TrapDoor Malware Campaign Targets Crypto Wallets Across npm, PyPI, Rust

Security researchers identified a coordinated malware campaign called TrapDoor spreading through npm, PyPI, and Rust package repositories to steal cryptocurrency wallets, SSH keys, and cloud credentials. The attack also targeted AI coding tools through malicious configuration files.

May 25, 2026, 12:08 PM

How the Attack Spread

The TrapDoor malware propagated in coordinated waves across three major package ecosystems used by developers: npm (JavaScript), PyPI (Python), and Rust's crates.io. Security researchers discovered dozens of compromised packages distributed through these repositories, each designed to execute malicious code during installation or runtime.

What the Malware Steals

TrapDoor extracts multiple classes of sensitive data from infected machines: cryptocurrency wallet credentials, SSH private keys for server access, and cloud provider credentials including AWS keys and GitHub tokens. The campaign also targeted artificial intelligence coding tools by injecting malicious configuration files, potentially compromising development workflows at scale.

Implications for Developers

The attack underscores ongoing supply chain risk in open-source ecosystems. Developers in crypto and blockchain spaces, who often rely heavily on these package managers for dependencies, face elevated exposure. No patch timeline or mitigation guidance has been announced; immediate steps include auditing installed packages and rotating exposed credentials.

Why It Matters

For Traders

If your infrastructure relies on affected packages, stolen API keys could expose exchange accounts or withdrawal addresses; audit installed dependencies immediately.

For Investors

Supply chain attacks on developer tooling highlight structural risk in crypto infrastructure; projects with weak dependency-vetting processes face reputational and operational exposure.

For Builders

Review your package.json, requirements.txt, and Cargo.toml for any suspicious or newly updated dependencies; pin dependency versions and vendor critical libraries locally.
