Crypto Stealer Buried 34 Poisoned Packages Across npm, PyPI and Crates.io

May 30, 2026 5:55 pm

Security researchers caught an active supply-chain attack aimed straight at crypto developers and their wallet data.

The campaign, named TrapDoor, spread malicious packages across npm, PyPI and Crates.io, the three package registries that supply the dependencies behind modern crypto and DeFi software.

CoinDesk reported on May 29, 2026 that Solana, Sui and Aptos wallet data were among the targets.

This one hit the toolchain, not the chain. That is the dangerous part.

The firm Socket identified TrapDoor and tracked its reach. Their findings give the clearest picture of how wide this went.

In its original research note, Socket laid out the scope and targets of the campaign:

Source: Socket

Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io.

The earliest package Socket observed was the PyPI package [email protected], uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC.

The packages were then published in waves by a handful of accounts and actively updated throughout the weekend. They stood out because they posed as generic developer tools and appeared in quick succession across multiple registries.

Socket detected malicious packages across all three ecosystems. The connection became clear during the Crates.io wave, when Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages.

TrapDoor targets developers in crypto, DeFi, Solana, and AI communities. The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.

The packages posed as developer utilities, wallet and security tools, Solidity tools, AI-related packages, and Sui or Move build helpers.

In other words, the bait was built to look like the exact tools a working crypto engineer reaches for every day.

The payloads went after more than wallets. CoinDesk reported the malware could steal wallet data, SSH keys, AWS credentials, GitHub tokens, browser data and sensitive configuration files.

CoinDesk explained why this kind of package attack can reach beyond one infected laptop:

Source: CoinDesk

A newly discovered supply-chain campaign called TrapDoor has planted more than 34 malicious packages across npm, PyPI and Crates.io to target crypto and cloud developers.

The packages, disguised as mundane developer utilities and security tools, were designed to steal SSH keys, wallet files, AWS credentials, GitHub tokens, browser data and other sensitive configuration files.

A new crypto-theft campaign is targeting the developers most likely to have wallet keys, cloud credentials and production access sitting on their machines.

Researchers at security firm Socket said earlier this week they identified a supply-chain attack called TrapDoor spread across three major open-source programming registries, with more than 34 malicious packages and hundreds of related versions and artifacts.

A key takeaway is that attackers are becoming more focused.

In addition to social engineering, which targets individuals holding key information, supply-chain attacks are built not to catch random retail users but developers. Those are the very people who may have wallet files, SSH keys, GitHub tokens, cloud credentials and production access on the same machine they use to build crypto and AI tools.

Socket did not identify victims or stolen funds, but said the packages were live across npm, PyPI and Crates.io and contained payloads that could steal wallet data, exfiltrate credentials, test AWS and GitHub tokens and leave behind files to keep access active.

A compromised developer machine is a master key. SSH keys and GitHub tokens let an attacker move into repositories and infrastructure, which is how a single poisoned install turns into a far bigger breach.

Solana sits in the middle of this as one of the largest assets in the market.

The current market table from CoinGecko put Solana inside the Top 10:

Source: CoinGecko

Bitcoin (BTC): market-cap rank 1; market cap $1,477,839,014,916.
Ethereum (ETH): market-cap rank 2; market cap $244,209,691,286.
Tether (USDT): market-cap rank 3; market cap $188,212,251,316.
BNB (BNB): market-cap rank 4; market cap $95,842,990,700.
XRP (XRP): market-cap rank 5; market cap $83,326,964,189.
USDC (USDC): market-cap rank 6; market cap $75,863,402,245.
Solana (SOL): market-cap rank 7; market cap $47,704,510,791.
TRON (TRX): market-cap rank 8; market cap $32,878,764,362.
Figure Heloc (FIGR_HELOC): market-cap rank 9; market cap $18,614,390,368.
Dogecoin (DOGE): market-cap rank 10; market cap $15,521,436,183.
Hyperliquid (HYPE): market-cap rank 11; market cap $15,006,654,933.
USDS (USDS): market-cap rank 12; market cap $11,036,876,983.
LEO Token (LEO): market-cap rank 13; market cap $9,277,674,087.

An attacker chasing wallet data on a top-10 chain is going where the value is.

Socket did not name victims or stolen funds in the reporting reviewed here, so the financial damage is still unknown.

The lesson for builders is plain. Pin your dependencies, audit new packages before you install them, and treat any tool promising wallet or security utility help as guilty until proven safe.

Self-custody protects you from exchange failures. It does not protect you from the code you pull onto your own machine.
