TrapDoor malware targets crypto and AI developers via open-source packages

Cybersecurity firm Socket has issued a warning about a new malware campaign dubbed TrapDoor. The attack specifically targets software developers working in cryptocurrency, decentralized finance (DeFi), and artificial intelligence (AI) sectors. According to a blog post from Socket, attackers are uploading malicious packages to widely used developer libraries such as npm and PyPI.

How TrapDoor infects

The threat actors behind TrapDoor embed malicious code inside seemingly legitimate packages. Developers who unknowingly download and install these packages into their projects become infected. Once active, the malware functions as an info-stealer. It extracts sensitive data from compromised systems. The primary targets include cryptocurrency wallet extensions like MetaMask and Phantom, as well as SSH keys and GitHub authentication tokens. By capturing these credentials, attackers can gain unauthorized access to digital assets and source code repositories, which can lead to asset theft.

Why this matters for crypto and AI developers

Developers in crypto, DeFi, and AI sectors often rely on open-source packages to build applications quickly. npm and PyPI ecosystems are particularly attractive to attackers because they are widely used and often trusted without thorough security vetting. TrapDoor exploits this trust, turning routine dependency installations into a serious security risk. The theft of MetaMask or Phantom wallet keys could result in losing cryptocurrency holdings. Similarly, compromised SSH keys and GitHub tokens could allow attackers to inject further malicious code into production environments or steal intellectual property. This attack highlights a growing trend in software supply chain threats. Malicious packages targeting developers are becoming more sophisticated. TrapDoor serves as a reminder that even trusted repositories can harbor dangerous code. For organizations building on blockchain or AI platforms, a single infected dependency can cascade into significant financial and reputational damage.

What developers should do

Socket advises developers to exercise caution when adding new dependencies to their projects. Security experts recommend verifying package integrity, using package lock files, and employing automated security tools that scan for suspicious behavior. Additionally, developers should consider using hardware wallets for storing cryptocurrency keys and enabling multi-factor authentication on GitHub accounts. The TrapDoor malware campaign is a targeted and evolving threat. By exploiting trust in open-source repositories, attackers are stealing sensitive credentials that can lead to financial loss and data breaches. Developers and organizations must remain vigilant and adopt proactive security measures to protect their workflows and assets.

The post TrapDoor malware targets crypto and AI developers via open-source packages appeared first on TheCryptoUpdates.