The Hacker News
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
A new, coordinated cross-ecosystem software supply chain campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware.
Referred to as TrapDoor, the campaign encompasses over 34 malicious packages across more than 384 distinct versions. The earliest recorded activity occurred on May 22, 2026, at 8:20 p.m. UTC, with a series of new packages being published in rapid succession from a cluster of accounts.
According to analysis from Socket, "TrapDoor primarily focuses on developers in the crypto, DeFi, Solana, and AI sectors." The malicious packages are built to steal sensitive information such as developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.
Certain npm packages utilize a shared malicious payload, known as trap-core.js, which scans for credentials, validates AWS and GitHub tokens, executes SSH-based lateral movement, and establishes persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron jobs, and SSH configurations.
It is essential to clarify that this ongoing activity bears no relation to a different campaign under the same name that was involved in ad fraud through the distribution of 455 Android apps on the Google Play Store.
Identified Malicious Packages
Crates.io
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
npm
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
PyPI
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
Attack Mechanisms
This operation is distinguished by its multifaceted delivery methods, employing postinstall hooks, remote JavaScript payloads that execute upon package import, and malicious build.rs scripts aimed at Sui and Move developers. The packages are disguised as innocuous tools, thereby enabling attackers to extend their reach to a broad audience.
The npm packages execute a JavaScript payload ("trap-core.js") that scans for credentials and developer secrets, validates stolen credentials through AWS and GitHub API calls, and establishes persistence on the host through cron jobs, systemd services, and Git hooks, while also performing lateral movement via SSH.
The Rust crates actively search for local keystores, encrypt the data with a hardcoded XOR key, and exfiltrate the information to GitHub Gists. The execution of the malicious code is triggered through a build script ("build.rs").
The Python packages are designed to execute automatically on import. Their main purpose is to download JavaScript from an attacker-controlled domain ("ddjidd564.github[.]io") and run it using "node -e".
"This technique empowers the Python package to delegate execution to a remote JavaScript payload, granting the attacker enhanced flexibility post-publication," Socket elucidated. "By externally hosting the payload, the attacker retains the capability to alter functionality without necessitating the release of a new version on PyPI."
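Two of the delivery paths described in this section, npm lifecycle scripts and Cargo build scripts, can be inventoried before a dependency tree is trusted. The following is an added example, not code from Socket or the original article: it lists installed npm packages that declare install-time scripts and crate source directories that carry a build script. The function names and directory layout arguments are assumptions.

```python
"""Added example (not from the article): list dependencies that run code at install or build time."""
import json
import re
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall")  # lifecycle scripts npm runs on install

def npm_install_hooks(node_modules):
    """Return {package: {hook: command}} for installed packages with install-time scripts."""
    found = {}
    for manifest in Path(node_modules).rglob("package.json"):
        pkg = manifest.parent
        # Keep only package roots: node_modules/<name> or node_modules/@scope/<name>.
        root = pkg.parent.parent if pkg.parent.name.startswith("@") else pkg.parent
        if root.name != "node_modules":
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = meta.get("scripts") if isinstance(meta, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in NPM_HOOKS if h in scripts}
        if hooks:
            found[str(meta.get("name", pkg.name))] = hooks
    return found

def crates_with_build_script(crates_dir):
    """Return crate directories (e.g. from `cargo vendor`) that ship a build script."""
    flagged = []
    for crate in sorted(Path(crates_dir).iterdir()):
        manifest = crate / "Cargo.toml"
        if not manifest.is_file():
            continue
        text = manifest.read_text(encoding="utf-8", errors="replace")
        # Cargo runs build.rs by default; `build = "path"` points at a custom script.
        custom = re.search(r'^\s*build\s*=\s*"', text, re.M)
        if custom or (crate / "build.rs").is_file():
            flagged.append(crate.name)
    return flagged
```

Installing with `npm ci --ignore-scripts` keeps the npm hooks from running at all; the inventory then shows which packages need their scripts reviewed before being run deliberately.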
AI-Assisted Attack Techniques
A striking feature of this campaign is the use of .cursorrules and CLAUDE.md files containing concealed instructions intended to mislead artificial intelligence (AI) assistants into performing a "security scan" that ultimately discovers and exfiltrates secrets. These files were pushed through GitHub pull requests (PRs) submitted to prominent AI and developer projects, including "browser-use/browser-use," "langchain-ai/langchain," and "langflow-ai/langflow."
The activity surrounding these PR submissions suggests that TrapDoor's scope extends beyond merely distributing malicious packages to open-source ecosystems. Socket indicated that the threat actor is likely experimenting with the potential for integrating AI-related project files via standard open-source contribution processes, thus enabling AI coding tools to parse and respond to those hidden directives.
Broader Implications
These findings underscore the increasing trend of threat actors targeting developer workflows with the intent to harvest a wide array of information, which could facilitate further intrusions into targeted environments for subsequent attacks.
"TrapDoor exemplifies how attackers are fusing traditional package typosquatting methodologies with innovative attack vectors tailored to developers' environments," noted Socket. "The package names are intentionally crafted to appear relevant to crypto development, AI tools, local environment setups, and security practices. The malware subsequently leverages ecosystem-specific execution methods: build.rs for Rust, postinstall hooks for npm, and import-time execution for Python."