TrapDoor attaque de chaîne d'approvisionnement : 34 modules malveillants volent uniquement des portefeuilles cryptographiques, instructions cachées dans CLAUDE.md

TrapDoor supply chain attack targets developers, deploying 34 malicious packages to steal crypto wallets and keys. Hackers also embed hidden commands in configuration files to hijack AI assistants like Claude and steal confidential information; developers must be highly vigilant.

TrapDoor supply chain attack exposed: targeting cryptocurrency and AI developers

Cybersecurity firm Socket Security's latest report reveals that a supply chain attack codenamed "TrapDoor" is rapidly spreading.

Socket Security states that, TrapDoor attacks have already deployed over 34 malicious packages and more than 384 related versions across major developer package management systems such as npm, PyPI, and Crates.io, targeting developers in cryptocurrency, decentralized finance (DeFi), AI, and cybersecurity fields.

• Click here to see the list of malicious packages and versions compiled by Socket Security

These malicious packages are designed to broadly collect developers' confidential information. The data hackers aim to steal includes SSH keys, cloud service credentials, GitHub access tokens, browser data, API keys, and crypto wallet data from ecosystems like Solana, Sui, and Aptos.

After collecting sensitive data, hackers can directly steal assets or use the compromised developer's machine as a springboard to infiltrate other infrastructure.

TrapDoor's Stealth Tactics and AI Hijacking Mechanisms

In the TrapDoor attack, hackers carefully craft package names to resemble legitimate development tools. For example, in npm, packages like crypto-credential-scanner or in Crates.io, sui-move-build-helper, trick developers into unknowingly downloading and executing malicious code during normal project builds.

Socket Security indicates that these malicious software exploit specific execution paths within ecosystems, such as post-install hooks in npm, import-time execution in Python, and build scripts in Rust (build.rs).

A particularly notable feature of this attack is its hijacking mechanism targeting AI-assisted coding tools. Hackers embed hidden commands containing zero-width Unicode characters in project files like .cursorrules or CLAUDE.md.

Ahmad Nassri, CTO of Socket Security, explains that the hackers aim to deceive AI coding assistants like Claude and Cursor, tricking these AI tools into executing system security scans within development environments. In reality, these scans silently collect data in the background and leak developers' confidential settings and environment variables.

Image source: The TrapDoor malicious software attack framework is summarized in the SocketAUDIT-MATRIX.md file.

Researchers also discovered that hackers have even submitted pull requests (PRs) on GitHub to well-known open-source AI and developer projects, attempting to insert files with hidden malicious commands under the guise of adding development standards and build verification steps, thereby blending malicious code into normal open-source workflows.

If development teams accept these PRs, programmers reading the project with AI tools in the future may unknowingly trigger data exfiltration mechanisms.

Recent TanStack Package Poisoning Also Targets AI Ecosystems

Recently, supply chain attacks targeting development environments have become more frequent and sophisticated.

A large-scale supply chain attack was recently carried out against TanStack packages, where hackers also targeted AI ecosystems by mounting malicious code in editors like VS Code and Claude Code, stealing developers' GitHub tokens and cloud credentials.

Charles Guillemet, CTO of Ledger, a well-known hardware wallet manufacturer, commented that hackers' techniques have become extremely advanced, making defenses more difficult.

• **Related report: Beware Claude Code users! TanStack NPM compromised with malicious injection, with up to 12.7 million downloads weekly

Supply chain attacks are frequent; be cautious when downloading packages or accepting PRs

Hackers are actively combining traditional package name misspelling techniques with new attack vectors in AI environments. Since platforms like GitHub are exploited to host malicious payloads and distribute configuration files, development teams must conduct stricter security reviews when introducing external dependencies or accepting pull requests.

Software installation is just the first step of the attack; subsequent stealth activities targeting AI configuration files, system scheduling, and network connections pose greater security challenges. Developers should carefully verify package names, publisher sources, and the security of underlying infrastructure when downloading open-source packages from major repositories to avoid becoming victims of supply chain attacks.