Featured AnalysisPrimary topicInfrastructure

TrapDoor campaign plants 34 poisoned npm, PyPI and Crates packages to steal wallets, SSH keys and API tokens

Security firm Socket uncovered a supply‑chain malware operation called "TrapDoor" that distributed 34 compromised packages across npm, PyPI and Crates to target crypto and AI developer tooling [1][2].

May 25, 20269:00 AMNewsroom AI

Researchers at Socket identified a sophisticated campaign named TrapDoor that placed 34 compromised packages in popular developer repositories including npm, PyPI and Crates, enabling the malware to reach developer supply chains via poisoned packages ^[1] ^[2].

The operation specifically targeted developers working on cryptocurrency, decentralized finance, artificial intelligence and cybersecurity projects and was designed to harvest wallet data, SSH credentials, cloud access tokens and API authentication keys; reported targets and integrations of interest include Coinbase, Binance, Solana, MetaMask and Brave wallet functionality ^[1] ^[2] ^[3].

The campaign has been covered across security outlets and community forums following Socket's disclosure, with ongoing analysis of the 34 identified malicious packages and their distribution vectors reported by multiple outlets ^[1] ^[4] ^[3].

Was this useful?

Anonymous signal used only for weekly cluster rankings. No public counters.

Broadcast this coverage

Copy-ready links for the networks your audience checks first.

Share on XPost this briefing to your X followers.Share on FacebookLet your network catch up on the latest intel.Share on BlueSkyStart a conversation on BlueSky.

Support independent reporting

If this summary helped, a small tip helps keep ClusterWire running.

Privacy note: we log tip UI events (page + action, and article slug when applicable) to improve the feature. We don’t store IP address, user-agent, or wallet addresses in analytics. Tips are on-chain, so the sending address is public in the transaction.

Source Ledger

Citations

Follow the primary reporting behind this analysis. Click a citation to open the referenced source in a new tab.

1
TrapDoor Malware Campaign Infiltrates Developer Supply Chains to Target Crypto and AI Projects
Blockonomi• May 25, 2026
2
TrapDoor Supply Chain Attack Compromises 34 Packages Targeting Crypto and AI Developers
MoneyCheck• May 25, 2026
3
TrapDoor malware campaign steals crypto wallet data through fake developer tools
crypto.news• May 25, 2026
4
TrapDoor Malware Targets Crypto Developer Tools in Supply Chain Attack
r/CryptoCurrency• May 25, 2026

Themes

Themes driving this story

Curated from the cluster of sources powering this article.

●DeFiTheme●AltcoinsTheme●EthereumTheme●Exchanges/CustodyTheme●BitcoinTheme

TrapDoor campaign plants 34 poisoned npm, PyPI and Crates packages to steal wallets, SSH keys and API tokens

Broadcast this coverage

Support independent reporting

Citations

Themes driving this story

Latest Coverage

Hungary reverses parts of 2025 crypto limits, easing conversion and ending trading penalties

Bitcoin’s Overwater Supply Surge Meets DXY Compression and CPI Volatility Risks

Solana becomes WSOP 2026 sponsor, enabling SOL and stablecoin buy-in payments

Polychain-Backed Botanix Will Shut Down Bitcoin Layer 2, Users Urged to Withdraw by July 9

Whales Accumulate 200M DOGE as Derivatives Sentiment Turns and MoonPay Expands Payments

Bitcoin Slumps on Iran-CPI Turmoil, Tests Key Levels as Bulls Cite Discounted Value