Crypto2Community
HomeCrypto NewsReviewsGuidesGamblingTradingPress Release

Crypto 2 Community

  • About Us
  • Editorial Policy
  • Why Trust Us
  • Contact Us
  • Privacy Policy
  • Submit a Press Release

Cryptocurrency

  • Best Cryptos to Buy Now
  • Best Crypto Exchanges
  • How To Buy Cryptocurrency
  • Best Crypto Wallets
  • Best Altcoins to Buy

Gambling

  • Best Bitcoin Casinos
  • Best Ethereum Casinos
  • Best Crypto Live Casinos
  • Best Crypto Faucet Casinos
  • Provably Fair Bitcoin Casinos

Best Platforms

  • eToro Review
  • BC.Game Review
  • Jackbit Review
  • Metaspins Review
  • CryptoLeo Review

© 2026 Crypto2Community.com

CAUTION: The content presented on this platform is not intended as financial guidance, and we lack the authorization to offer investment advice. Any material found on this website should not be construed as an endorsement or recommendation of any specific trading strategy or investment decision. The information provided herein is of a general nature, and therefore it is essential to evaluate it in the context of your objectives, financial circumstances, and requirements.

Investment activities involve speculation and entail inherent risks to your capital. This website is not intended for utilization in jurisdictions where the described trading or investment activities are prohibited, and it should only be accessed by individuals who are legally permitted to do so. Depending on your country or state of residence, your investment may not be eligible for investor protection, hence it is advisable to conduct thorough research independently or seek appropriate guidance. While this website is accessible to you free of charge, please note that we may receive commissions from the companies featured on this site.

Disclosure: 18+ Rules regarding online gambling vary from country to country, please ensure you are following them and gamble responsibly. The content on this website is provided for entertainment purposes only. We may utilise affiliate links within our content, and receive commission.

Home/Crypto News
Crypto News

Socket Warns TrapDoor Malware Is Targeting Crypto Developers

Syed Ali Haider
Written bySyed Ali Haider
Crypto Writer
Fact checked byJoshua Downes
UpdatedMay 25, 2026
Our disclosure policy →
!

Cryptocurrency trading is speculative and your capital is at risk when you trade. We may earn affiliate commissions from some of the products on this page - at no extra cost to you.

ShareTweetShareLinkedIn
Socket Warns TrapDoor Malware Is Targeting Crypto Developers

Highlights:

  • Socket found TrapDoor malware targeting crypto developers through fake packages on major software registries.
  • The malware tried to steal wallet files, keys, tokens, cloud credentials, and developer secrets.
  • Attackers also tested hidden prompts to abuse AI coding tools inside developer projects.

Socket has found a new crypto-focused malware campaign targeting developers via fake open-source packages on npm, PyPI, and Crates.io. In a report published on Sunday, the Socket Research Team said the campaign, called TrapDoor, included more than 34 malicious packages and over 384 related versions and artifacts across the three software registries.

The attack mainly targeted developers working in crypto, decentralized finance, Solana, Sui, Move, artificial intelligence, and security projects. The packages looked like normal developer tools. Some appeared to offer wallet checks, Solidity deployment help, project setup, or security scanning. However, Socket said these packages were actually built to steal sensitive data from developer systems.

A supply chain attack like this can be dangerous because developers often trust package registries during normal work. If they install a malicious package, the malware can quietly search their computer for private files, passwords, keys, and wallet data.

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.​io.

Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.

TrapDoor targets… pic.twitter.com/0CI758NJ6T

— Socket (@SocketSecurity) May 24, 2026

TrapDoor Tried to Steal Wallets and Developer Secrets

Socket said TrapDoor searched for several types of sensitive data. These included SSH keys, GitHub tokens, Amazon Web Services credentials, browser data, wallet extension files, environment variables, API keys, and crypto wallet data.

The malware also targeted wallets linked to Sui, Solana, and Aptos. Stolen wallet files can put crypto funds at risk. Stolen GitHub tokens can expose private code. Cloud credentials can also give attackers access to online systems. This is why the campaign was not only a wallet threat, but also a wider developer security risk.

Socket said the first package it found was eth-security-auditor@0.1.0 on PyPI. It was uploaded on May 22 at 20:20:18 UTC. After that, the attacker pushed more packages across npm, PyPI, and Crates.io.

Malware Worked Differently on Each Platform

Socket said the npm packages used postinstall scripts. These scripts can run automatically after someone installs a package. In this campaign, the npm packages used that method to run a shared malware file called trap-core.js.

Socket described trap-core.js as a large credential-stealing tool. It scanned developer machines for secrets, tested stolen GitHub and Amazon Web Services credentials, and tried to keep access through several methods. These included Git hooks, shell hooks, cron jobs, systemd services, SSH movement, and project files such as .cursorrules and CLAUDE.md.

The PyPI packages used another method. Socket said they ran remote JavaScript when imported. This allowed the attacker to change the harmful code from an outside server without uploading a new package version.

The Crates.io packages targeted Rust developers working with Sui and Move. These packages used malicious build.rs scripts. These scripts can run during the build process. Socket said they searched for local keystores, encrypted the stolen data, and sent it to GitHub Gists.

