New 'TrapDoor' Virus Steals Crypto Wallets: Solana, DeFi, AI Developers Under Threat

Source: UToday

Published: 11:43 UTC

BTC Price: $77470.3

Analysis

Price Impact

High

The discovery of the 'TrapDoor' virus targeting Solana developers poses a significant risk to the Solana ecosystem. If the malware successfully compromises developer machines and steals private keys, it could lead to substantial losses of SOL tokens and other assets within the Solana DeFi space, eroding investor confidence and potentially causing a sharp price decline.

Trustworthiness

High

Price Direction

Bearish

The news directly targets Solana developers and the DeFi ecosystem built on it. A successful exploit could lead to theft of funds, damage to the network's reputation, and reduced developer activity, all of which are bearish factors for SOL's price.

Time Effect

Short

The immediate threat is to the developers and the integrity of the Solana ecosystem. The price impact will likely be felt in the short term as news spreads and potential security breaches are uncovered or mitigated.

Article Content:

Cybersecurity lab SlowMist has issued an emergency security warning under the code SM-2026-352284. According to the official statement, an active cross-registry supply chain attack has been detected, targeting creators of Web3 and AI products.

Hackers injected more than 34 malicious packages and 384 associated versions into the largest repositories, including npm, PyPI and Crates.io, directly targeting developers in the Solana, DeFi, and AI ecosystems.

The incident is unfolding against the backdrop of April's record losses, when the DeFi sector lost an unprecedented $635 million across 28 hacks. Although the scale of direct smart contract exploits declined in May, SlowMist telemetry shows a fundamental change in attacker tactics.

Image: Security warning under the code SM-2026-352284 about TrapDoor. Source: SlowMist

Threat actors have moved their focus from attacking protected servers to covertly compromising engineers' personal devices.

How TrapDoor hijacks "vibe coding"

SlowMist's analysis showed that TrapDoor is designed for full compromise of developer workstations. The malware steals crypto wallets, cloud tokens such as AWS and GitHub credentials, and access keys, sending them to addresses controlled by the attackers. Conceptually, the scheme repeats the logic of the well-known npm worm "Mini Shai-Hulud".

To maintain covert persistence in the system, the payload writes itself directly into AI assistant configuration files such as .cursorrules and CLAUDE.md, while also hiding inside Git hooks and automation scripts. In repositories, the software is disguised as AI plugins and build utilities for Sui and Move.

The incident is worsened by the trend of "vibe coding", where engineers assemble projects through prompts and blindly connect dozens of nested libraries. As a result, AI agents automatically download malicious code onto machines where smart editors have direct access to local configuration files.

Due to the critical status of the threat, SlowMist instructs teams to immediately remove the affected packages, isolate infected systems, preserve logs and launch a three-stage remediation protocol:

- AI configuration audit: Manually inspect local .cursorrules and CLAUDE.md files for third-party or anomalous instructions.
- Total credential rotation: Force-revoke and reissue all encryption keys, cloud tokens and GitHub secrets used on the devices.
- Full environment rebuild: Purge and reset build environments, then fully reinstall developer work environments from fresh system images.
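The AI configuration audit above, together with a look at the Git hooks the payload is said to hide in, can be given a scripted first pass before the manual read. This is an added example, not code from SlowMist or U.Today; the heuristic patterns are generic assumptions chosen for illustration, not published TrapDoor indicators, so a file with no hits is only listed, not cleared.

```python
import hashlib
import os
import re
import sys
from pathlib import Path

# File names the advisory says to inspect.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}

# Generic heuristics assumed for this example; NOT published TrapDoor indicators.
HEURISTICS = {
    "pipe-to-shell": re.compile(r"(curl|wget)[^\n|]*\|\s*(ba|z)?sh\b"),
    "encoded-blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "credential-path": re.compile(r"\.aws/credentials|\.ssh/id_|\.config/solana|\.npmrc"),
    "hidden-unicode": re.compile("[\u200b-\u200f\u202a-\u202e\u2060-\u2064]"),
}

def review_targets(root):
    """Yield AI assistant config files and active (non-.sample) Git hooks under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        p = Path(dirpath)
        in_hooks = p.name == "hooks" and p.parent.name == ".git"
        for name in filenames:
            if name in AI_CONFIG_NAMES or (in_hooks and not name.endswith(".sample")):
                yield p / name

def audit(root):
    """Return one record per target file: path, SHA-256, and (line number, rule) hits."""
    findings = []
    for path in sorted(review_targets(root)):
        if not path.is_file():  # skip broken symlinks and special files
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", errors="replace")
        hits = [(n, rule)
                for n, line in enumerate(text.splitlines(), 1)
                for rule, rx in HEURISTICS.items() if rx.search(line)]
        digest = hashlib.sha256(data).hexdigest()
        findings.append({"path": str(path), "sha256": digest, "hits": hits})
    return findings

if __name__ == "__main__":
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "REVIEW" if f["hits"] else "listed"
        print(f'{status:7} {f["sha256"][:16]} {f["path"]}')
        for n, rule in f["hits"]:
            print(f"         line {n}: {rule}")
```

Hooks can also live outside `.git/hooks` when `core.hooksPath` is set, so check `git config core.hooksPath` in each repository and point the script at that directory's parent tree as well.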