# Socket Flags 'TrapDoor' Campaign Stealing Crypto Wallets and Cloud Credentials Across npm, PyPI, and Crates.io

**Source:** https://glitchwire.com/news/socket-flags-trapdoor-campaign-stealing-crypto-wallets-and-cloud-credentials-acr/  
**Published:** 2026-05-24T15:45:30.275Z  
**Author:** Security Desk · Glitchwire  
**Categories:** Security, AI

## Summary

The supply chain security firm says it detected malicious packages within minutes of publication, as attackers target developers working on cryptocurrency, DeFi, and AI projects.

## Article

Socket, the supply chain security firm, has disclosed what it calls TrapDoor, an active campaign distributing credential-stealing malware across three major package registries: npm, PyPI, and Crates.io. According to the company's announcement, the operation spans 34 malicious packages and 384 versions and artifacts, with attackers pushing new releases in rapid succession.

The targets are specific: developers working in cryptocurrency, decentralized finance, AI, and security. The malware exfiltrates cryptocurrency wallets, SSH keys, cloud credentials, GitHub tokens, browser data, environment variables, and API keys. That target profile aligns with a pattern Socket and other researchers have tracked throughout 2026, where high-value developer environments have become a primary attack surface for financially motivated threat actors.

## Detection Speed as Differentiator

Socket claims a median detection time of 5 minutes and 27 seconds for releases in this campaign, with the fastest detection occurring just 58 seconds after publication. If accurate, that timeline matters. The challenge in supply chain attacks is the window between a malicious package going live and developers installing it. Even brief exposure can result in credential theft, and [Socket's model](https://socket.dev/) relies on behavioral analysis rather than waiting for known signatures.

The company is also flagging a secondary vector: pull requests attempting to add .cursorrules and CLAUDE.md files to popular AI and developer projects. These configuration files can instruct AI coding assistants on project-specific behavior. When poisoned, they could serve as persistent infection pathways, since the coding assistant of any developer who clones the repository and uses tools like Claude Code or Cursor would act on whatever instructions the attacker embedded.

## Broader Context

TrapDoor arrives during what security researchers have described as one of the most sustained periods of supply chain attacks on record. Since late April, the Mini Shai-Hulud campaign and related activity have compromised hundreds of packages across ecosystems, including high-profile projects like TanStack, Mistral AI, and SAP's Cloud Application Programming Model libraries. [The Hacker News reported](https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html) that Socket assessed the PyTorch Lightning compromise in late April as part of this broader wave.

The technical tradecraft is converging. Recent campaigns have used Bun-based JavaScript payloads, obfuscated with tens of thousands of encoded strings, that harvest credentials from over 80 different file paths. They target AI tool configuration files for Claude and Kiro MCP settings, cryptocurrency wallets across eleven platforms, messaging app data stores, and cloud metadata endpoints. StepSecurity has documented how these payloads drop persistence hooks into Claude Code settings.json files and VS Code task configurations, ensuring the malware re-executes whenever a developer opens a project.

## Why Developers Are the Target

The logic is straightforward. A compromised developer workstation can be worth more than a stolen hot wallet. It may contain cloud credentials, signing tokens, wallet configurations, seed phrase backups, and npm publish access. A single infected CI/CD pipeline can propagate malicious code to thousands of downstream users, as [Anthropic's Glasswing research](/news/anthropics-glasswing-has-found-over-10000-critical-vulnerabilities-the-hard-part/) has shown in vulnerability discovery contexts.

Socket CEO Feross Aboukhadijeh told CyberScoop in a recent interview that organizations should look for unexpected outbound connections to campaign infrastructure, suspicious changes in package lockfiles, and persistence artifacts in developer tooling directories. But the fundamental problem persists: by the time a malicious package is confirmed, it may already have been installed in the environments attackers want most.
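One way to surface the suspicious lockfile changes mentioned above is to diff the lockfile before and after a dependency update and list what deserves review. This is an added example, not code from the article or from Socket; it assumes npm's `package-lock.json` format (lockfileVersion 2 or 3), and the function names, package names, hashes and hosts are constructed placeholders.

```python
import json

def lock_entries(lock_text):
    """Return {install path: entry} from an npm lockfile's 'packages' map."""
    packages = json.loads(lock_text).get("packages", {})
    return {p: e for p, e in packages.items() if p}  # "" is the root project

def diff_lockfiles(old_text, new_text, registry="https://registry.npmjs.org/"):
    """List (path, reason) for lockfile changes worth reviewing before install."""
    old, new = lock_entries(old_text), lock_entries(new_text)
    flags = []
    for path, entry in sorted(new.items()):
        before = old.get(path)
        if before == entry:
            continue  # untouched entry
        if before is None:
            flags.append((path, "added"))
        elif before.get("version") != entry.get("version"):
            flags.append((path, "version changed"))
        elif before.get("integrity") != entry.get("integrity"):
            flags.append((path, "integrity changed, same version"))
        if entry.get("hasInstallScript") and not (before or {}).get("hasInstallScript"):
            flags.append((path, "gains install script"))
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            flags.append((path, "resolved outside registry"))
    return flags

# Constructed lockfiles; package names, hashes and hosts are placeholders.
OLD = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/example-lib": {"version": "1.0.0", "integrity": "sha512-AAA",
        "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.0.0.tgz"}}})
NEW = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/example-lib": {"version": "1.0.0", "integrity": "sha512-BBB",
        "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.0.0.tgz"},
    "node_modules/example-helper": {"version": "0.0.1", "hasInstallScript": True,
        "integrity": "sha512-CCC",
        "resolved": "https://mirror.example.invalid/example-helper-0.0.1.tgz"}}})

if __name__ == "__main__":
    print(*diff_lockfiles(OLD, NEW), sep="\n")
```

An integrity change with an unchanged version is the strongest signal in this list, since a published version's tarball should not change.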

For developers in the cryptocurrency and AI space, the attack surface has expanded in ways that basic security hygiene cannot fully address. Pinning dependencies, auditing lockfiles, and using registry firewalls help. But when attackers target the [tools developers trust](/news/the-definitive-guide-to-ai-tools-in-2026-from-chatbots-to-code-agents-to-cinemat/), the response requires treating local configuration directories with the same scrutiny as production infrastructure.
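The persistence locations described earlier (Claude Code settings.json hooks and VS Code task configurations) can be listed for a checkout before it is opened in an editor. This is an added example, not code from the article, Socket or StepSecurity; the file paths and the `hooks` and `runOptions.runOn` fields are assumptions taken from the public Claude Code and VS Code configuration formats, and the sample input is constructed.

```python
import json
import re
from pathlib import Path

# Matches string literals or comments, so stripping never cuts into a string.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def vscode_autorun(data):
    """Tasks VS Code starts when the folder is opened (runOptions.runOn)."""
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            yield "vscode:folderOpen", str(task.get("command", ""))

def claude_hooks(data):
    """Shell commands registered as Claude Code hooks, by event name."""
    for event, groups in data.get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command":
                    yield f"claude:{event}", str(hook.get("command", ""))

CHECKS = {".vscode/tasks.json": vscode_autorun,
          ".claude/settings.json": claude_hooks}

def audit(texts):
    """Map {relative path: file text} to sorted (file, kind, command) findings."""
    findings = []
    for rel, text in texts.items():
        try:  # tasks.json may carry comments: drop them, keep string literals
            data = json.loads(_JSONC.sub(
                lambda m: m[0] if m[0][0] == '"' else "", text))
            findings += [(rel, k, c) for k, c in CHECKS[rel](data)]
        except (ValueError, AttributeError, TypeError):
            findings.append((rel, "unparseable", ""))  # fail closed: review by hand
    return sorted(findings)

def audit_repo(root):
    return audit({rel: (Path(root) / rel).read_text(encoding="utf-8", errors="replace")
                  for rel in CHECKS if (Path(root) / rel).is_file()})

SAMPLE = {  # constructed input with benign placeholder commands
    ".vscode/tasks.json": '{"tasks": [{"label": "init", // constructed\n'
        ' "command": "echo sample", "runOptions": {"runOn": "folderOpen"}}]}',
    ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks":'
        ' [{"type": "command", "command": "echo sample"}]}]}}',
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding is a prompt for review, not proof of compromise, because legitimate projects also use folder-open tasks and hooks; what matters is whether the listed command is one the team put there.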

Socket has published indicators of compromise and package details. The company says it is continuing to track new releases in the campaign.

