TrapDoor Supply Chain Attack Targets 34 Malicious Packages to Steal Developer Credentials Across npm, PyPI, and Crates.io

A significant coordinated software supply chain attack has emerged, targeting popular package ecosystems including npm, PyPI, and Crates.io. This campaign, dubbed TrapDoor, has been identified as distributing credential-stealing malware through over 34 malicious packages, encompassing more than 384 versions. The initial signs of this activity were detected on May 22, 2026, at 8:20 PM UTC, with a series of new packages released in rapid succession from a cluster of accounts.

Overview of the TrapDoor Campaign

The TrapDoor campaign specifically targets developers engaged in cryptocurrency, decentralized finance (DeFi), Solana, and artificial intelligence (AI) sectors. According to Socket, the malicious packages are engineered to extract sensitive information such as developer secrets, cryptocurrency wallets, SSH keys, cloud credentials, browser data, and environment variables.

Several npm packages within this campaign utilize a shared payload known as trap-core.js. This script is capable of scanning for credentials, validating AWS and GitHub tokens, executing lateral movement via SSH, and establishing persistence through various methods, including .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron jobs, and SSH.

It is important to clarify that this operation is unrelated to another campaign of the same name, which was reported by HUMAN's Satori Threat Intelligence and Research Team. That campaign was focused on ad fraud, distributing 455 Android applications through the Google Play Store.

Identified Malicious Packages

The following list outlines the malicious packages associated with the TrapDoor campaign:

Crates.io

  • move-analyzer-build
  • move-compiler-tools
  • move-project-builder
  • sui-framework-helpers
  • sui-move-build-helper
  • sui-sdk-build-utils

npm

  • async-pipeline-builder
  • build-scripts-utils
  • chain-key-validator
  • crypto-credential-scanner
  • defi-env-auditor
  • defi-threat-scanner
  • deployment-key-auditor
  • dev-env-bootstrapper
  • eth-wallet-sentinel
  • llm-context-compressor
  • mnemonic-safety-check
  • model-switch-router
  • node-setup-helpers
  • project-init-tools
  • prompt-engineering-toolkit
  • solidity-deploy-guard
  • token-usage-tracker
  • wallet-backup-verifier
  • wallet-security-checker
  • web3-secrets-detector
  • workspace-config-loader

PyPI

  • cryptowallet-safety
  • data-pipeline-check
  • defi-risk-scanner
  • env-loader-cli
  • eth-security-auditor
  • git-config-sync
  • solidity-build-guard
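The names above are the indicators a defender can act on immediately. The following script, added here as an example and not code from the article or from Socket, reads the three kinds of dependency manifest the campaign touches and reports any direct dependency whose name is on the list. The package names are exactly those listed above; the manifest formats handled (package.json, requirements.txt, Cargo.toml) and the simplified parsing are this example's own assumptions. Lockfiles and transitive dependencies are not inspected.

```python
"""Check dependency manifests for the TrapDoor package names listed in the article.

Added example (not the article's or Socket's code). TRAPDOOR_PACKAGES is copied from
the article; the manifest handling below is a deliberately simple approximation of
the real formats and is this example's own assumption.
"""
import json
import re

TRAPDOOR_PACKAGES = {
    "npm": {
        "async-pipeline-builder", "build-scripts-utils", "chain-key-validator",
        "crypto-credential-scanner", "defi-env-auditor", "defi-threat-scanner",
        "deployment-key-auditor", "dev-env-bootstrapper", "eth-wallet-sentinel",
        "llm-context-compressor", "mnemonic-safety-check", "model-switch-router",
        "node-setup-helpers", "project-init-tools", "prompt-engineering-toolkit",
        "solidity-deploy-guard", "token-usage-tracker", "wallet-backup-verifier",
        "wallet-security-checker", "web3-secrets-detector", "workspace-config-loader",
    },
    "pypi": {
        "cryptowallet-safety", "data-pipeline-check", "defi-risk-scanner",
        "env-loader-cli", "eth-security-auditor", "git-config-sync",
        "solidity-build-guard",
    },
    "crates": {
        "move-analyzer-build", "move-compiler-tools", "move-project-builder",
        "sui-framework-helpers", "sui-move-build-helper", "sui-sdk-build-utils",
    },
}


def npm_dependencies(package_json_text):
    """Direct dependency names from every dependency section of a package.json."""
    data = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        names.update((data.get(section) or {}).keys())
    return names


_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def pypi_dependencies(requirements_text):
    """Project names from a requirements.txt, normalised PEP 503 style (lowercase, [-_.] -> '-')."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):        # skip blanks and options such as -r/-e
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.add(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    return names


def crate_dependencies(cargo_toml_text):
    """Crate names from [dependencies]-style tables of a Cargo.toml.

    Handles `name = "ver"`, `name = { ... }` and `[dependencies.name]` forms; crates.io
    treats '_' and '-' as the same name, so names are normalised to '-'. A `package = ...`
    rename inside an inline table is not followed (simplification of this example).
    """
    names = set()
    in_deps = False
    for line in cargo_toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            parts = stripped.strip("[]").split(".")
            if parts[-1].endswith("dependencies"):
                in_deps = True                      # e.g. [dependencies], [target.x.build-dependencies]
            elif any(p.endswith("dependencies") for p in parts[:-1]):
                names.add(parts[-1].strip("\"'").replace("_", "-"))  # [dependencies.name]
                in_deps = False
            else:
                in_deps = False
            continue
        if in_deps and "=" in stripped and not stripped.startswith("#"):
            names.add(stripped.split("=", 1)[0].strip().strip("\"'").replace("_", "-"))
    return names


def find_trapdoor_matches(npm_names=(), pypi_names=(), crate_names=()):
    """Return {ecosystem: sorted listed names present}; an empty dict means no match."""
    found = {
        "npm": sorted(set(npm_names) & TRAPDOOR_PACKAGES["npm"]),
        "pypi": sorted(set(pypi_names) & TRAPDOOR_PACKAGES["pypi"]),
        "crates": sorted(set(crate_names) & TRAPDOOR_PACKAGES["crates"]),
    }
    return {eco: hits for eco, hits in found.items() if hits}
```

A match should be treated as a compromise of the machine that installed the package, not merely as a dependency to remove, because the payloads described below run at install or import time.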

Delivery Mechanisms and Technical Details

The TrapDoor operation is characterized by its diverse delivery mechanisms. It employs postinstall hooks, remote JavaScript payloads executed during package imports, and malicious build scripts targeting Sui and Move developers. The packages are designed to appear innocuous, allowing attackers to reach a wide audience.

The npm packages execute a JavaScript payload, trap-core.js, which scans for credentials and developer secrets. It validates stolen credentials through AWS and GitHub API calls, establishes persistence on the host using cron jobs, systemd services, and Git hooks, and attempts lateral movement via SSH.

Similarly, the Rust crates are programmed to search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. These packages leverage a build script (build.rs) to initiate the execution of the malicious code.

Python Package Execution and Remote Payloads

The Python packages associated with TrapDoor are designed for automatic execution upon import. Their primary function is to download JavaScript from an attacker-controlled GitHub Pages domain and execute it with "node -e". This method allows the Python package to delegate execution to a remote payload, providing the attacker with enhanced flexibility post-publication. By hosting the payload externally, the attacker can modify its behavior without the need for a new PyPI release.

An unusual aspect of this campaign involves embedding .cursorrules and CLAUDE.md files containing hidden instructions aimed at tricking AI assistants into executing a “security scan.” This tactic leads to the discovery and exfiltration of secrets. The attackers have been observed opening GitHub pull requests across various popular AI and developer projects, including “browser-use/browser-use,” “langchain-ai/langchain,” and “langflow-ai/langflow.”

Broader Implications and Industry Impact

The PR activity associated with TrapDoor suggests that the threat actor is testing the waters for introducing AI-related project files through conventional open-source contribution workflows. This strategy could enable AI coding tools to parse and apply the hidden instructions embedded within these files.

The findings underscore a growing trend in which threat actors are increasingly targeting developer workflows. Their goal is to steal a wide array of information that could facilitate deeper infiltration into target environments for subsequent attacks.

The TrapDoor campaign exemplifies how attackers are merging traditional package typosquatting techniques with newer attack vectors targeting developer environments. The package names are crafted to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware utilizes ecosystem-specific execution paths, including build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.
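Each of the execution paths and persistence artifacts named in this article leaves something inspectable on disk. The following audit script is an added example, not code from the article or from Socket: it lists npm packages that declare install-time scripts (flagging ones whose command looks like it fetches or evaluates code), .cursorrules and CLAUDE.md files that the project owner did not expect, vendored crates that carry a build.rs, and active Git hooks. The hook names, the regular expression and the directory layout it assumes (node_modules/, a cargo vendor/ directory, .git/hooks/) are this example's own choices.

```python
"""Audit a project checkout for the install-time execution paths and persistence
artifacts described in the TrapDoor write-up.

Added example, not the article's or Socket's code. The lifecycle hook names, the
REMOTE_EXEC heuristic and the directory layout are this example's own assumptions.
"""
import json
import os
import re

# npm runs these scripts automatically during install; the article names postinstall.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic: the install script fetches or evaluates code rather than building locally.
REMOTE_EXEC = re.compile(r"node\s+-e|curl\s|wget\s|https?://|child_process|eval\(", re.I)
# Files the article reports being planted with hidden instructions for AI assistants.
AI_INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}


def npm_lifecycle_hooks(root):
    """Packages under node_modules/ that declare install-time scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue                               # unreadable or not JSON: skip
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_SCRIPTS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append({"package": pkg.get("name", os.path.basename(dirpath)),
                                 "hook": hook, "command": cmd,
                                 "remote_exec": bool(REMOTE_EXEC.search(cmd))})
    return findings


def ai_instruction_files(root, expected=()):
    """.cursorrules / CLAUDE.md files under root (node_modules included) not on the expected list."""
    expected = {os.path.normpath(p) for p in expected}
    found = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != ".git"]  # git metadata never holds project files
        for name in files:
            if name in AI_INSTRUCTION_FILES:
                rel = os.path.normpath(os.path.relpath(os.path.join(dirpath, name), root))
                if rel not in expected:
                    found.append(rel)
    return sorted(found)


def crate_build_scripts(vendor_dir):
    """Vendored crates shipping a build.rs, which cargo compiles and runs before the crate itself."""
    if not os.path.isdir(vendor_dir):
        return []
    return sorted(name for name in os.listdir(vendor_dir)
                  if os.path.isfile(os.path.join(vendor_dir, name, "build.rs")))


def git_hooks(root):
    """Active hooks in .git/hooks; the *.sample files git creates are inert and ignored."""
    hooks_dir = os.path.join(root, ".git", "hooks")
    if not os.path.isdir(hooks_dir):
        return []
    return sorted(name for name in os.listdir(hooks_dir)
                  if not name.endswith(".sample") and os.path.isfile(os.path.join(hooks_dir, name)))


def audit(root, expected_ai_files=()):
    """Run every check; the reviewer compares the result with what the project is known to contain."""
    return {
        "npm_hooks": npm_lifecycle_hooks(root),
        "ai_instruction_files": ai_instruction_files(root, expected_ai_files),
        "crate_build_scripts": crate_build_scripts(os.path.join(root, "vendor")),
        "git_hooks": git_hooks(root),
    }


if __name__ == "__main__":
    import pprint
    import sys
    pprint.pprint(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

None of these findings is malicious on its own: many legitimate packages use postinstall, and build.rs is ordinary for crates with native code. The value is in the diff against a known-good baseline of the same project, which is why the functions return structured data rather than a verdict.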

For a comprehensive overview of the identified packages, refer to the source: thehackernews.com.
