TrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI, CratesIO

May 25, 2026

A new coordinated cross-ecosystem software supply chain attack campaign targets npm, PyPI, and Crates.io and distributes credential-stealing malware.

The campaign, codenamed “TrapDoor,” spans over 34 malicious packages across over 384 versions. The oldest activity was recorded on May 22, 2026 at 8:20 PM UTC, when new packages were published to the ecosystem from a cluster of accounts in quick succession.

“TrapDoor targets developers in the crypto, DeFi, Solana, and AI communities,” Socket said. “The malicious package is designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.”

“Some npm packages also deploy a shared payload, trap-core.js, that scans credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and establishes persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.”

It is worth noting that this activity is unrelated to another campaign of the same name, detailed last week by HUMAN’s Satori Threat Intelligence and Investigations team, that committed ad fraud through 455 Android apps distributed via the Google Play Store.

The list of identified packages is below:

Crates.io
  • move-analyzer-build
  • move-compiler-tools
  • move-project-builder
  • sui-framework-helpers
  • sui-move-build-helper
  • sui-sdk-build-utils

npm
  • async-pipeline-builder
  • build-scripts-utils
  • chain-key-validator
  • crypto-credential-scanner
  • defi-env-auditor
  • defi-threat-scanner
  • Deployment Key Audit Audit
  • dev-env-bootstrapper
  • eth-wallet-sentinel
  • llm-context-compressor
  • Mnemonic Safety Check
  • Model Switch Router
  • Node Setup Helper
  • Project Initialization Tool
  • Prompt Engineering Toolkit
  • Solidity Deployment Guard
  • Token Usage Tracker
  • Wallet Backup Verifier
  • Wallet Security Checker
  • web3-secrets-detector
  • workspace-config-loader

PyPI
  • cryptowallet-safety
  • data-pipeline-check
  • defi-risk-scanner
  • env-loader-cli
  • eth-security-auditor
  • git-config-sync
  • Solidity-build-guard

The operation is notable for its diverse delivery paths: npm post-installation hooks, remote JavaScript payloads executed when a Python package is imported, and malicious build.rs scripts aimed at Sui and Move developers. Each package poses as a seemingly harmless tool, which lets the attackers reach a wide audience.

The npm packages execute a JavaScript payload (trap-core.js) that scans for credentials and developer secrets, validates the stolen credentials through AWS and GitHub API calls, establishes persistence on the host via cron jobs, systemd services, and Git hooks, and attempts to move laterally over SSH.

The Rust crates search local keystores in a similar manner, XOR-encrypt the collected data with a hardcoded key, and exfiltrate it to GitHub Gists. They are also notable for using a Cargo build script (build.rs), which runs the malicious code at build time.

The Python packages associated with TrapDoor run automatically on import. Their main purpose is to download JavaScript from an attacker-controlled GitHub Pages domain (ddjidd564.github[.]io) and execute it with “node -e”.

“This technique allows a Python package to delegate execution to a remote JavaScript payload, giving attackers flexibility after publication,” Socket explained. “By hosting the payload externally, an attacker can update the behavior without publishing a new PyPI release.”

What is unusual about this campaign is that it ships .cursorrules and CLAUDE.md files containing hidden instructions that trick artificial intelligence (AI) coding assistants into performing “security scans” that end in the discovery and exfiltration of secrets. The attacker has also opened GitHub pull requests (PRs) carrying these files against popular AI and developer projects such as “browser-use/browser-use”, “langchain-ai/langchain”, and “langflow-ai/langflow”.

The PR activity shows that TrapDoor does more than push malicious packages into the open source ecosystem. Socket said the attacker is likely testing whether AI-related project files can be introduced through normal open source contribution workflows, allowing AI coding tools to parse and apply these hidden instructions.

The findings demonstrate once again that attackers increasingly target developer workflows, aiming to steal a broad range of information that could let them penetrate deeper into the target environment in follow-on attacks.

“TrapDoor shows how attackers are combining traditional package typosquatting with new developer environment attack vectors,” Socket said. “Package names are tailored to be relevant to crypto development, AI tools, local environment setup, and security workflows. The malware uses ecosystem-specific execution paths: Rust’s build.rs, npm’s postinstall hooks, and Python’s run-on-import.”
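As a defender-side check (an added example, not code from the article or from Socket), the following Python audits a project's package.json, requirements.txt and Cargo.toml for the package names listed above and flags npm lifecycle scripts that fetch or evaluate code at install time, the execution path the article describes. Only the hyphenated registry-style names from the list are included; the npm entries the page shows as display names are omitted rather than guessed.

```python
import json
import re
# Registry-style package names the article attributes to TrapDoor, by ecosystem.
# npm entries the page shows only as display names ("Mnemonic Safety Check") are omitted.
TRAPDOOR = {
    "npm": {"async-pipeline-builder", "build-scripts-utils", "chain-key-validator",
            "crypto-credential-scanner", "defi-env-auditor", "defi-threat-scanner",
            "dev-env-bootstrapper", "eth-wallet-sentinel", "llm-context-compressor",
            "web3-secrets-detector", "workspace-config-loader"},
    "pypi": {"cryptowallet-safety", "data-pipeline-check", "defi-risk-scanner", "env-loader-cli",
             "eth-security-auditor", "git-config-sync", "solidity-build-guard"},
    "crates": {"move-analyzer-build", "move-compiler-tools", "move-project-builder",
               "sui-framework-helpers", "sui-move-build-helper", "sui-sdk-build-utils"},
}
LIFECYCLE = ("preinstall", "install", "postinstall")
# Install-time commands that fetch or evaluate code the manifest itself does not contain.
REMOTE_EXEC = re.compile(r"\bnode\s+-e\b|\bcurl\b|\bwget\b|base64\s+(?:-d|--decode)")
def norm(name):
    # PyPI treats '-', '_', '.' as equivalent and names as case-insensitive; apply everywhere.
    return re.sub(r"[-_.]+", "-", name).lower()
def known_bad(ecosystem, names):
    return [n for n in names if norm(n) in TRAPDOOR[ecosystem]]

def audit_package_json(text):
    pkg = json.loads(text)
    deps = list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))
    hits = [f"npm:{n} is a reported TrapDoor package" for n in known_bad("npm", deps)]
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE and REMOTE_EXEC.search(cmd):
            hits.append(f"{hook} script runs remote/inline code: {cmd}")
    return hits

def requirement_names(text):
    # First token of each non-comment line, cut at version, extras or marker syntax.
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.append(re.split(r"[<>=!~\[;@ ]", line, maxsplit=1)[0])
    return names

def cargo_dependency_names(text):
    # Keys under any [*dependencies] table, including [build-dependencies].
    names, table = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            table = line.strip("[]")
        elif table.endswith("dependencies") and "=" in line:
            names.append(line.split("=", 1)[0].strip().strip('"'))
    return names
```

Run `known_bad("pypi", requirement_names(open("requirements.txt").read()))` and the Cargo equivalent to check the other two manifests; a hit on a lifecycle script is a prompt to read the script, not proof of compromise.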
