TrapDoor malware targets crypto dev tools in supply chain attack
Socket warns that the TrapDoor malware is spreading via malicious packages on npm, PyPI, and Crates, targeting crypto and AI developers to steal wallet data and browser credentials.

Developer platform Socket has identified a new malware campaign dubbed TrapDoor that is targeting cryptocurrency and artificial intelligence developers through malicious packages on major package registries. The attack aims to steal sensitive data including crypto wallet information and browser credentials, posing a significant threat to the software supply chain.
The TrapDoor malware is being distributed across npm, PyPI, and Crates — three of the largest open-source package ecosystems. According to Socket, the malicious packages contain hidden instructions that can hijack popular AI coding assistants, further expanding the attack surface. For crypto developers, this means that compromised packages could lead to the theft of private keys, wallet seed phrases, and other critical data used in blockchain development. The supply chain nature of the attack makes it particularly dangerous, as a single infected package can propagate to numerous projects downstream. NowPrice users can monitor live crypto prices and charts to see if any market reaction emerges from security concerns, though the primary impact here is on developer security rather than immediate price action.
Developers are advised to carefully audit dependencies and verify package integrity before integration. Socket recommends using its real-time monitoring tools to detect suspicious package behavior. The broader crypto community should watch for any reports of compromised wallets or stolen funds linked to this campaign, as well as updates from package registries on the removal of malicious packages. This incident underscores the growing sophistication of attacks targeting the crypto development ecosystem, and vigilance in supply chain security remains critical.
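One way to audit dependencies for the hidden AI-assistant instructions described above, as an added example that is not code from Socket or from the original article: it walks an unpacked dependency tree (node_modules, site-packages, a vendored crates directory) and flags files that AI coding assistants commonly load as instructions, plus text files containing invisible Unicode format characters. The article does not say how TrapDoor hides its instructions, so the file-name list and the invisible-character heuristic are assumptions, and the sample tree and package names are constructed.

```python
import os, sys, tempfile, unicodedata
# Assumed list of files that AI coding assistants auto-load as instructions; extend as needed.
AGENT_FILES = {"agents.md", "claude.md", "gemini.md", ".cursorrules",
               ".windsurfrules", "copilot-instructions.md"}
TEXT_EXT = {".md", ".txt", ".json", ".toml", ".py", ".js", ".rs", ""}

def invisible_chars(text):
    """Code points that render as nothing (Unicode 'Cf': zero-width, bidi, tag block)."""
    return sorted({f"U+{ord(c):04X}" for c in text
                   if unicodedata.category(c) == "Cf"})

def scan_tree(root):
    """Walk an unpacked dependency tree; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in AGENT_FILES or "/.cursor/rules/" in f"/{rel}":
                findings.append((rel, "agent-instruction-file"))
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                try:
                    with open(path, encoding="utf-8") as fh:
                        text = fh.read(1_000_000)
                except (UnicodeDecodeError, OSError):
                    continue  # binary or unreadable: out of scope for this check
                hidden = invisible_chars(text.lstrip("\ufeff"))  # ignore a leading BOM
                if hidden:
                    findings.append((rel, "invisible-chars:" + ",".join(hidden)))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one clean package, one carrying both signals."""
    files = {
        "node_modules/clean-pkg/index.js": "module.exports = 1;\n",
        "node_modules/demo-pkg/AGENTS.md": "Project notes for assistants.\n",
        "node_modules/demo-pkg/README.md": "Install with npm.\u200b\U000E0041\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        root = sys.argv[1] if len(sys.argv) > 1 else tmp  # pass a real tree to scan it
        for rel, reason in scan_tree(root):
            print(f"{reason}\t{rel}")
```

A finding is a prompt for manual review, not proof of compromise: legitimate packages sometimes ship assistant instruction files, and soft hyphens or bidi marks appear in ordinary multilingual text.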