According to ME News, on May 25 (UTC+8), security firm Socket Security discovered a supply chain attack named TrapDoor, a cryptocurrency-stealing campaign involving over 34 malicious packages and 384 associated versions across npm, PyPI, and Crates.io platforms. The attack primarily targets developers in cryptocurrency, DeFi, Solana, Sui, Move, and AI. The attack method includes stealing SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Specifically: npm packages execute trap-core.js via postinstall hooks; PyPI packages run remote JavaScript upon import; and Crates.io packages exploit build.rs to harvest local keychains. Socket has flagged these malicious packages and reported them to the respective package registries. (Source: MLion)
TrapDoor crypto theft campaign affects 34+ malicious packages across npm, PyPI, and Crates.io






A TrapDoor crypto theft campaign has been uncovered, involving over 34 malicious packages across npm, PyPI, and Crates.io. Socket Security reported the attack, which targets developers in the AI, crypto, DeFi, Solana, and Sui ecosystems. Attackers steal SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Socket has flagged the malicious packages and reported them to the relevant registries. Crypto security remains a key concern, as the attack highlights vulnerabilities in developer tools.
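The npm postinstall hooks and Crates.io build.rs scripts described above both run code automatically when a dependency is installed or built, so a dependency tree can be audited for them. The following is an added example, not code from Socket or from the original report: it lists every npm package with an install-time lifecycle script and every crate with a build script under a directory. The package names, the exact `node trap-core.js` command and the sample tree are constructed assumptions, and the PyPI import-time case is not covered.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic for a custom Cargo build script declared as build = "path".
CARGO_BUILD = re.compile(r'(?m)^\s*build\s*=\s*"([^"]+)"')

def find_install_time_code(root):
    """Return sorted (ecosystem, package dir, detail) tuples for install/build-time code."""
    root, findings = Path(root), []
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = data.get("scripts") if isinstance(data, dict) else None
        rel = manifest.parent.relative_to(root).as_posix()
        for hook in NPM_HOOKS:
            if isinstance(scripts, dict) and hook in scripts:
                findings.append(("npm", rel, f"{hook}: {scripts[hook]}"))
    for manifest in root.rglob("Cargo.toml"):
        try:
            text = manifest.read_text(encoding="utf-8")
        except (OSError, ValueError):
            continue
        rel = manifest.parent.relative_to(root).as_posix()
        for script in sorted({"build.rs", *CARGO_BUILD.findall(text)}):
            if (manifest.parent / script).is_file():
                findings.append(("cargo", rel, script))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tree = {  # constructed sample tree; package names are hypothetical
            "node_modules/example-clean/package.json": '{"scripts": {"test": "jest"}}',
            "node_modules/example-wallet/package.json": '{"scripts": {"postinstall": "node trap-core.js"}}',
            "vendor/example-keys/Cargo.toml": '[package]\nname = "example-keys"\n',
            "vendor/example-keys/build.rs": "fn main() {}\n",
        }
        for rel, body in tree.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return find_install_time_code(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding is a prompt for review, not proof of malice, since many legitimate packages ship install or build scripts. Running `npm install --ignore-scripts` keeps npm lifecycle scripts from executing while the flagged packages are inspected.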

