Solana, Sui and Aptos wallet data targeted in TrapDoor package attacks

A new crypto theft campaign is targeting the developers most likely to have wallet keys, cloud credentials and production access on their machines.

Researchers at security firm Socket said earlier this week that they had identified a supply chain attack called TrapDoor spread across three major open source package registries, with more than 34 malicious packages and hundreds of related versions and artifacts.

An important takeaway is that the attackers are becoming more focused. Alongside social engineering aimed at individuals who hold key information, these supply chain attacks are built to catch not random retail users but developers: the very people who may have wallet files, SSH keys, GitHub tokens, cloud credentials, and production access on the same machine they use to build crypto and AI tools.

Socket did not identify victims or stolen funds, but said the packages were live on npm, PyPI, and Crates.io and carried payloads that could steal wallet data, exfiltrate credentials, test AWS and GitHub tokens, and leave behind files to keep access active.

The packages, written in JavaScript, Python, and Rust, were disguised as developer helpers, security scanners, wallet tools, Solidity tools, AI prompt packages, and Sui or Move build helpers.

Boring by design

The names were boring by design. Packages were named “wallet-security-checker”, “defi-risk-scanner”, “solidity-build-guard”, “move-compiler-tools” and “llm-context-compressor”, which looked like the kind of little utilities a crypto or AI developer might install without much thought.

Once installed, however, the payloads went after far more than wallet data.

In the npm packages, the malware searched the developer's machine for private keys, passwords, GitHub tokens, and cloud logins. It also tested some of the stolen credentials, tried to move into other systems through SSH keys, and left behind files that could keep the infection active.

SSH keys are login files that developers use to access servers, code repositories, and other machines. If stolen, they can allow an attacker to move from a compromised laptop to a company’s wider infrastructure.

The attack also abused files such as .cursorrules and CLAUDE.md, which let developers give project-specific instructions to AI coding tools. Socket said the campaign planted hidden instructions using zero-width Unicode characters, apparently to trick future AI assistant sessions into running fake “security scans” that collected and exfiltrated secrets.
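As an added defensive example (not code from Socket or from the article), the following Python script scans a repository's AI-assistant instruction files for zero-width and other invisible Unicode characters of the kind used to hide instructions; the file names beyond .cursorrules and CLAUDE.md are assumed, and the embedded CLAUDE.md sample is constructed.

```python
import sys
import unicodedata
from pathlib import Path

# Project-instruction files read by AI coding assistants. .cursorrules and
# CLAUDE.md are named in the article; the other two are assumed additions.
INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md", "AGENTS.md", ".windsurfrules"}

# Explicit zero-width code points, plus anything Unicode classes as "Cf"
# (format), so bidi overrides and tag characters are caught as well.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\u2061", "\u2062",
              "\u2063", "\u2064", "\ufeff", "\u180e"}

def is_invisible(ch: str) -> bool:
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"

def find_invisible(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX NAME') for every invisible char in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"))
    return hits

def scan_repo(root: Path) -> dict[str, list[tuple[int, int, str]]]:
    """Map each instruction file under root to its hits (clean files are omitted)."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.name in INSTRUCTION_FILES:
            hits = find_invisible(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

# Constructed sample (not a real payload): a CLAUDE.md whose second line hides
# four zero-width characters inside an otherwise ordinary sentence.
SAMPLE_CLAUDE_MD = ("# Project notes\n"
                    "Run the linter before\u200b\u200c\u200d\u2060 committing.\n"
                    "Use 4-space indentation.\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_repo(Path(sys.argv[1]))
    else:
        results = {"CLAUDE.md": find_invisible(SAMPLE_CLAUDE_MD)}
    for fname, hits in results.items():
        for lineno, col, desc in hits:
            print(f"{fname}:{lineno}:{col}: {desc}")
    sys.exit(1 if any(results.values()) else 0)
```

Run with a repository path to scan it, or with no arguments to see the report for the constructed sample; a non-zero exit code makes it usable as a pre-commit or CI gate.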

This turned the campaign from an ordinary crypto-stealing package into something closer to developer-environment malware. Installing the package is only the first step; the real target is the workstation itself: wallets, repositories, browser data, cloud keys, SSH access, and the files that AI coding tools will read next.

The Rust packages used malicious build.rs scripts that ran during compilation, targeting Sui and Move developers. The PyPI packages executed external JavaScript on import, and the npm packages used postinstall hooks.

Socket said it reported the packages to the affected registries and classified the campaign's packages as malicious. The company also warned that the attacker opened pull requests against AI and developer projects, attempting to add .cursorrules and CLAUDE.md files through normal open source contribution paths.
