A coordinated cross-ecosystem attack targets developers with malicious packages designed to steal credentials and establish persistence through multiple techniques.
A sophisticated new supply chain campaign, codenamed TrapDoor, is actively targeting developers across npm, PyPI, and Crates.io with credential-stealing malware. The campaign spans more than 34 malicious packages published across over 384 versions, demonstrating a coordinated effort to compromise developer environments across multiple ecosystems.
"TrapDoor targets developers in crypto, DeFi, Solana, and AI communities," explained researchers at Socket, who first identified the campaign. "The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables."
The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published in waves from a cluster of accounts in quick succession. This pattern suggests a well-organized operation rather than opportunistic attacks.

Diverse Attack Techniques Across Ecosystems
The campaign employs different techniques tailored to each ecosystem:
- npm packages use postinstall hooks to execute a shared JavaScript payload ("trap-core.js") that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and establishes persistence through multiple mechanisms, including .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.
- Rust crates on Crates.io search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. They also use build.rs scripts to trigger malicious code execution.
- Python packages on PyPI are designed to auto-execute on import, downloading JavaScript from an attacker-controlled GitHub Pages domain ("ddjidd564.github[.]io") and running it with "node -e". This technique allows attackers to update behavior without publishing new PyPI releases.
AI-Assisted Attack Vector
An unusual aspect of the campaign involves implanting .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI assistants into running "security scans" that result in secret discovery and exfiltration.
The attackers have opened GitHub pull requests across popular AI and developer projects, including "browser-use/browser-use," "langchain-ai/langchain," and "langflow-ai/langflow." This suggests TrapDoor extends beyond pushing malicious packages to attempting manipulation of AI coding tools themselves.
"The PR activity indicates that the threat actor is likely testing whether AI-related project files can be introduced through regular open-source contribution workflows, thereby causing AI coding tools to parse those hidden instructions and apply them," Socket researchers noted.
Full List of Identified Malicious Packages
The comprehensive list of identified packages across all ecosystems includes:
Crates.io:
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
npm:
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
PyPI:
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
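To check a source tree against the names above, the following added example (not Socket's tooling and not code from the campaign) parses every package.json, requirements.txt and Cargo.toml under a directory and reports declared dependencies that match. LISTED, DEP_KEYS, norm, declared and find_listed are names chosen for this example, and comparing names case-insensitively with "-", "_" and "." treated as equal is an assumption applied to all three registries.

```python
import contextlib, json, re
from pathlib import Path
# Names copied from the article's list; every identifier below belongs to this example.
LISTED = {
    "crates.io": """move-analyzer-build move-compiler-tools move-project-builder
        sui-framework-helpers sui-move-build-helper sui-sdk-build-utils""",
    "npm": """async-pipeline-builder build-scripts-utils chain-key-validator crypto-credential-scanner
        defi-env-auditor defi-threat-scanner deployment-key-auditor dev-env-bootstrapper
        eth-wallet-sentinel llm-context-compressor mnemonic-safety-check model-switch-router
        node-setup-helpers project-init-tools prompt-engineering-toolkit solidity-deploy-guard
        token-usage-tracker wallet-backup-verifier wallet-security-checker web3-secrets-detector
        workspace-config-loader""",
    "pypi": """cryptowallet-safety data-pipeline-check defi-risk-scanner env-loader-cli
        eth-security-auditor git-config-sync solidity-build-guard""",
}
DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")

def norm(name):
    # Case-insensitive; runs of "-", "_" and "." compare equal (PyPI's rule, used for all).
    return re.sub(r"[-_.]+", "-", name).lower()
BAD = {eco: {norm(n) for n in names.split()} for eco, names in LISTED.items()}

def declared(path):
    """Yield (ecosystem, name) for every dependency one manifest declares."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.name == "package.json":
        doc = json.loads(text)
        yield from (("npm", n) for key in DEP_KEYS for n in doc.get(key) or {})
    elif path.name == "requirements.txt":
        names = re.findall(r"^[ \t]*([A-Za-z0-9][A-Za-z0-9._-]*)", text, re.M)
        yield from (("pypi", n) for n in names)
    else:  # Cargo.toml: keys of [*dependencies] tables and [*dependencies.<name>] headers
        section = ""
        for line in map(str.strip, text.splitlines()):
            if line.startswith("["):
                section = line.strip("[]")
                m = re.search(r"dependencies\.([\w-]+)$", section)
            else:
                m = section.endswith("dependencies") and re.match(r'"?([\w-]+)"?\s*=', line)
            if m: yield "crates.io", m.group(1)

def find_listed(root):
    """Sorted (ecosystem, declared name, manifest path) for each listed package under root."""
    hits = set()
    for path in Path(root).rglob("*"):
        if path.name in ("package.json", "requirements.txt", "Cargo.toml"):
            with contextlib.suppress(ValueError, AttributeError, OSError):  # bad manifest
                hits |= {(e, n, path.relative_to(root).as_posix())
                         for e, n in declared(path) if norm(n) in BAD[e]}
    return sorted(hits)
```

Calling find_listed on a checkout that still contains node_modules also covers transitive npm dependencies, because each installed package's own package.json is parsed.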
Implications for Developer Security
The TrapDoor campaign highlights how attackers are increasingly targeting developer workflows as part of the software supply chain. "TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths," Socket researchers explained. "The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows."
For developers, this campaign underscores the importance of:
- Verifying package authenticity and publisher reputation before installation
- Regularly auditing dependencies in projects
- Implementing code review processes for all package additions
- Monitoring for unusual file modifications like .cursorrules or CLAUDE.md
- Using credential managers and avoiding storing secrets in environment variables
- Implementing network segmentation to limit lateral movement
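Two of these checks can be automated per repository, shown here as an added example that is not from Socket or the article: listing installed npm packages that declare install-time scripts (the postinstall trigger described earlier), and detecting new or changed .cursorrules, CLAUDE.md and Git hook files against a stored hash baseline. The function names and the ".watch-baseline.json" file are assumptions of this example.

```python
import hashlib, json
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")  # npm scripts run during install
WATCHED = (".cursorrules", "CLAUDE.md")               # AI instruction files named above

def install_hooks(root):
    """Map each package under node_modules to the install-time scripts it declares."""
    found = {}
    for manifest in Path(root).glob("node_modules/**/package.json"):
        try:
            doc = json.loads(manifest.read_text(encoding="utf-8"))
            hooks = {k: v for k, v in doc.get("scripts", {}).items() if k in LIFECYCLE}
        except (ValueError, AttributeError, OSError):
            continue  # malformed or unreadable manifest
        if hooks:
            found[doc.get("name", manifest.parent.name)] = hooks
    return found

def snapshot(root):
    """SHA-256 of each watched file and each live Git hook below root."""
    root = Path(root)
    paths = [p for p in root.rglob("*") if p.name in WATCHED]
    paths += [p for p in root.glob(".git/hooks/*") if p.suffix != ".sample"]
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in paths if p.is_file()}

def drift(baseline, current):
    """Paths that are new or whose content changed since the baseline snapshot."""
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    base_file = Path(root, ".watch-baseline.json")    # hypothetical baseline location
    base = json.loads(base_file.read_text()) if base_file.exists() else {}
    now = snapshot(root)
    print("install-time scripts:", json.dumps(install_hooks(root), indent=2))
    print("new or changed since baseline:", drift(base, now))
    if not base_file.exists():                        # first run records the baseline
        base_file.write_text(json.dumps(now, indent=2))
```

Take the baseline before installing dependencies and keep a copy outside the working tree, since anything that runs during an install can write to files inside it.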
The findings demonstrate a concerning evolution in supply chain attacks, with threat actors developing increasingly sophisticated methods to compromise developer environments and steal valuable credentials that could enable deeper access to target systems.
Developers and security teams should remain vigilant and consider implementing additional security controls around package management and developer environments to mitigate the risks posed by campaigns like TrapDoor.
