A fresh, coordinated software supply chain attack campaign has struck three major package repositories—npm, PyPI, and Crates.io—to spread malware designed to harvest sensitive credentials.
Dubbed TrapDoor, the operation involves more than 34 malicious packages spread across over 384 versions. The first signs of activity appeared on May 22, 2026, at 8:20 p.m. UTC, with batches of packages uploaded rapidly from a group of linked accounts.
“TrapDoor focuses on developers working in crypto, DeFi, Solana, and AI communities,” Socket reported. “The rogue packages aim to pilfer developer secrets, cryptocurrency wallets, SSH keys, cloud credentials, browser data, and environment variables.”
“Several npm packages also deliver a common payload called trap-core.js, which hunts for credentials, verifies AWS and GitHub tokens, tries to move laterally through SSH, and establishes persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.”
It’s important to note that this campaign is unrelated to a separate operation with the same name that HUMAN’s Satori Threat Intelligence and Research Team described last week, which involved ad fraud through 455 Android apps distributed via the Google Play Store.
Below is the full list of identified packages –
-
Crates.io
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
-
npm
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
-
PyPI
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
The campaign stands out for its varied infection methods, leveraging postinstall hooks, remote JavaScript payloads triggered during package imports, and malicious build.rs scripts aimed at Sui and Move developers. The packages disguise themselves as ordinary utilities, enabling attackers to cast a wide net.
The npm packages execute a JavaScript payload (“trap-core.js”) that searches for credentials and developer secrets, checks the validity of stolen credentials through AWS and GitHub API calls, and sets up persistence on the compromised machine using cron jobs, systemd services, Git hooks, and spreads across the network via SSH.
Similarly, the Rust crates scan for local keystores, encrypt the harvested data with a hardcoded XOR key, and send it to GitHub Gists. These packages are also notable for employing a build script (“build.rs”) to trigger the malicious code execution.
The Python packages tied to TrapDoor are crafted to run automatically upon import. Their main purpose is to fetch JavaScript from an attacker-controlled GitHub Pages domain (“ddjidd564.github[.]io”) and execute it using “node -e.”
“This approach lets the Python package hand off execution to a remote JavaScript payload, giving the attacker greater flexibility after the package is published,” Socket explained. “By hosting the payload externally, the attacker can modify its behavior without needing to release a new version on PyPI.”
A distinctive feature of the campaign is the insertion of .cursorrules and CLAUDE.md files containing concealed instructions meant to deceive AI assistants into performing a “security scan” that actually uncovers and exfiltrates secrets. This is accomplished by submitting GitHub pull requests (PRs) to well-known AI and developer projects, including “browser-use/browser-use,” “langchain-ai/langchain,” and “langflow-ai/langflow.”
The PR activity suggests that TrapDoor goes beyond simply publishing malicious packages in open-source ecosystems. Socket noted that the threat actor is likely probing whether AI-related project files can be slipped into standard open-source contribution workflows, causing AI coding tools to interpret those hidden instructions and act on them.
The findings highlight once more how threat actors are increasingly zeroing in on developer workflows, seeking to steal a broad spectrum of information that could enable them to dig deeper into target environments for subsequent attacks.
“TrapDoor illustrates how attackers are blending classic package typosquatting with newer developer-environment attack vectors,” Socket said. “The package names are carefully chosen to seem relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then exploits ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.”
