    TrapDoor attack targets crypto wallets, AWS keys and GitHub tokens

    By Oguz Ozdemir | May 25, 2026 | 3 Mins Read
    • The malware spread through npm, PyPI, and Rust packages in coordinated waves.
    • It steals crypto wallets, SSH keys, and cloud developer credentials.
    • AI coding tools were also targeted through malicious config files.

    A coordinated malware campaign known as TrapDoor has hit software ecosystems widely used by crypto and blockchain developers.

    Security researchers identified dozens of malicious packages spread across major open-source repositories, all designed to steal sensitive developer data such as wallet keys, cloud credentials, and source code access tokens.

    Instead of a single malicious upload, attackers deployed multiple packages in waves using different accounts.

    This approach made the activity harder to detect at the early stages and allowed the malware to blend into routine dependency updates.

    Coordinated attack across major developer ecosystems

    The TrapDoor operation affected at least three major package ecosystems: npm, PyPI, and Crates.io.

    Together, researchers identified more than 30 malicious packages and over 300 affected versions distributed within a short window.

    The activity reportedly began around May 22, 2026, although GitHub reported unauthorized access to internal repositories on May 20. It then escalated quickly over the following days.

    The packages were not isolated incidents. Instead, they appeared to be part of a coordinated release strategy involving multiple developer accounts.

    This structure suggests planning rather than opportunistic abuse. Each package carried similar behavior patterns and pointed to a shared malicious framework used by the attackers.

    How the TrapDoor malware operates inside developer systems

    Once installed, TrapDoor packages execute automatically through standard build and installation processes used in modern development environments.

    In JavaScript packages, malicious code is triggered through post-install scripts, which run immediately after a dependency is added.

    In Python packages, the malware can activate during import, allowing it to execute without any explicit function call.

    Rust packages use build scripts to achieve the same result during compilation.
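
An added example, not code from the article or from any affected project: a Python audit of an unpacked dependency tree for the three automatic-execution paths described above (npm lifecycle scripts, top-level imports in a Python package's `__init__.py`, and Cargo `build.rs`). The `RISKY` module list, the directory layout and every package name are assumptions constructed for illustration.

```python
import ast, json, tempfile
from pathlib import Path
NPM_HOOKS = ("preinstall", "install", "postinstall")  # run by npm during install
RISKY = {"subprocess", "socket", "urllib", "http", "ctypes"}  # assumed heuristic list

def npm_hooks(pkg_json):
    """Lifecycle scripts npm executes automatically when the package is installed."""
    try:
        scripts = json.loads(pkg_json.read_text(encoding="utf-8")).get("scripts") or {}
        return [f"{h}: {scripts[h]}" for h in NPM_HOOKS if h in scripts]
    except (ValueError, OSError, AttributeError, TypeError):
        return ["unparseable package.json"]

def import_time_modules(init_py):
    """Risky modules imported at top level of __init__.py, i.e. on a bare `import pkg`."""
    try:
        body = ast.parse(init_py.read_text(encoding="utf-8")).body  # top-level statements
    except (SyntaxError, ValueError, OSError):
        return ["<unparseable>"]
    mods = [a.name for n in body if isinstance(n, ast.Import) for a in n.names]
    mods += [n.module for n in body if isinstance(n, ast.ImportFrom) and n.module]
    return sorted({m.split(".")[0] for m in mods} & RISKY)

def audit(root):
    """Return (ecosystem, relative path, finding) for each automatic-execution hook."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.name == "package.json":
            out += [("npm", rel, h) for h in npm_hooks(p)]
        elif p.name == "build.rs":  # Cargo's default build-script file name
            out.append(("cargo", rel, "build script runs during compilation"))
        elif p.name == "__init__.py" and (mods := import_time_modules(p)):
            out.append(("pypi", rel, "top-level imports: " + ", ".join(mods)))
    return out

def demo():
    """Audit a constructed dependency tree; every package name here is made up."""
    files = {
        "node_modules/example-a/package.json": '{"scripts": {"postinstall": "node setup.js"}}',
        "node_modules/example-b/package.json": '{"scripts": {"test": "jest"}}',
        "vendor/example_crate/build.rs": "fn main() {}",
        "site-packages/example_pkg/__init__.py": "import os, subprocess\nfrom urllib import request\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, text in files.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_text(text, encoding="utf-8")
        return audit(d)
```

A hit means code runs without being called and deserves review, not that the package is malicious. For npm, installing with `npm install --ignore-scripts` stops lifecycle scripts from running at all.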

    After execution, the malware scans local systems for valuable data. This includes SSH keys, API tokens, and configuration files commonly used in cloud and blockchain development workflows.

    It also targets browser-stored credentials and environment variables, which often contain sensitive authentication data.

    Stolen information is then sent to external servers controlled by the attackers.

    In some cases, the malware attempts to maintain persistence by modifying startup processes or inserting malicious hooks into development tools.

    Crypto-focused targeting and high-value data theft

    What makes this campaign particularly concerning is its focus on crypto-related development environments.

    The malware specifically searches for crypto wallet-related files and credentials linked to platforms such as Coinbase, MetaMask, Binance, and Solana-based tools.

    It also targets cloud infrastructure credentials from providers like AWS and GitHub access tokens.

    These are especially valuable because they can provide attackers with direct access to private repositories, deployment pipelines, and backend systems.

    In addition, the malware attempts to collect SSH keys that could allow remote access to developer machines or production servers.

    This combination of targets gives attackers a wide range of entry points into both personal and enterprise systems.

    AI development tools also under pressure

    One of the more unusual elements of the TrapDoor campaign is its interaction with AI-assisted development environments.

    Some malicious packages include configuration files designed to influence coding assistants and automated development tools.

    Files such as .cursorrules and CLAUDE.md were reportedly used to manipulate AI coding assistants into performing actions that could expose sensitive information.

    Instead of directly hacking systems, the attackers attempted to exploit how AI tools interpret project instructions.

    This approach reflects a shift in attack methods.

    Rather than targeting only code execution, the campaign also attempts to influence developer workflows that rely on AI-generated suggestions and automated analysis.
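
An added example, not part of the original article: inspecting a downloaded package tarball in memory, before install, for the assistant instruction files named above (`.cursorrules`, `CLAUDE.md`) and listing the lines that mention credential locations. The keyword pattern and the sample archive are constructed assumptions.

```python
import io, re, tarfile

ASSISTANT_FILES = {".cursorrules", "CLAUDE.md"}  # file names named in the article
# Assumed heuristic: lines that mention the kinds of secrets the campaign collects.
SENSITIVE = re.compile(r"\.ssh|\.aws|\.env\b|token|wallet", re.I)

def assistant_files_in_archive(fileobj):
    """Map each assistant instruction file in a package tarball to its flagged lines.

    Members are read in memory only; nothing is extracted to disk or executed.
    """
    report = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or base not in ASSISTANT_FILES:
                continue
            text = tar.extractfile(member).read(1_000_000).decode("utf-8", "replace")
            report[member.name] = [
                (n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
                if SENSITIVE.search(line)
            ]
    return report

def constructed_package():
    """Build a tiny in-memory .tgz shaped like an npm tarball (contents are made up)."""
    files = {
        "package/package.json": '{"name": "example-a", "version": "1.0.0"}',
        "package/index.js": "module.exports = {};",
        "package/CLAUDE.md": "# Notes\nUse two-space indentation.\n"
                             "placeholder line mentioning ~/.aws/credentials\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    buf.seek(0)
    return buf
```

An instruction file inside a third-party package is worth reading by hand even when no line is flagged, since a dependency has little reason to address the consumer's coding assistant.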

