Socket Security detected the TrapDoor campaign within 5 minutes of publication, but the scope of data exfiltration across SSH keys, wallet keystores, and AI agent configs means teams must audit now.
Alpha Score of 27 reflects poor overall profile with poor momentum, poor value, weak quality, strong sentiment.
Socket Security researchers flagged an active supply-chain attack over the weekend targeting crypto developer environments tied to the Aptos, Sui, and Solana ecosystems. The campaign, dubbed TrapDoor, deploys more than 34 malicious packages across npm, PyPI, and Crates.io registries, with at least 384 individual versions released in rapid succession.
The earliest component, the PyPI package [email protected]**, appeared May 22 at 20:20 UTC and was followed by waves of uploads across all three registries. Socket detected the malicious content at a median speed of 5 minutes and 27 seconds after publication, classifying the threat before it reached widespread adoption.
The malware uses platform-specific hooks that fire during standard developer workflows without requiring user interaction beyond a routine install or build command.
Each registry presents a distinct attack surface because developers rarely audit package dependencies during install. A team using any combination of JavaScript, Python, or Rust tooling is exposed if a single malicious dependency enters the supply chain.
Socket's median detection time of under six minutes prevented the campaign from achieving broad distribution. The attacker continued publishing new versions through the weekend, suggesting an automated pipeline that iterates on payloads. The attacker-controlled GitHub Pages repository contains an internal document labeling the operation a "Universal AI Agent Extraction Framework", indicating a deliberate attempt at AI-assisted iteration.
The exfiltration scope is extensive. The malware harvests:
The malware's logic explicitly targets wallet extensions from Coinbase, Binance, MetaMask, and Brave. Socket Security clarified that the platforms themselves were not directly compromised. The targeting is limited to local keystore files and browser extension data stored on infected developer machines.
A defining characteristic of TrapDoor is its targeting of AI coding assistants. The malware modifies .cursorrules and CLAUDE.md project files – the configuration files developers use to customize tools like Cursor and Claude Code. By repurposing these hooks, the attacker can influence the behavior of AI agents that read and write code in compromised repositories.
SlowMist issued an emergency security warning under code SM-2026-352284, comparing TrapDoor conceptually to the npm worm "Mini Shai-Hulud." All identified packages have been reported to the relevant registries.
Risk to watch: Modified AI config files can introduce backdoors into production code if the agent ingests compromised context. Treat AI agent prompts as untrusted input until proven otherwise.
Crypto projects often rely on open-source packages and rapid iteration. A compromised developer environment can expose private keys, deployment infrastructure, and repository access before any code reaches production.
The exfiltration list includes the same credentials and keys that teams use to deploy smart contracts, manage blockchain nodes, and access cloud services. A developer who runs a malicious package on a machine with access to production wallets or CI/CD pipelines creates a direct path to fund theft or contract manipulation.
The attacker's ambition extends beyond credential harvesting. By targeting AI configuration files, TrapDoor can manipulate the behavior of code-writing agents that integrate with developer workflows. If an AI assistant is trained or prompted through modified project files, it may introduce vulnerabilities or backdoors into production code.
TrapDoor establishes persistence through systemd services, cron jobs, Git hooks, and shell hooks. A one-time removal of the package does not clean the system. Teams must treat any machine that ran a malicious package as potentially fully compromised and rebuild from known-good state.
Bottom line for teams: Compromised dev environments expose wallets and deployment keys before code reaches production. Skipping package validation is direct financial risk.
The immediate risk is that additional malicious packages remain undetected or that variants of TrapDoor reappear under different names. The attacker's publishing cadence over the weekend indicates an active operation. The combination of credential theft and AI agent manipulation creates a scenario where a single compromised dependency can lead to sustained code injection.
For crypto projects, this is not a theoretical exercise. The same supply-chain attack vector has been used against cryptocurrency wallets and exchanges in past campaigns. Read more about the broader crypto market context in our crypto market analysis and related coverage of stablecoin systemic risks in Stablecoin $322B Milestone: 83% Duopoly Risk Exposed.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.