TrapDoor Supply Chain Attack: 34 Malicious Packages Steal Crypto Wallets and Hide Commands in CLAUDE.md

TrapDoor supply chain attacks target developers, deploying 34 malicious packages to steal crypto wallets and keys. Hackers embed hidden commands in configuration files to hijack AI assistants like Claude and steal confidential information; developers must be highly vigilant.

TrapDoor supply chain attack exposed: targeting cryptocurrency and AI developers

Cybersecurity firm Socket Security's latest report reveals that a supply chain attack codenamed "TrapDoor" is rapidly spreading.

Socket Security states that TrapDoor attacks have already deployed over 34 malicious packages and more than 384 related versions across major developer package management systems such as npm, PyPI, and Crates.io, targeting developers in cryptocurrency, decentralized finance (DeFi), AI, and cybersecurity fields.

These malicious packages are designed to broadly collect developers' confidential information. The data hackers aim to steal includes SSH keys, cloud service credentials, GitHub access tokens, browser data, API keys, and wallet data from ecosystems like Solana, Sui, and Aptos.

After collecting sensitive data, hackers can directly steal crypto assets or use the victim developers' computers as a springboard to infiltrate other infrastructure.

TrapDoor’s Stealth Tactics and AI Hijacking Mechanisms

In the TrapDoor attack, hackers carefully craft package names to resemble legitimate development tools. Examples include crypto-credential-scanner on npm and sui-move-build-helper on Crates.io, names that trick developers into unknowingly downloading and executing malicious code during normal project builds.

Socket Security indicates that the malware is triggered through execution paths specific to each ecosystem: post-install hooks in npm, import-time execution in Python, and Rust’s build.rs scripts.
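To make the three trigger paths above visible before anything is installed or built, the following added example (not code from Socket Security or the original report) inventories them in an unpacked dependency tree. The Python check is a heuristic that only looks at top-level calls in `__init__.py`, and the package names and commands in the sample tree are constructed.

```python
import ast
import json
import tempfile
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by `npm install`
DEFINITIONS = (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)

def import_time_calls(source):
    """Line numbers of top-level statements in a module that call something on import."""
    return [node.lineno for node in ast.parse(source).body
            if not isinstance(node, DEFINITIONS)
            and any(isinstance(n, ast.Call) for n in ast.walk(node))]

def find_auto_executed_code(root):
    """Return (ecosystem, relative path, detail) for code that runs without being called."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        try:
            if path.name == "package.json":
                data = json.loads(path.read_text(encoding="utf-8"))
                scripts = data.get("scripts") if isinstance(data, dict) else None
                if isinstance(scripts, dict):
                    findings += [("npm", rel, f"{h}: {scripts[h]}") for h in NPM_HOOKS if h in scripts]
            elif path.name == "build.rs" and (path.parent / "Cargo.toml").is_file():
                findings.append(("cargo", rel, "build script compiled and run by cargo"))
            elif path.name == "__init__.py" and (lines := import_time_calls(path.read_text(encoding="utf-8"))):
                findings.append(("python", rel, f"calls at import time on lines {lines}"))
        except (OSError, ValueError, SyntaxError):
            continue  # unreadable or unparsable file: skip it, do not abort the scan
    return findings

SAMPLE = {  # constructed tree; package names and commands are hypothetical
    "node_modules/example-pkg/package.json": '{"name": "example-pkg", "scripts": {"postinstall": "node setup.js", "test": "jest"}}',
    "vendor/example-crate/Cargo.toml": '[package]\nname = "example-crate"\n',
    "vendor/example-crate/build.rs": "fn main() {}\n",
    "site-packages/example_mod/__init__.py": "import os\n\ndef helper():\n    return 1\n\nVALUE = os.getenv('HOME')\n",
}

def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body, encoding="utf-8")
        return find_auto_executed_code(tmp)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

A finding is a prompt for review rather than a verdict, since many legitimate packages use install hooks and build scripts.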

The most notable feature of this attack is its hijacking mechanism targeting AI-assisted coding tools. Hackers embed hidden commands containing zero-width Unicode characters in project files like .cursorrules or CLAUDE.md.

Socket Security CTO Ahmad Nassri explains that the hackers aim to deceive AI coding assistants like Claude and Cursor, tricking these AI tools into performing system security scans within the development environment. In reality, these scans silently collect data in the background and leak developers’ confidential settings and environment variables.

Image source: Socket. In the AUDIT-MATRIX.md file, an overview of the TrapDoor malware attack’s pre-attack extraction framework

Researchers also discovered that hackers have even submitted pull requests (PRs) to several well-known open-source AI and developer projects on GitHub, attempting to insert files with hidden malicious commands under the guise of adding development standards and build verification, blending malicious code into normal open-source workflows.

If development teams accept these PRs, programmers reading the project with AI tools in the future may unknowingly trigger data leakage mechanisms.
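A check for the zero-width characters described above, suitable for PR review or CI over files like .cursorrules and CLAUDE.md; this is an added example, not code from Socket Security or the original report. It also flags every other Unicode format (Cf) character, which goes beyond the zero-width case the article names, and the sample text is constructed.

```python
import unicodedata
from pathlib import Path

# File names taken from the article; extend for other assistant config files.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

def is_invisible(ch):
    """Zero-width characters plus any other Unicode format (Cf) code point."""
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"

def scan_text(text):
    """Return one finding per line that contains invisible characters."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        hits = [(col, ch) for col, ch in enumerate(line, start=1) if is_invisible(ch)]
        if hits:
            findings.append({
                "line": lineno,
                "columns": [col for col, _ in hits],
                "codepoints": sorted({f"U+{ord(ch):04X}" for _, ch in hits}),
                "visible": "".join(ch for ch in line if not is_invisible(ch)),
            })
    return findings

def scan_tree(root):
    """Scan every AI config file under root; map path -> findings for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_CONFIG_NAMES:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed sample: a harmless CLAUDE.md whose second line carries three zero-width characters.
SAMPLE = "# Project conventions\nRun the linter\u200b\u200d before each commit.\u2060\nUse 4-space indentation.\n"

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['codepoints']} at columns {f['columns']} -> {f['visible']!r}")
```

A UTF-8 byte order mark at the start of a file is reported as U+FEFF on line 1, so expect that one benign hit on files saved with a BOM.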

Recent TanStack Package Poisoning Also Targets AI Ecosystems

Recently, supply chain attacks on development environments have become more frequent and sophisticated.

A large-scale supply chain attack targeting the TanStack packages has occurred, with hackers focusing on AI ecosystems and planting malicious code in editors like VS Code and Claude Code to steal developers’ GitHub access tokens and cloud credentials.

Charles Guillemet, CTO of well-known hardware wallet manufacturer Ledger, commented that hackers’ techniques have become extremely advanced, making defenses more difficult.

Supply chain attacks are frequent; be cautious when downloading packages or accepting PRs

Hackers are actively combining traditional typosquatting techniques with new attack vectors targeting AI environments. Since platforms like GitHub are exploited to host malicious payloads and configuration files, development teams must conduct stricter security reviews when integrating external dependencies or accepting pull requests.

Software installation is just the first step of the attack; subsequent stealth activities targeting AI configuration files, system scheduling, and network connections pose greater cybersecurity challenges. Developers should carefully verify package names, publisher sources, and the security of underlying infrastructure when downloading open-source packages from major repositories to avoid becoming victims of supply chain attacks.
