
TrapDoor Malware Targets Crypto and AI Developers in Supply Chain Attack
A newly discovered malware campaign called “TrapDoor” is targeting crypto and artificial intelligence developers through malicious software packages designed to steal sensitive data and digital assets.

Developer security platform Socket said the attack was identified on May 23 and has already spread through more than 34 malicious packages and 384 related versions. Researchers say attackers are continuously updating the malware to avoid detection and expand its reach.
TrapDoor mainly targets developers working in cryptocurrency, decentralized finance, artificial intelligence, and cybersecurity projects. According to Socket, the malware is designed to steal crypto wallet data, Secure Shell (SSH) keys, cloud credentials, GitHub access tokens, browser extension data, and API keys.
Crypto Wallets and AI Coding Tools at Risk
The malware reportedly targets widely used crypto wallets and platforms, including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask, while also affecting the Brave browser.
Researchers said TrapDoor also injects hidden commands into AI coding assistants such as Claude and Cursor. The malware appears designed to trick developers into running fake “security scans” that secretly expose credentials and sensitive information.
Supply Chain Attack Spreads Through Popular Developer Platforms
TrapDoor has been found on npm for JavaScript developers, PyPI for Python users, and Crates for Rust developers. Attackers reportedly disguised harmful packages as useful development tools, project helpers, Solidity software, and blockchain-related utilities.
Security experts warned that crypto and AI developers are becoming major targets as attackers increasingly exploit trusted software ecosystems to distribute malware.
About the author

8+ years covering crypto markets, macro, and geopolitics. Previously at Decrypt and CoinDesk. Focused on the intersection of digital assets and traditional finance.


