TrapDoor: a new supply chain attack via npm, PyPI, and Crates.io

A newly identified, coordinated software supply chain attack campaign has targeted multiple package ecosystems. The campaign affects npm, PyPI, and Crates.io and is being used to distribute malware designed to steal credentials.

The campaign, tracked under the codename TrapDoor, includes more than 34 malicious packages released across over 384 versions. The earliest known activity was observed on May 22, 2026, at 8:20 p.m. UTC. New packages were then published to the affected ecosystems in waves, with a cluster of accounts releasing them in rapid succession.

According to Socket, TrapDoor is aimed at developers working in crypto, DeFi, Solana, and AI-related communities. The malicious packages are built to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.

Socket also reported that several npm packages deploy a shared payload named trap-core.js. This payload searches for credentials, checks AWS and GitHub tokens, attempts lateral movement over SSH, and establishes persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.

It is important to note that this activity is unrelated to another campaign with the same name. That separate campaign was described last week by HUMAN’s Satori Threat Intelligence and Research Team. It involved ad fraud through the distribution of 455 Android apps via the Google Play Store.

The list of identified packages is below:

Crates.io
  • move-analyzer-build
  • move-compiler-tools
  • move-project-builder
  • sui-framework-helpers
  • sui-move-build-helper
  • sui-sdk-build-utils
npm
  • async-pipeline-builder
  • build-scripts-utils
  • chain-key-validator
  • crypto-credential-scanner
  • defi-env-auditor
  • defi-threat-scanner
  • deployment-key-auditor
  • dev-env-bootstrapper
  • eth-wallet-sentinel
  • llm-context-compressor
  • mnemonic-safety-check
  • model-switch-router
  • node-setup-helpers
  • project-init-tools
  • prompt-engineering-toolkit
  • solidity-deploy-guard
  • token-usage-tracker
  • wallet-backup-verifier
  • wallet-security-checker
  • web3-secrets-detector
  • workspace-config-loader
PyPI
  • cryptowallet-safety
  • data-pipeline-check
  • defi-risk-scanner
  • env-loader-cli
  • eth-security-auditor
  • git-config-sync
  • solidity-build-guard

The operation stands out because it uses several different delivery methods. These include postinstall hooks, remote JavaScript payloads executed during package imports, and malicious build.rs scripts aimed at Sui and Move developers. The packages present themselves as seemingly harmless tools, which allows the attackers to reach a wide range of potential targets.

The npm packages were found to execute a JavaScript payload called trap-core.js.

This payload scans for credentials and developer secrets. It also validates stolen credentials through AWS and GitHub API calls. In addition, it creates persistence on the host through cron jobs, systemd services, and Git hooks. It can also move across the network through SSH.

The Rust crates follow a similar pattern.

They search for local keystores, encrypt the collected data with a hardcoded XOR key, and exfiltrate it to GitHub Gists. These packages are also notable because they use a build script, build.rs, to trigger execution of the malicious code.

The Python packages linked to TrapDoor are designed to execute automatically when imported.

Their main purpose is to download JavaScript from an attacker-controlled GitHub Pages domain, ddjidd564.github[.]io. The downloaded code is then executed with the command node -e.

Socket explained that this approach allows a Python package to hand off execution to a remote JavaScript payload. This gives the attacker more flexibility after the package has already been published. By hosting the payload externally, the attacker can modify its behavior without releasing a new version on PyPI.

One unusual element of the campaign is the use of .cursorrules and CLAUDE.md files containing hidden instructions. These instructions are designed to manipulate artificial intelligence assistants into running a “security scan” that leads to the discovery and exfiltration of secrets. This is carried out by opening GitHub pull requests across popular AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow.

The pull request activity suggests that TrapDoor goes beyond publishing malicious packages to open-source ecosystems. According to Socket, the threat actor is likely testing whether AI-related project files can be introduced through normal open-source contribution workflows. If successful, AI coding tools may parse the hidden instructions and apply them.

Final Thoughts

The findings once again show that threat actors are increasingly focusing on developer workflows. Their goal is to steal a broad range of information that could allow them to move deeper into target environments and prepare follow-on attacks.

Socket assessed that TrapDoor demonstrates how attackers are combining traditional package typosquatting with newer attack paths targeting developer environments. The package names are crafted to look relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then relies on execution methods specific to each ecosystem: build.rs in Rust, postinstall hooks in npm, and execution during import in Python.

Sourse

Request a free Mend.io trial to detect malicious packages



    Subscribe to news