Attackers Also Tried to Abuse AI Coding Tools

TrapDoor also showed a new risk for AI-assisted coding. Socket said the attacker used files such as .cursorrules and CLAUDE.md to add hidden instructions for AI coding assistants. Developers often use these files to guide AI tools inside a project.

Socket said the attacker tried to make AI tools run fake security checks that could help find and steal secrets. The method may not work in every tool, but it shows that attackers are now testing ways to abuse AI development workflows.

Socket also linked the campaign to the GitHub account ddjidd564. The account opened pull requests to several AI and developer projects, including LangChain, Langflow, LlamaIndex, MetaGPT, and OpenHands. These pull requests tried to add AI-related project files under normal-looking names.

Socket said it marked all identified TrapDoor packages as malicious and reported them to the affected registries. The company also said it continues to track related packages, versions, and infrastructure connected to the campaign.

eToro Platform

Best Crypto Exchange

  • Over 90 top cryptos to trade
  • Regulated by top-tier entities
  • User-friendly trading app
  • 30+ million users
9.9

5 Stars

Visit eToro

eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.

Tags

AICryptoDevelopersHackMalwareSocketTrapDoorWallets
Syed Ali Haider
Crypto2CommunityContributor
Author

Syed Ali Haider

Ali Haider is a contributing crypto writer at Crypto2Community. He is a crypto and blockchain journalist with over six years of experience and has long advocated for digital freedom and cybersecurity. Haider has been featured in several high-profile crypto and finance outlets, including Coincult, AltcoinBeacon, BTCRead, and more.

View full profile →
i
How we work

About Crypto2Community's Editorial Process

Crypto2Community's editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict editorial policy and sourcing standards, and each page undergoes diligent review by our team of top crypto industry experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.

More by this author

  • Ethereum Price Forecast – Bears Eye $1,564 Support as Bitcoin Weakness Weighs on ETH
  • Strategy Lifts USD Reserve to $3 Billion After $467M Stock Sale
  • BitMine Adds 27,801 Ethereum, Pushing Holdings to 4.8% of ETH Supply
Continue reading

Related Articles

Ethereum Price Forecast – Bears Eye $1,564 Support as Bitcoin Weakness Weighs on ETHCrypto News
Ethereum Price Forecast – Bears Eye $1,564 Support as Bitcoin Weakness Weighs on ETH
Crypto News25 minutes ago
Syed Ali Haider
By Syed Ali Haider7/13/2026
Strategy Lifts USD Reserve to $3 Billion After $467M Stock SaleCrypto News
Strategy Lifts USD Reserve to $3 Billion After $467M Stock Sale
Crypto News49 minutes ago
Raymond Munene
By Raymond Munene7/13/2026
BitMine Adds 27,801 Ethereum, Pushing Holdings to 4.8% of ETH SupplyCrypto News
BitMine Adds 27,801 Ethereum, Pushing Holdings to 4.8% of ETH Supply
Crypto News1 hours ago
Syed Ali Haider
By Syed Ali Haider7/13/2026

Popular Topics

  • Sei Price Prediction 2025, 2030, 2040
  • Uniswap Price Prediction 2025, 2030, 2040
  • Near Protocol Price Prediction 2025, 2030, 2040
  • Loopring Price Prediction 2025, 2030, 2040
  • Chainlink Price Prediction 2025, 2030, 2040

Trending News

  • Strategy Lifts USD Reserve to $3 Billion After $467M Stock Sale
  • Ethereum Price Forecast – Bears Eye $1,564 Support as Bitcoin Weakness Weighs on ETH
  • BitMine Adds 27,801 Ethereum, Pushing Holdings to 4.8% of ETH Supply
  • Chinese Prosecutors Propose Stricter Scrutiny of Privacy Coins and Crypto Mixers
  • Bitcoin Price Prediction – BTC Targets $58K Support as Liquidations Accelerate
  • Lawson to Test Yen Stablecoin Payments at Convenience Stores in Japan
  • Ripple Backs UK Plan to Move Tokenized Wholesale Markets Into Live Trading
  • Crypto Weekly Market Wrap July 13 – ETF Flows, Regulation, Security Breaches, and Institutional Moves
  • Best Cryptocurrencies to Invest in Today, July 13 – Ethereum, Solana, XRP
  • SBI Group to Launch JPYSC Stablecoin Lending Service With 3% Annual Yield This Month
  • Tom Lee Predicts Bitcoin Above $100K and Ethereum Above $5K by Year-End
  • Fidelity Says Bitcoin May Be Entering a Key Accumulation Zone
  • Singapore Police and Crypto Exchanges Prevent $4.2 Million in Potential Scam Losses
  • Michael Saylor and Adam Back Warn Against Bitcoin’s BIP 110 Proposal
  • Suspected Hedera Network Exploit Sends Over $5.8M to Ethereum
  • IMF Paper Warns Stablecoins Could Fuel Currency Runs During Market Stress
  • Bitcoin ETFs End Eight-Week Slide with $197 Million Inflow 
  • Best Memecoins to Invest in Today, July 11 – PEPE, FLOKI, SHIB
  • USDT on TRON Climbs to Record $90.3B Despite Broader Stablecoin Decline
  • XRP Ledger Activity Falls to 2026 Lows as Interest in XRP Drops