A new cryptocurrency theft campaign targets developers who likely have wallet keys, cloud credentials, and production access on their machines. Researchers at security firm Socket reported earlier this week that they had identified a supply chain attack called TrapDoor that was spreading across three major open source programming registries. The attack includes more than 34 malware packages with hundreds of versions and associated artifacts.
What you have to remember is that attackers are becoming more and more concentrated. Beyond social engineering that targets individuals with key information, supply chain attacks are not designed to catch random retail users but developers. These are precisely the people who can have wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machine they use to build crypto and AI tools.
Socket has not identified specific victims or stolen funds. But the company said the packages are available on npm, PyPI and Crates.io. These packages contained payloads capable of stealing wallet data, exfiltrating credentials, testing AWS and GitHub tokens, and leaving files to maintain active access.
Boring by design
The packages were programmed in JavaScript, Python and Rust. They were disguised as developer aids, security scanners, wallet tools, Solidity utilities, AI prompt packages, and Sui or Move build aids. The names were intentionally boring: “wallet-security-checker”, “defi-risk-scanner”, “solidity-build-guard”, “move-compiler-tools” and “llm-context-compressor”. It looked like the kind of little utility a crypto or AI developer might install without much thought.
However, once installed, the payloads attempted to extract much more than package data. In npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens, and cloud logins. It also tested some stolen credentials, attempted to move to other systems via SSH keys, and left behind files that could keep the infection active.
SSH keys are login files that developers use to access servers, code repositories, and other machines. If stolen, they can allow an attacker to move from a compromised laptop into a company’s broader infrastructure.
AI tools as attack vectors
The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign implemented hidden instructions using zero-width Unicode characters. These appear to be trying to get future AI assistant sessions to run fake “security scans” that collect and exfiltrate secrets.
This transformed the attack from a normal packet stealer into something closer to malware aimed at the development environment. Installing the package is just the first step. The real target is the desktop: wallets, repositories, browser data, cloud keys, SSH access, and whatever else the AI coding tools will read next.
Rust packages used malicious build.rs scripts to run during compilation, targeting Sui and Move developers. PyPI packages executed JavaScript remotely during import. Packages on npm used post-installation hooks.
Socket said it reported the packages to relevant registries and classified the campaign packages as malicious. The company also warned that the attacker opened pull requests to AI and developer projects, attempting to add .cursorrules and CLAUDE.md files via normal open source contribution paths.
![]()



