TrapDoor Supply Chain Attack Targets npm, PyPI, and Crates.io, Steals Credentials, Crypto
Published
Key Takeaways
- Multi-Registry Campaign: A supply chain attack tracked as TrapDoor targets developers via npm, PyPI, and Crates.io packages.
- Extensive Credential Theft: The malware steals SSH keys, crypto wallets, and cloud credentials.
- Coordinated Execution Paths: Attackers use ecosystem-specific scripts to deploy malicious payloads.
A widespread supply chain attack dubbed TrapDoor targets the npm, PyPI, and Crates.io registries, involving over 34 malicious packages and more than 384 related versions and artifacts. The earliest observed instance was the PyPI package eth-security-auditor 0.1.0, uploaded on May 22, 2026, at 20:20:18 UTC.
The TrapDoor crypto stealer campaign specifically targets developers operating within the crypto, DeFi, Solana, and AI communities.
Comprehensive Developer Data Theft
The malicious packages are engineered to extract highly sensitive local developer data, Socket researchers have identified. The malware harvests:
- browser profile data,
- browser login databases,
- crypto wallet extension data,
- environment variables,
- API keys,
- local development configuration files
- SSH keys,
- Sui, Solana, and Aptos wallet data,
- AWS credentials,
- GitHub tokens.
The campaign attempts SSH-based lateral movement and persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.
The attacker-controlled GitHub Pages repository contains a supposed playbook. “The document should not be treated as a one-to-one list of confirmed runtime behavior,” the report advises, adding that the description calls it a partially implemented design document.
The threat actor orchestrates this campaign using the GitHub account ddjidd564 and opens pull requests against multiple AI and developer tooling projects, including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands.
“The GitHub activity shows signs of rapid, AI-assisted-style iteration,” the report says, such as:
- broad security-themed scaffolding,
- generic lure repositories,
- prompt-injection documentation,
- partially implemented extraction concepts mixed with working malware components.
Ecosystem-Specific Execution Mechanisms
To deploy the malware efficiently, the attackers utilize tailored execution paths for each targeted registry. The npm packages rely on postinstall hooks to trigger a shared payload named trap-core.js.
The PyPI packages are configured to execute remote JavaScript payloads immediately upon import. Meanwhile, the Crates.io packages deploy malicious build.rs scripts that specifically target Sui and Move developers during the compilation process.
Socket has classified all identified TrapDoor campaign packages as malicious and formally reported the infrastructure and artifacts to the affected package registries.
In other recent news, the compromised art-template npm package was seen delivering a Corona-like iOS exploit.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular