TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

Ravie LakshmananMay 25, 2026Supply Chain Attack / Malware

A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware.

The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of accounts in quick succession.

"TrapDoor targets developers in crypto, DeFi, Solana, and AI communities," Socket said. "The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables."

"Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH."

It's worth noting that the activity has no connection to another campaign of the same name that HUMAN's Satori Threat Intelligence and Research Team detailed last week as engaging in ad fraud by distributing 455 Android apps through the Google Play Store.

The list of identified packages is below -

Crates.io move-analyzer-build move-compiler-tools move-project-builder sui-framework-helpers sui-move-build-helper sui-sdk-build-utils npm async-pipeline-builder build-scripts-utils chain-key-validator crypto-credential-scanner defi-env-auditor defi-threat-scanner deployment-key-auditor dev-env-bootstrapper eth-wallet-sentinel llm-context-compressor mnemonic-safety-check model-switch-router node-setup-helpers project-init-tools prompt-engineering-toolkit solidity-deploy-guard token-usage-tracker wallet-backup-verifier wallet-security-checker web3-secrets-detector workspace-config-loader PyPI cryptowallet-safety data-pipeline-check defi-risk-scanner env-loader-cli eth-security-auditor git-config-sync solidity-build-guard

The operation is notable for its diverse delivery paths, using postinstall hooks, remote JavaScript payloads that are executed during package imports, and malicious build.rs scripts to target Sui and Move developers. The packages masquerade as seemingly harmless tools, giving attackers the ability to reach a broad audience.

The npm packages have been found to run a JavaScript payload ("trap-core.js"), which scans for credentials and developer secrets, validates stolen credentials using AWS and GitHub API calls, and creates persistence on the host using cron jobs, systemd services, Git hooks, and moves across the network via SSH.

The Rust crates, in a similar fashion, search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. The packages are also noteworthy for the use of a build script ("build.rs") to trigger the execution of the malicious code.

The Python packages associated with TrapDoor are designed such that they are auto-executed on import. The primary goal of the packages is to download JavaScript from an attacker-controlled GitHub Pages domain ("ddjidd564.github[.]io"), and run it using "node -e."

"This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication," Socket explained. "By hosting the payload externally, the attacker can update behavior without publishing a new PyPI release."

An unusual aspect of the campaign is the implanting of .cursorrules and CLAUDE.md containing hidden instructions to trick artificial intelligence (AI) assistants into running a "security scan" that results in secret discovery and exfiltration. This is achieved by opening GitHub pull requests (PRs) across popular AI and developer projects, including "browser-use/browser-use," "langchain-ai/langchain," and "langflow-ai/langflow."

The PR activity indicates that TrapDoor extends beyond pushing malicious packages to open-source ecosystems. Socket said the threat actor is likely testing whether AI-related project files can be introduced through regular open-source contribution workflows, thereby causing AI coding tools to parse those hidden instructions and apply them.

The findings once again demonstrate how threat actors are increasingly targeting developer workflows, aiming to steal a wide range of information that could make it possible to burrow deeper into target environments for follow-on attacks.

"TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths," Socket said. "The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SHARE    

Tweet Share Share Share

SHARE  artificial intelligence, Cloud security, cybersecurity, Malware, NPM, Open Source, PyPI, Supply Chain Attack

⚡ Top Stories This Week

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

The New Phishing Click: How OAuth Consent Bypasses MFA

Developer Workstations Are Now Part of the Software Supply Chain

⭐ Featured Resources

Claim ANY.RUN Anniversary Offer for Faster Malware Analysis

[Guide] Learn to Detect AI Typosquatting Risks in Your Domain

[Guide] Get Key Identity Security Insights From 2026 Snapshot

Discover How to Navigate the Era of Constant Cyber Exposure

Cybersecurity Webinars

With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register

Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register

⚡ Latest News

Cybersecurity Resources

AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as Fast as AIAI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk ManagementLead the future of cybersecurity risk management with an online Master’s from Georgetown.

Expert Insights Articles Videos

You Can't Patch Your Way Out of This One

May 25, 2026 Read ➝

How to Test Ransomware Recovery Without Reinfecting Your Environment

May 25, 2026 Read ➝

The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans

May 25, 2026 Read ➝

7 Signs Your Organization Is Vulnerable to Business Email Compromise

May 18, 2026 Read ➝

Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.