelines, private repositories, and deployment infrastructure. Cloud and GitHub credentials can expose entire organizations.

Three ecosystems, three attack methods

Each ecosystem gets its own tailored execution path.

On npm, the packages use postinstall hooks. The moment you run npm install, a shared payload called trap-core.js fires up. It is a 1,149-line credential harvester that scans for secrets, validates stolen AWS and GitHub tokens through live API calls to check if they are still active, and then digs in for the long haul. 

The persistence mechanisms include .cursorrules files, CLAUDE.md files, Git hooks, shell hooks, systemd services, cron jobs, and SSH-based lateral movement. One package, dev-env-bootstrapper, functions as both malware and a delivery vehicle, helping spread malicious configuration into other developer environments.

On Crates.io, the attack abuses build.rs, which runs automatically during Rust compilation. Before a developer ever runs a single line of the package’s actual code, the build script has already located local keystores, encrypted the data using a hardcoded XOR key, and shipped it off to GitHub Gists.

On PyPI, the packages auto-execute on import, download JavaScript from an attacker-controlled GitHub Pages domain, and run it through node -e. This approach lets the attacker update the payload remotely without ever pushing a new version to PyPI.

The AI angle: Poisoning developer assistants

One of the more striking elements of TrapDoor is how it weaponizes AI coding tools.

The campaign plants hidden instructions inside .cursorrules and CLAUDE.md files using zero-width Unicode characters. These files are commonly used to give project-specific guidance to AI assistants like Cursor and Claude Code. The hidden directives attempt to trick the AI into running what looks like a “security scan” but is actually a data exfiltration routine.

Socket noted that the technique may not work consistently across all tools or models, but the fact that it is being actively deployed signals a new front in supply chain attacks. Developers are now dealing with the possibility that their AI assistants could be turned against them.

Attacker opens pull requests on LangChain, LlamaIndex, MetaGPT, and more

The campaign did not stop at package registries. The same GitHub account, ddjidd564, opened pull requests on several high-profile AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands.

The PRs tried to add .cursorrules or CLAUDE.md files under innocent-sounding titles like “docs: add .cursorrules with dev standards and build verification.” Several referenced the campaign marker P-2024-001 and framed the changes as coding standards or build verification guidelines.

GitHub flagged at least one of these PRs for containing hidden or bidirectional Unicode text. The strategy is clear: get malicious configuration merged into popular open source projects where AI tools will read and follow the embedded instructions.

An entire playbook found in the open

In a somewhat unusual discovery, Socket researchers found an AUDIT-MATRIX.md document inside the attacker’s GitHub Pages repository. The file describes the operation as a “Universal AI Agent Extraction Framework” and lays out a staged workflow for capability detection, data extraction, self-replication, and telemetry reporting.

The document’s “disguise layer” section maps credential theft actions to benign-sounding tasks like security audits, wallet safety checks, and cloud configuration validation. It is, in effect, a blueprint for making data theft look like routine developer tooling.

Socket cautioned that the document describes itself as partially implemented, but the concepts it outlines match the behaviors observed in the live npm payloads.

How fast was it caught?

Socket says it detected TrapDoor releases with a median detection time of 5 minutes and 27 seconds across 381 package-version records. The fastest detection happened just 58 seconds after a malicious package was published.

All identified packages have been classified as malicious, and Socket has reported them to the affected registries. The firm is tracking the campaign on a dedicated page.

What developers should do right now

Anyone working in crypto, DeFi, Solana, Sui, Move, or AI development should check their dependencies immediately against the full list of malicious packages published by Socket. 

If any of these packages made it into your environment, treat it as a full compromise. Rotate all credentials, SSH keys, API keys, and wallet keys. Check for unauthorized systemd services, cron jobs, Git hooks, and shell hooks on your machine. Review any. cursorrules or CLAUDE.md files in your projects for hidden Unicode characters.

The TrapDoor campaign is a reminder that supply chain attacks are no longer just about sneaking a bad package past a registry. Attackers are now building entire ecosystems around their malware, complete with lure repositories, community engagement, AI assistant manipulation, and pull requests against some of the most-watched projects in open source. For crypto developers, the stakes could not be higher.

Also Read: Weekly Wrap: LayerZero Admits $292M Flaw, Bitcoin ETF Sell-Off, Cross-Chain Hacks Grow

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Crypto Hack
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

How Ethereum's AI Agents Are Finding Real Security Vulnerabilities
How Ethereum’s AI Agents Are Finding Real Security Vulnerabilities
MARA Stock Jumps 11% After Texas Power Site Acquisition Deal
MARA Stock Jumps 11% After Texas Power Site Acquisition Deal
LAB Burns 1% of Token Supply After 90% Price Collapse
LAB Burns 1% of Token Supply After 90% Price Collapse
Solana Policy Institute Pushes CFTC to Rethink Crypto Rules
Solana Policy Institute Pushes CFTC to Rethink Crypto Rules
Relay Warns of Scam Tokens Vanishing on Robinhood Chain
Relay Warns of Scam Tokens Vanishing on Robinhood Chain

Find Us on Socials

You may also like

LAB Adds Robinhood Chain Support Amid Rising Network Activity

LAB Adds Robinhood Chain Support Amid Rising Network Activity

Robinhood Chain Sees 70x Jump in ETH Bridging After Mainnet Launch

Robinhood Chain Sees 70x Jump in ETH Bridging After Mainnet Launch

Did Binance Change How It Freezes Stolen Crypto DOJ Memo Sparks Debate

Did Binance Change How It Freezes Stolen Crypto? DOJ Memo Sparks Debate

World Bets on Robinhood Blockchain After Leaving Solana

World Bets on Robinhood Blockchain After Leaving Solana

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information