TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

A recently identified coordinated cross-ecosystem software supply chain attack, designated TrapDoor, has successfully targeted npm, PyPI, and Crates.io to disseminate credential-stealing malware.

This campaign encompasses more than 34 malicious packages spanning over 384 different versions, with the first signs of activity detected on May 22, 2026, at 8:20 p.m. UTC. New packages have been introduced to the respective ecosystems in rapid succession from a series of accounts.

According to security firm Socket, "TrapDoor specifically focuses on developers operating in the crypto, DeFi, Solana, and AI sectors." The malicious packages are engineered to extract sensitive information such as developer credentials, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.

In particular, multiple npm packages deploy a shared payload known as trap-core.js, which performs credential scanning, validates AWS and GitHub tokens, attempts lateral movement via SSH, and establishes persistence through various methods including .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron jobs, and SSH.

It's essential to clarify that this activity is unrelated to another campaign of the same name known for engaging in ad fraud through the distribution of 455 Android applications via the Google Play Store.

Identified Malicious Packages

Crates.io

• move-analyzer-build
• move-compiler-tools
• move-project-builder
• sui-framework-helpers
• sui-move-build-helper
• sui-sdk-build-utils

npm

• async-pipeline-builder
• build-scripts-utils
• chain-key-validator
• crypto-credential-scanner
• defi-env-auditor
• defi-threat-scanner
• deployment-key-auditor
• dev-env-bootstrapper
• eth-wallet-sentinel
• llm-context-compressor
• mnemonic-safety-check
• model-switch-router
• node-setup-helpers
• project-init-tools
• prompt-engineering-toolkit
• solidity-deploy-guard
• token-usage-tracker
• wallet-backup-verifier
• wallet-security-checker
• web3-secrets-detector
• workspace-config-loader

PyPI

• cryptowallet-safety
• data-pipeline-check
• defi-risk-scanner
• env-loader-cli
• eth-security-auditor
• git-config-sync
• solidity-build-guard

Attack Mechanisms

The TrapDoor operation is notable for its multifaceted delivery methods, utilizing postinstall hooks, remote JavaScript payloads that execute upon package imports, and malicious build.rs scripts targeting Sui and Move developers. These packages are designed to appear innocuous, thereby enabling attackers to target a broad audience of developers.

The npm packages, in particular, are programmed to run a JavaScript payload ("trap-core.js") that scans for confidential data and developer secrets, validates stolen information using AWS and GitHub APIs, and achieves persistence on the host via cron jobs, systemd services, Git hooks, and SSH movements.

Similarly, the Rust crates employ methods to search for local keystores, encrypt the collected data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. Notably, they utilize a build script ("build.rs") to initiate the execution of malicious code.

The Python packages associated with TrapDoor are crafted so that they automatically execute upon import. Their primary objective is to fetch JavaScript from an attacker-controlled GitHub Pages domain ("ddjidd564.github[.]io") and execute it using "node -e."

"This mechanism permits the Python package to delegate execution to an external JavaScript payload, granting the attacker increased flexibility post-publication," Socket observed. "By hosting the payload externally, the attacker can modify its behavior without necessitating a new PyPI release."

AI-Focused Attack Path

A distinctive feature of this campaign involves the insertion of .cursorrules and CLAUDE.md that contain covert instructions designed to manipulate artificial intelligence (AI) assistants into executing a "security scan," culminating in the discovery and exfiltration of confidential information. This technique is implemented by initiating GitHub pull requests (PRs) across notable AI and developer projects, such as "browser-use/browser-use," "langchain-ai/langchain," and "langflow-ai/langflow."

The activity surrounding these PRs signifies that TrapDoor's scope extends beyond merely pushing harmful packages into open-source ecosystems. According to Socket, the threat actor is likely exploring ways to introduce malicious files into AI-related projects through standard open-source contribution processes, thereby allowing AI coding tools to parse and act upon these concealed instructions.

Threat Assessment

The discoveries reemphasize the growing trend of threat actors targeting developer workflows with the intent to harvest a wide array of sensitive data that could facilitate deeper infiltrations into targeted environments for subsequent attacks.

"TrapDoor illustrates how attackers are merging traditional package typosquatting techniques with contemporary developer-environment attack vectors," Socket remarked. "The package names are meticulously crafted to resonate with crypto development, AI tools, local environment configuration, and security workflows. The malware exploits ecosystem-specific execution methods: build.rs within Rust, postinstall hooks in npm, and execution upon import in Python."