{"id":95548,"date":"2026-05-26T09:03:01","date_gmt":"2026-05-26T09:03:01","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=95548"},"modified":"2026-05-26T09:03:01","modified_gmt":"2026-05-26T09:03:01","slug":"crypto-developers-under-siege-as-trapdoor-malware-hits-supply-chain","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=95548","title":{"rendered":"Crypto Developers Under Siege As \u2018TrapDoor\u2019 Malware Hits Supply Chain"},"content":{"rendered":"
\n

The attackers behind TrapDoor<\/a> went after more than wallets and passwords \u2014 they embedded hidden instructions inside packages designed to manipulate AI coding assistants.<\/p>\n

According to security firm Socket, the goal was to trick tools like Claude and Cursor into running what appeared to be routine security scans, which would then quietly discover and send out secrets stored on a developer\u2019s machine.<\/p>\n

Socket, a developer security platform, detected<\/a> the campaign on Friday and published its findings on Sunday. Reports say the operation had already pushed out more than 34 malicious packages and 384 related versions by the time it was uncovered, with attackers continuing to release new updates across multiple software ecosystems.<\/p>\n

\n

\"\ud83d\udea8\" BREAKING: Active supply chain attack across npm, PyPI, and Crates.\u200bio.<\/p>\n

Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.<\/p>\n

TrapDoor targets\u2026 pic.twitter.com\/0CI758NJ6T<\/a><\/p>\n

\u2014 Socket (@SocketSecurity) May 24, 2026<\/a><\/p>\n<\/blockquote>\n

Wallets, Keys, And Cloud Credentials All At Risk<\/h2>\n

The malware<\/a> cast a wide net. Socket said TrapDoor was built to steal data from several major crypto wallets \u2014 Coinbase, Binance, Solana, Sui, Aptos, and MetaMask \u2014 as well as the Brave browser. Beyond wallet data, the malware also went after SSH keys, cloud credentials, GitHub tokens, browser extension data, and API keys.<\/p>\n

\n

\"\ud83d\udea8\" TrapDoor supply chain attack hits npm, PyPI, and Crates-io.https:\/\/t.co\/Q4ZUsUnZWY<\/a><\/p>\n

34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.<\/p>\n

The malware\u2026 pic.twitter.com\/GJKcgUK9RK<\/a><\/p>\n

\u2014 The Hacker News (@TheHackersNews) May 25, 2026<\/a><\/p>\n<\/blockquote>\n

The campaign spread across three major developer package repositories: npm, which serves JavaScript and Node.js developers; PyPI, used widely in Python, data science, and automation work; and Crates, the package hub for Rust developers.<\/p>\n

Package names were chosen carefully to look like standard tools \u2014 development helpers, project setup utilities, prompt engineering packages, and Solidity or Sui build helpers \u2014 making them easy to overlook during a routine install.<\/p>\n

<\/p>\n

Socket\u2019s chief technology officer Ahmad Nassri said on Sunday that the GitHub activity tied to the campaign showed signs of AI-assisted development, pointing to broad security-themed templates, generic lure repositories, and a mix of partially built extraction ideas alongside working malware components.<\/p>\n

\"\"<\/p>\n

Signs Of A Larger, Coordinated Operation<\/h2>\n

The timing of the campaign raised questions given that GitHub had reported unauthorized access to its internal repositories on May 20, just days before TrapDoor was detected. That breach followed the compromise of an employee\u2019s device, according to reports.<\/p>\n

Socket described TrapDoor as a coordinated attack aimed squarely at crypto, decentralized finance, AI, and security developers \u2014 communities where sensitive credentials and wallet access are common.<\/p>\n

The campaign gave attackers broad reach precisely because the targeted developer communities often work across the same tools and ecosystems.<\/p>\n

Featured image from Unsplash, chart from TradingView<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

The attackers behind TrapDoor went after more than wallets and passwords \u2014 they embedded hidden instructions inside packages designed to manipulate AI coding assistants. According to security firm Socket, the goal was to trick tools like Claude and Cursor into running what appeared to be routine security scans, which would then quietly discover and send […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-95548","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/95548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=95548"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/95548\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=95548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=95548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=95548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}