Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

SlowMist Says TrapDoor is One of 2026’s Largest Supply Chain Attacks

The report said that researchers found 34 malicious packages and 384 infected versions targeting crypto, DeFi, Solana, Sui, and AI developers.

Written By Kenrodgers Fabian
Fact Checked by Dishita Malvania
Published 2026-05-28
Make The Crypto Times preferred on GoogleGoogle
Share
SlowMist Says TrapDoor is One of 2026’s Largest Supply Chain Attacks
Show AI Summary
Attackers inserted malicious code into installation and build processes, activating malware automatically upon dependency downloads
Over 34 malicious packages and 384 infected versions were uploaded to npm, PyPI, and Crates.io, targeting crypto and AI developers
Malware stole sensitive data, including SSH keys and AWS credentials, by disguising traffic as normal coding activity via trusted services

Cybersecurity researchers have uncovered a major software supply chain attack that targeted crypto and artificial intelligence (AI) developers across several popular open-source platforms. Security firm SlowMist said the campaign, known as “TrapDoor,” spread through malicious software packages uploaded to npm, PyPI, and Crates.io, exposing crypto wallets, cloud credentials, and sensitive developer access keys.

The warning came after security platform Socket first identified the operation on May 24. Researchers said attackers uploaded more than 34 malicious packages and 384 infected versions disguised as legitimate developer tools. The campaign mainly targeted teams building crypto, DeFi, Solana, Sui, and AI-related applications.

✍️We have released an in-depth technical analysis report on the #TrapDoor cross-ecosystem supply chain credential theft campaign.

TrapDoor was first disclosed by the @SocketSecurity on May 24. Subsequently, we conducted continuous threat hunting through our MistEye threat… https://t.co/dh3vGfuux2

— SlowMist (@SlowMist_Team) May 28, 2026

According to SlowMist, the attackers inserted hidden malicious code directly into the installation and build processes. Consequently, the malware activated automatically once developers downloaded dependencies or opened compromised projects inside coding environments. Researchers described the incident as one of the largest cross-platform supply chain attacks seen in 2026 because the same infrastructure operated across multiple programming ecosystems.

Attackers exploited trusted developer tools

SlowMist said the attackers used trusted developer services such as GitHub Pages, GitHub Gists, and webhook.site to disguise malicious traffic as normal coding activity. The malware reportedly stole SSH keys, browser session data, AWS credentials, crypto wallet files, and API tokens before sending the information to remote servers controlled by the attackers.

Researchers also found strong connections between the Python and npm versions of the malware through shared infrastructure linked to the domain ddjidd564.github.io. However, the Rust-based sample showed fewer similarities, even though it targeted many of the same crypto-focused developers.

According to SlowMist, the npm version appeared to be the most sophisticated part of the operation. Besides stealing credentials, the malware altered Git hooks, shell profiles, and files linked to AI coding assistants, including .cursorrules and CLAUDE.md. Researchers said the attackers also tried to spread malicious instructions through AI-assisted coding workflows using hidden zero-width characters and prompt injection methods.

AI coding assistants become a new security risk

Researchers warned that the campaign exposed growing risks for developers who increasingly depend on AI coding assistants in daily workflows. According to SlowMist, the malware carried hidden instructions designed to influence tools such as Cursor and Claude Code during future coding sessions, potentially allowing malicious behavior to spread beyond the initial infection.

The report said the attackers turned routine software package installations into long-term access points inside developer systems. Moreover, the malware quietly restored itself through shell scripts and Git-related operations without drawing attention from users.

SlowMist urged affected developers to rotate credentials immediately, remove compromised packages, and scan systems for indicators linked to the “P-2024-001” marker and associated domains. 

Also Read: HTX Says Frozen Funds Restored After “Technical Mishap” Sparks Chaos

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:BlockchainCrypto Hack
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

LAB Price Crashes 54% Again as ZachXBT Links $18.3M Token Dump to Team
LAB Price Crashes 54% Again as ZachXBT Links $18.3M Token Dump to Team
Crypto Stocks MSTR, COIN, HOOD Slide as Bitcoin Holds $64K While Altcoins DEXE & Zcash Surge
Crypto Stocks MSTR, COIN, HOOD Slide, Bitcoin Holds $64K While Altcoins DEXE & Zcash Surge
Crypto Loses $35M in a Week BonkDAO, Bonzo Lend, Summer.fi Hacked
Crypto Loses $35M in a Week: BonkDAO, Bonzo Lend, Summer.fi Hacked
110 Things More Dangerous Than Spam Saylor Says BIP-110 Could Invalidate Bitcoin Transactions
“110 Things More Dangerous Than Spam”: Saylor Says BIP-110 Could Invalidate Bitcoin Transactions
Pakistan's Top Islamic Scholar Rules Bitcoin, Ethereum, and USDT Haram
Pakistan’s Top Islamic Scholar Rules Bitcoin, Ethereum, and USDT Haram

Find Us on Socials

You may also like

Hedera's Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

Hedera’s Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

Blockchain Association Proposes 11 Crypto Reforms to CFTC

On-Chain Investigator Flags BNB Chain's CodexField as a Potential $85M Rug Pull

On-Chain Investigator Flags BNB Chain’s CodexField as a Potential $85M Rug Pull

Relay Warns of Scam Tokens Vanishing on Robinhood Chain

Relay Warns of Scam Tokens Vanishing on Robinhood Chain

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information