What is the TrapDoor malware campaign?

TrapDoor is a malware campaign identified by Socket that targets crypto, AI, and cybersecurity developers through malicious software packages. The malware is designed to steal wallet data, credentials, API keys, and other sensitive developer information.

How does TrapDoor infect crypto and AI developers?

The attackers reportedly disguise malicious packages as useful developer tools, AI utilities, Solidity helpers, and blockchain build software. Developers may unknowingly install these infected packages through ecosystems like npm, PyPI, or Rust Crates during normal coding workflows.

Why are crypto developers increasingly targeted by malware campaigns?

Crypto developers often store wallet credentials, API keys, cloud access tokens, and deployment permissions on their systems. Attackers know compromising a developer environment can potentially provide access to funds, smart contracts, or sensitive infrastructure.

What are npm, PyPI, and Crates?

npm is a package manager for JavaScript developers, PyPI is the package ecosystem for Python developers, and Crates is used by Rust developers. These platforms help developers install coding libraries quickly but can also become targets for supply chain attacks.

How does TrapDoor target AI coding assistants?

Socket said the malware injects hidden instructions aimed at AI coding tools such as Claude and Cursor. The attackers allegedly try to manipulate AI assistants into running fake “security scans” that expose sensitive credentials or private data.

Why is AI-assisted malware becoming a bigger cybersecurity risk?

Security researchers increasingly believe attackers are using AI to rapidly create, test, and distribute malware. Socket said the TrapDoor campaign showed signs of fast AI-assisted iteration across GitHub repositories and malicious package deployments.

What data can TrapDoor steal from developers?

The malware reportedly targets crypto wallet data, SSH keys, GitHub tokens, browser extension information, cloud credentials, and API keys. These assets can potentially provide attackers with access to infrastructure, accounts, or digital funds.

Image for illustrative purposes only. Not a real photo.

TrapDoor malware hits crypto and AI developer tools

Q: Which crypto platforms and wallets were targeted by TrapDoor?

Socket said the malware targeted wallets and platforms including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask.

Written by Isaac FrancisPublished May. 25 2026

Security platform Socket said it uncovered a malware campaign called TrapDoor targeting crypto, DeFi, artificial intelligence, and cybersecurity developers through poisoned software packages.

Socket said attackers deployed more than 34 malicious packages and 384 related versions across popular developer ecosystems including npm, PyPI, and Rust’s Crates repository in an effort to steal credentials, wallet data, and cloud access keys.

“The goal appears to be to trick AI assistants into running a ‘security scan’ or similar workflow that causes secret discovery and exfiltration,”

Socket stated.

The malware reportedly targeted crypto wallets and platforms including Coinbase, Binance, Solana, Sui, Aptos, and MetaMask alongside browser and cloud credentials.

Socket chief technology officer Ahmad Nassri said the malware also injected hidden instructions designed to hijack AI coding assistants including Claude and Cursor by manipulating automated security workflows.

The campaign reportedly disguised malicious packages as development helpers, Solidity tooling, AI utilities, and blockchain build tools to increase the likelihood developers would unknowingly install infected software during routine workflows.

The findings came days after GitHub disclosed unauthorised access to internal repositories following the compromise of an employee device, with Socket suggesting the broader campaign showed signs of rapid AI-assisted malware development and deployment.