TrapDoor Malware Targets Crypto Developers in Supply Chain Attack
MAXBIT
Last updated: May 26, 2026
A new malware campaign, "TrapDoor," is targeting developers working on blockchain platforms like Aptos, Sui, and Solana. It uses fake open-source packages across npm, PyPI, and Crates.io to steal sensitive developer credentials. The campaign also shows evidence of using AI-assisted techniques for creating lures and potentially manipulating AI coding assistants.
- The TrapDoor campaign has distributed over 34 malicious packages with more than 384 malicious versions between them, disguised as common development tools for blockchain, DeFi, and AI.
- The primary objective of the malware is to steal valuable credentials, including SSH keys, crypto wallet seed phrases, GitHub tokens, AWS access, browser secrets, and API keys.
- Attackers specifically target developers due to their machines' direct access to high-value assets like production systems, smart contracts, and treasury wallets.
- Evidence suggests attackers used AI to generate fake lure repositories and documentation, and attempted prompt injection attacks against AI coding assistants such as Claude and Cursor.
- The campaign represents a growing trend of supply chain attacks combined with AI-assisted tactics, enabling attackers to operate faster and create more convincing malicious tools.
- Security firms recommend developers rigorously review dependencies, avoid unverified packages, monitor system activity, and rotate credentials if exposure is suspected.
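One way to act on the "monitor system activity" recommendation, as an added example that is not from the article or any named security firm: correlate file-access audit events with the install tooling of the ecosystems named above (npm, pip, cargo) and flag a process that reads the credential classes TrapDoor is reported to steal. The audit line format, the credential paths, and the process names are assumptions, and the sample events are constructed.

```python
"""Flag package-manager processes that read developer credential stores."""
import re
from collections import defaultdict

# Assumed credential locations, grouped by the asset classes the campaign targets.
SENSITIVE_PATHS = {
    "ssh_key":        [r"/\.ssh/id_[a-z0-9]+$"],
    "aws_access":     [r"/\.aws/credentials$"],
    "github_token":   [r"/\.config/gh/hosts\.yml$", r"/\.git-credentials$"],
    "wallet_seed":    [r"/\.config/solana/id\.json$", r"/\.aptos/config\.yaml$",
                       r"/\.sui/sui_config/"],
    "browser_secret": [r"/\.config/google-chrome/.*/Login Data$",
                       r"/\.mozilla/firefox/.*/logins\.json$"],
}
# Install/build processes that have no business opening the paths above.
# Assumed set; adjust to the tooling actually present on the host.
PACKAGE_MANAGERS = {"npm", "node", "pip", "pip3", "cargo", "build-script-build"}

# Assumed audit line format: "<timestamp> <pid> <process> <syscall> <path>"
LINE = re.compile(r"^(\S+) (\d+) (\S+) (open|openat|read) (.+)$")

def classify_path(path):
    """Return the credential class a path belongs to, or None if it is not sensitive."""
    for label, patterns in SENSITIVE_PATHS.items():
        if any(re.search(p, path) for p in patterns):
            return label
    return None

def detect(lines):
    """Map pid -> {"proc", "hits"} for package-manager processes touching credentials."""
    findings = defaultdict(lambda: {"proc": None, "hits": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # skip lines that do not fit the assumed format
        _ts, pid, comm, _syscall, path = m.groups()
        label = classify_path(path)
        if label and comm in PACKAGE_MANAGERS:
            findings[pid]["proc"] = comm
            findings[pid]["hits"].add(label)
    return {pid: {"proc": f["proc"], "hits": sorted(f["hits"])} for pid, f in findings.items()}

# Constructed sample: an npm install step and a pip step read credentials;
# the ssh client and cargo reading its own lockfile are benign and must not fire.
SAMPLE_EVENTS = [
    "2026-05-26T10:00:01Z 4120 node openat /home/dev/.ssh/id_ed25519",
    "2026-05-26T10:00:01Z 4120 node openat /home/dev/.config/solana/id.json",
    "2026-05-26T10:00:02Z 4120 node openat /home/dev/.aws/credentials",
    "2026-05-26T10:00:03Z 4131 ssh openat /home/dev/.ssh/id_ed25519",
    "2026-05-26T10:00:04Z 4140 cargo read /home/dev/project/Cargo.lock",
    "2026-05-26T10:00:05Z 4152 pip openat /home/dev/.git-credentials",
]

if __name__ == "__main__":
    for pid, f in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({f['proc']}) read: {', '.join(f['hits'])}")
```

A real deployment would feed this from auditd or eBPF file-open events and alert on the first hit, then treat every credential class listed as exposed and rotate it.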