A new cryptocurrency theft campaign is targeting developers most likely to have wallet keys, cloud credentials, and production access on their machines.
Researchers at security firm Socket said earlier this week they identified a supply chain attack called TrapDoor, spread across three major open source programming registries, with more than 34 malicious packages and hundreds of associated versions and artifacts.
The key point is that attackers are becoming increasingly selective about whom they target. Alongside social engineering, which goes after individuals holding key information, supply chain attacks like this one are designed to catch not random retail users but developers: the people who may have wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machine they use to build crypto and AI tools.
Socket did not identify the victims or the stolen funds, but said the packages were available on npm, PyPI and Crates.io and contained payloads that could steal wallet data, exfiltrate credentials, test AWS and GitHub tokens and leave files to maintain active access.
Packages written in JavaScript, Python, and Rust were disguised as developer aids, security scanners, wallet tools, Solidity utilities, AI prompt packages, and Sui or Move build aids.
Boring by design
The names were boring by design. The packages were named “wallet-security-checker”, “defi-risk-scanner”, “solidity-build-guard”, “move-compiler-tools” and “llm-context-compressor”, looking like the kind of small utilities a crypto or AI developer might install without much thought.
Once installed, however, the payloads went after far more than the package's own data.
In npm packages, the malware searched a developer’s machine for private keys, passwords, GitHub tokens, and cloud logins. It also tested some stolen credentials, attempted to move to other systems via SSH keys, and left behind files that could keep the infection active.
SSH keys are connection files that developers use to access servers, code repositories, and other machines. If stolen, they can allow an attacker to move from a compromised laptop into a company’s broader infrastructure.
The attack also uses files such as .cursorrules and claude.md, which allow developers to give project-specific instructions to AI coding tools. Socket said the campaign implanted hidden instructions using zero-width Unicode characters, apparently trying to get future AI assistant sessions to run fake “security scans” that collected and exfiltrated secrets.
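Because zero-width characters render as nothing in most editors and code review views, the practical defensive check is to scan AI instruction files for them before they are committed or read by a tool. The following scanner is an added example written for this article; it is not code from Socket or from the campaign, and the `.cursorrules` content it scans is a constructed sample. It flags every Unicode format character (category `Cf`, which includes the zero-width space, joiner and non-joiner, word joiner and the BOM), reports where each one sits, and can return a cleaned copy of the text.

```python
import unicodedata
from pathlib import Path
from typing import List, NamedTuple

# Named zero-width characters most commonly used to hide text; anything else in
# the Unicode "Cf" (format) category is also reported, since none of it belongs
# in a plain-text instruction file.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}


class Finding(NamedTuple):
    line: int       # 1-based line number
    column: int     # 1-based character offset within the line
    codepoint: str  # e.g. "U+200B"
    name: str       # Unicode character name


def is_hidden(ch: str) -> bool:
    """True for zero-width / invisible format characters."""
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def find_hidden_chars(text: str) -> List[Finding]:
    """Locate every invisible format character in a rule or prompt file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                name = ZERO_WIDTH.get(ch) or unicodedata.name(ch, "UNKNOWN")
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def strip_hidden_chars(text: str) -> str:
    """Return the text with all invisible format characters removed."""
    return "".join(ch for ch in text if not is_hidden(ch))


def scan_file(path: str) -> List[Finding]:
    """Scan a file such as .cursorrules or CLAUDE.md on disk."""
    return find_hidden_chars(Path(path).read_text(encoding="utf-8"))


# Constructed sample: a plausible rules file with four zero-width characters
# appended to the third line, invisible in an editor but present in the bytes.
SAMPLE_CURSORRULES = (
    "# Project conventions\n"
    "Use 4-space indentation.\n"
    "Run the test suite before committing.\u200b\u200c\u200b\u200d\n"
    "Prefer explicit imports.\n"
)

if __name__ == "__main__":
    for f in find_hidden_chars(SAMPLE_CURSORRULES):
        print(f"line {f.line} col {f.column}: {f.codepoint} {f.name}")
```

Running it as a pre-commit hook over `.cursorrules`, `CLAUDE.md` and similar files gives a simple, high-signal gate: legitimate instruction files have no reason to contain format characters at all, so any finding is worth a human look rather than an automatic strip.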
This turned the attack from a conventional stealer package into something closer to malware aimed at the development environment itself. Installing the package is only the first step; the real target is the workstation: wallets, repositories, browser data, cloud keys, SSH access, and whatever else the AI coding tools will read next.
Rust packages used malicious build.rs scripts that run during compilation, targeting Sui and Move developers. PyPI packages executed JavaScript remotely at import time. Packages on npm used post-install hooks.
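Each of the three ecosystems gives a package a way to run code before the developer ever calls into it, and those entry points are what a pre-install review should inspect. The audit script below is an added example written for this article, not tooling from Socket or any registry; the package trees it checks are constructed in a temporary directory, and the Python check is a deliberately coarse keyword heuristic (package names such as `demo-scanner` are placeholders). It reports npm lifecycle scripts that fire on `npm install`, a Cargo build script (declared via `build = "..."` or implied by a `build.rs` file), and Python source that references process or network calls that could run at import.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers for code able to spawn processes or reach the network at
# import time. Coarse by design: a hit means "read this file", not "malicious".
PY_IMPORT_MARKERS = ("subprocess", "os.system", "urllib.request",
                     "requests.", "exec(", "eval(", "node ")


def npm_install_hooks(pkg_dir: Path) -> dict[str, str]:
    """Return the install-time lifecycle scripts declared in package.json."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return {}
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}


def cargo_build_script(crate_dir: Path) -> str | None:
    """Return the build script path a crate will compile and run, if any."""
    manifest = crate_dir / "Cargo.toml"
    if not manifest.is_file():
        return None
    text = manifest.read_text(encoding="utf-8")
    # `build = "path"` names a script explicitly; `build = false` disables the
    # default; otherwise a build.rs next to Cargo.toml is picked up implicitly.
    m = re.search(r'^\s*build\s*=\s*(false|"([^"]*)")', text, re.MULTILINE)
    if m:
        return None if m.group(1) == "false" else m.group(2)
    return "build.rs" if (crate_dir / "build.rs").is_file() else None


def python_import_time_hints(pkg_dir: Path) -> dict[str, list[str]]:
    """Map each .py file to the marker strings it contains (heuristic)."""
    hits: dict[str, list[str]] = {}
    for py in sorted(pkg_dir.rglob("*.py")):
        src = py.read_text(encoding="utf-8", errors="replace")
        found = [marker for marker in PY_IMPORT_MARKERS if marker in src]
        if found:
            hits[str(py.relative_to(pkg_dir))] = found
    return hits


def audit_package(pkg_dir) -> dict:
    """Run all three checks against one unpacked package directory."""
    pkg_dir = Path(pkg_dir)
    return {
        "npm_install_hooks": npm_install_hooks(pkg_dir),
        "cargo_build_script": cargo_build_script(pkg_dir),
        "python_import_time_hints": python_import_time_hints(pkg_dir),
    }


def build_demo_tree() -> Path:
    """Create constructed sample packages (placeholder names) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-demo-"))
    npm = root / "npm-pkg"
    npm.mkdir()
    (npm / "package.json").write_text(json.dumps({
        "name": "demo-scanner", "version": "0.0.1",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }))
    crate = root / "rust-crate"
    crate.mkdir()
    (crate / "Cargo.toml").write_text('[package]\nname = "demo-build-tools"\nversion = "0.1.0"\n')
    (crate / "build.rs").write_text("fn main() {}\n")  # implicit build script
    py = root / "py-pkg"
    py.mkdir()
    (py / "__init__.py").write_text("import subprocess  # runs on import\n")
    clean = root / "clean-pkg"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "clean", "scripts": {"test": "jest"}}))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for sub in sorted(p for p in root.iterdir() if p.is_dir()):
        print(sub.name, audit_package(sub))
```

The point of running this against an unpacked tarball or crate before installation is that all three entry points are visible statically: a `postinstall` line, a `build.rs` file, or an import-time `subprocess` call shows up in the manifest or source regardless of what the package claims to do. In practice this sits alongside registry-level scanning, and `npm install --ignore-scripts` or a sandboxed build environment limits what an install hook can reach even when review misses it.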
Socket said it reported the packages to the relevant registries and classified the campaign's packages as malicious. The company also warned that the attacker opened pull requests to AI and developer projects, attempting to add .cursorrules and CLAUDE.md files via normal open source contribution paths.