
SlowMist Says TrapDoor is One of 2026’s Largest Supply Chain Attacks

Attackers inserted malicious code into installation and build processes, activating malware automatically upon dependency downloads
Over 34 malicious packages and 384 infected versions were uploaded to npm, PyPI, and Crates.io, targeting crypto and AI developers
Malware stole sensitive data, including SSH keys and AWS credentials, by disguising traffic as normal coding activity via trusted services

A significant cyberattack has been discovered that targeted developers working on cryptocurrency and artificial intelligence projects. Cybersecurity firm SlowMist identified the attack, named “TrapDoor,” and found it spread through infected software packages on widely used platforms like npm, PyPI, and Crates.io. This compromised sensitive information, including cryptocurrency wallets, cloud login details, and developer access keys.

Security researchers first detected the malicious activity on May 24th. They discovered attackers had uploaded over 34 harmful software packages, spanning 384 infected versions, that looked like legitimate tools for developers. This campaign primarily aimed at teams working on applications related to cryptocurrency, decentralized finance (DeFi), Solana, Sui, and artificial intelligence.

We’ve published a detailed technical report analyzing the TrapDoor campaign, which involves the theft of supply chain credentials across different systems. This campaign was initially reported by Socket Security on May 24th. Since then, our team has been actively investigating it using our MistEye threat…

— SlowMist (@SlowMist_Team) May 28, 2026

Security firm SlowMist discovered that hackers secretly added harmful code to the installation and build steps of software packages. This meant that when developers downloaded common software components or opened projects that had been tampered with, the malicious code would run automatically, without any further action by the developer. Experts are calling this attack one of the biggest of its kind in 2026, as the hackers targeted systems used across many different programming languages and platforms.

Attackers exploited trusted developer tools

According to SlowMist, the attackers hid their harmful activity by using legitimate developer tools like GitHub Pages, GitHub Gists, and webhook.site, making it appear as standard coding work. The malware then stole sensitive information – including SSH keys, browser data, Amazon Web Services credentials, cryptocurrency wallet files, and API tokens – and sent it to servers controlled by the hackers.

Investigators discovered a clear link between the Python and JavaScript versions of the malicious software, as they both used the same online resources connected to the website ddjidd564.github.io. The version written in Rust, however, appeared different and didn’t share as many connections, despite also targeting developers who work with cryptocurrencies.

Security firm SlowMist found that the most complex aspect of this attack involved a compromised npm package. The malware didn’t just steal login information; it also modified important system files like Git settings and files used by AI coding tools such as .cursorrules and CLAUDE.md. The attackers attempted to distribute harmful code through AI coding processes by hiding instructions using invisible characters and manipulating prompts.
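The two behaviours described above, code that runs automatically at install time and instructions hidden in AI rules files with invisible characters, are both things a defender can check for locally. The following script is an added example written for this article; it is not SlowMist's tooling and not taken from the TrapDoor report. It takes the contents of a project's package.json and its .cursorrules / CLAUDE.md files (the file names come from the article; the sample contents below are constructed) and reports npm install-time lifecycle scripts plus any zero-width, bidirectional-override or Unicode "tag" characters that would be invisible in an editor. The lifecycle script names are npm's real ones; the Unicode ranges are standard, not campaign-specific.

```python
import json
import unicodedata

# npm runs these lifecycle scripts automatically during `npm install`,
# which is why a poisoned dependency can execute code on download.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Code points that render as nothing (or silently reorder text), so they can
# carry instructions inside an otherwise innocuous-looking rules file.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFEFF, 0xFEFF),    # zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode "tag" characters
)

# Files that AI coding assistants read as instructions (names from the article).
AI_RULES_FILES = (".cursorrules", "CLAUDE.md")


def find_invisible_chars(text):
    """Return (offset, unicode name) for every invisible code point in text."""
    hits = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
            hits.append((i, unicodedata.name(ch, f"U+{cp:04X}")))
    return hits


def find_install_hooks(package_json_text):
    """Return {hook_name: command} for install-time scripts in a package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_files(files):
    """files: {filename: contents}. Returns a list of human-readable findings."""
    findings = []
    for name, text in files.items():
        if name == "package.json":
            for hook, cmd in find_install_hooks(text).items():
                findings.append(f"{name}: install-time script '{hook}' runs: {cmd}")
        elif name in AI_RULES_FILES:
            for offset, char_name in find_invisible_chars(text):
                findings.append(f"{name}: invisible {char_name} at offset {offset}")
    return findings


# Constructed sample inputs (not real package contents).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node ./scripts/setup.js",
    },
})

# A rules file with a zero-width space and two Unicode tag characters
# appended after the first sentence; in an editor it looks like plain text.
SAMPLE_RULES = ("Always run tests before commit."
                "\u200b\U000E0041\U000E0042"
                " Keep functions small.\n")

if __name__ == "__main__":
    for line in scan_files({"package.json": SAMPLE_PACKAGE_JSON,
                            "CLAUDE.md": SAMPLE_RULES}):
        print(line)
```

An install-time hook is not malicious by itself (many legitimate packages compile native code in `postinstall`), so the output is a review list rather than a verdict; the useful signal is a hook that appeared in a version bump of a dependency that previously had none. For the rules files, any hit at all deserves a look, since there is no ordinary reason for zero-width or tag characters to appear in instructions meant for a human to read.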

AI coding assistants become a new security risk

Experts are cautioning that a recent incident highlights the dangers developers face as they rely more and more on AI tools to help them write code. Security firm SlowMist discovered that the malicious code included secret commands meant to tamper with AI coding assistants like Cursor and Claude Code. This could allow the malware to spread and cause further problems in future coding projects, even after the initial infection is addressed.

According to the report, the attackers compromised developer systems by disguising malicious software as standard software updates. This allowed them to maintain access for an extended period. The malware was designed to be stealthy, automatically reinstalling itself using common system tools like scripts and Git without alerting users.

SlowMist is advising developers who may have been impacted to rotate their credentials right away, remove any potentially harmful software packages, and thoroughly check their systems for the indicators of compromise listed under the “P-2024-001” identifier and the related web addresses.


2026-05-28 16:20