Loading prices…
🩸BEARISH

TrapDoor Attack Plants 34+ Malicious Packages in npm, PyPI,

The real target isn't a developer's wallet file — it's the workstation, where SSH keys, AWS credentials, GitHub tokens and live AI coding sessions all sit on the same machine.

TrapDoor Attack Plants 34+ Malicious Packages in npm, PyPI,
TrapDoor Attack Plants 34+ Malicious Packages in npm, PyPI,
TrapDoor Attack Plants 34+ Malicious Packages in npm, PyPI,
TrapDoor Attack Plants 34+ Malicious Packages in npm, PyPI,

Researchers at security firm Socket disclosed a supply-chain campaign called TrapDoor this week, identifying more than 34 malicious packages spread across npm, PyPI and Crates.io, with hundreds of related versions and artifacts. The packages were disguised as mundane developer tooling — names like "wallet-security-checker," "defi-risk-scanner," "solidity-build-guard" and "move-compiler-tools" — and were specifically themed to attract Solana, Sui, Aptos, DeFi, AI and security developers holding real credentials on their build machines.

Once installed, payloads ran across the three ecosystems in different ways: Rust packages used malicious build.rs scripts to execute during compilation, targeting Sui and Move developers; PyPI packages executed remote JavaScript on import; npm packages used postinstall hooks. The malware searched developer machines for private keys, wallet files, GitHub tokens, AWS credentials and SSH keys, tested stolen credentials, and dropped files designed to keep access active for follow-on movement into company infrastructure.

Why it matters

Supply-chain attacks are built to catch the people most likely to hold the keys, not random retail users. The TrapDoor packages were themed to crypto and AI engineers specifically because those developers tend to have wallet files, SSH keys, GitHub tokens, cloud credentials and production access sitting on the same machine they use to build. Stolen SSH keys in particular can let an attacker pivot from a single compromised laptop into a company's wider infrastructure.

The campaign also abused AI configuration files such as .cursorrules and CLAUDE.md, planting hidden instructions using zero-width Unicode characters. The aim was to make future AI coding assistant sessions run fake "security scans" that collected and exfiltrated secrets — turning a package stealer into developer-environment malware where the package install is only the first step.

Market impact

Socket said it reported the packages to the affected registries and classified the campaign as malicious, but did not name identified victims or stolen funds.

Related tokens
$SOL $APT $SUI

Frequently asked questions

  1. What is the TrapDoor supply-chain attack?

    TrapDoor is a supply-chain campaign disclosed by security firm Socket that planted more than 34 malicious packages across npm, PyPI and Crates.io, disguised as developer utilities themed to crypto, DeFi, AI and security tooling.

  2. What did the TrapDoor packages actually steal?

    The packages searched developer machines for wallet files, private keys, SSH keys, GitHub tokens, AWS credentials and browser data, tested stolen credentials against live services, and dropped persistence files for follow-on access.

  3. How did the packages target Solana, Sui and Aptos developers specifically?

    Package names were chosen to look like routine tooling those developers might install — "solidity-build-guard," "move-compiler-tools" and similar — while the Rust payloads used malicious build.rs scripts that ran during compilation to target Sui and Move workflows.

  4. What is the .cursorrules and CLAUDE.md angle in the TrapDoor attack?

    Attackers planted hidden instructions inside AI configuration files using zero-width Unicode characters, aiming to make future AI coding assistant sessions run fake "security scans" that exfiltrated secrets from the developer's environment.

  5. Has anyone confirmed losses from the TrapDoor campaign?

    Socket said it reported the packages to the affected registries and classified them as malicious, but did not name specific victims or quantify stolen funds. The attacker also opened pull requests against AI and developer projects to widen distribution through normal open-source contribution paths.

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 48d ago
Open original →