
TRAPDOOR SUPPLY CHAIN ATTACK Hits npm, PyPI, and Crates.io With Credential-Stealing Malware Targeting AI and Crypto Developers

Cross-Ecosystem Malware Campaign Uses Malicious Open-Source Packages to Steal Cloud Credentials, Crypto Wallets, SSH Keys, and Developer Secrets

25 May 2026
CRITICAL — Software Supply Chain Attack

01 // Executive Overview

Massive Multi-Ecosystem Supply Chain Attack Targets Developers Across AI, Crypto, and Web3 Communities

Security researchers have uncovered a highly coordinated software supply chain attack campaign known as TrapDoor, which targets developers through malicious packages published across npm, PyPI, and Crates.io.

The campaign distributes credential-stealing malware capable of harvesting developer secrets, crypto wallets, SSH keys, browser data, cloud credentials, environment variables, and authentication tokens. Researchers confirmed that the operation spans more than 34 malicious packages distributed across over 384 package versions.

According to researchers from Socket, the campaign specifically targets developers working in:

  • Cryptocurrency ecosystems
  • DeFi platforms
  • Solana development
  • AI tooling projects
  • Developer automation workflows

The earliest observed activity reportedly began on May 22, 2026, with attackers rapidly publishing waves of malicious packages using clusters of coordinated accounts.

Unlike traditional software supply chain attacks that focus on a single ecosystem, TrapDoor operates simultaneously across multiple programming language environments, significantly increasing exposure for modern development pipelines.

Critical Warning: The malware actively attempts credential theft, persistence establishment, SSH-based lateral movement, and manipulation of AI coding assistant workflows through hidden instructions embedded inside project files.

02 // Technical Overview of the TrapDoor Campaign

Attackers Weaponize Open-Source Package Ecosystems to Compromise Developer Environments

Researchers discovered that TrapDoor abuses trusted open-source package repositories by publishing malicious packages disguised as legitimate developer tools.

Malicious Package Targets Included

npm Packages

Attackers uploaded numerous malicious packages to npm, including:

  • async-pipeline-builder
  • crypto-credential-scanner
  • defi-env-auditor
  • deployment-key-auditor
  • llm-context-compressor
  • model-switch-router
  • solidity-deploy-guard
  • wallet-security-checker
  • web3-secrets-detector

PyPI Packages

Malicious packages published to PyPI included:

  • cryptowallet-safety
  • defi-risk-scanner
  • eth-security-auditor
  • git-config-sync
  • solidity-build-guard

Crates.io Rust Packages

Malicious Rust crates uploaded to Crates.io included:

  • move-analyzer-build
  • sui-framework-helpers
  • sui-sdk-build-utils
  • move-project-builder

Researchers noted that the package names were intentionally crafted to appear relevant to AI development, blockchain engineering, local environment tooling, and security auditing workflows.

03 // Malware Functionality & Attack Capabilities

TrapDoor Malware Performs Credential Theft, Persistence, and Lateral Movement Operations

The campaign deploys a shared JavaScript payload known as trap-core.js, which performs extensive reconnaissance and credential theft operations inside compromised developer environments.

Primary Malware Capabilities

The malware is designed to:

  • Steal cloud credentials
  • Extract crypto wallets and seeds
  • Harvest SSH keys
  • Collect browser data
  • Exfiltrate environment variables
  • Validate stolen AWS tokens
  • Validate stolen GitHub tokens
  • Perform SSH-based lateral movement
  • Deploy persistence mechanisms
  • Manipulate developer tooling environments

Persistence Techniques Observed

Researchers observed the malware deploying persistence through:

  • Git hooks
  • Shell hooks
  • systemd services
  • cron jobs
  • .cursorrules files
  • CLAUDE.md instruction files

The malware also attempts to spread laterally by abusing trusted SSH relationships inside development infrastructure.

04 // Ecosystem-Specific Execution Methods

Attackers Tailor Malware Delivery to Each Programming Ecosystem

One of the most dangerous aspects of TrapDoor is its ability to adapt execution methods depending on the targeted development ecosystem.

npm Infection Method

Malicious npm packages rely heavily on:

  • postinstall hooks
  • Remote payload execution
  • JavaScript loader scripts
  • Dynamic code fetching

These packages automatically execute malicious logic during installation or package initialization.
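A defender-side check for the install-time execution described above, added here as an example and not taken from the researchers' report: it reads a project's package-lock.json, finds every dependency npm has flagged with hasInstallScript, and pulls the hook commands from the installed manifest. The function name and the fetch/eval heuristic are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")
# Heuristic (an assumption, not an indicator from the advisory): hook commands
# that download something or evaluate code inline deserve a manual read.
FETCH_OR_EVAL = re.compile(r"\b(curl|wget|node\s+-e|eval|https?://)", re.I)

def install_hooks(project_root):
    """List dependencies that run code at install time, with their hook commands."""
    root = Path(project_root)
    lock = json.loads((root / "package-lock.json").read_text())
    report = []
    for key, meta in lock.get("packages", {}).items():
        # The "" key is the project itself; npm sets hasInstallScript on
        # dependencies that declare install-time scripts (lockfile v2/v3).
        if not key or not meta.get("hasInstallScript"):
            continue
        manifest = root / key / "package.json"
        hooks = {}
        if manifest.is_file():
            scripts = json.loads(manifest.read_text()).get("scripts", {})
            hooks = {h: scripts[h] for h in HOOKS if h in scripts}
        report.append({
            "package": key.rsplit("node_modules/", 1)[-1],
            "version": meta.get("version"),
            "hooks": hooks,
            "fetch_or_eval": sorted(h for h, cmd in hooks.items()
                                    if FETCH_OR_EVAL.search(cmd)),
        })
    return sorted(report, key=lambda r: r["package"])
```

Installing with `npm ci --ignore-scripts` keeps these hooks from running while the report is reviewed.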

PyPI Infection Method

The PyPI packages trigger malicious code automatically during import operations. Researchers observed the packages downloading remote JavaScript payloads from attacker-controlled GitHub Pages infrastructure and executing them through node -e.

This approach gives attackers flexibility to modify payload behavior dynamically without publishing updated package versions.

Rust Crates Infection Method

The malicious Rust crates leverage build.rs scripts to execute malware during the build process itself. Researchers observed these packages:

  • Searching for local keystores
  • Encrypting stolen data using XOR keys
  • Exfiltrating data to GitHub Gists

05 // AI Workflow Manipulation & Hidden Prompt Injection

Attackers Attempt to Exploit AI Coding Assistants Through Hidden Project Instructions

Perhaps the most alarming aspect of TrapDoor involves its attempts to manipulate AI-assisted developer workflows directly.

Researchers discovered that attackers implanted hidden .cursorrules and CLAUDE.md files containing deceptive instructions designed to trick AI coding assistants into performing “security scans” that secretly exfiltrate credentials and sensitive information.

Attackers reportedly submitted pull requests targeting popular AI and developer projects such as:

  • LangChain
  • Langflow
  • browser-use/browser-use

This tactic demonstrates a rapidly evolving threat landscape where attackers increasingly target AI-assisted development environments rather than only human developers directly.

Furthermore, the campaign suggests attackers may actively test whether AI coding tools can unknowingly process malicious embedded instructions and carry out unauthorized actions automatically.

06 // Recommended Security Actions

Immediate Mitigation Steps for Development Teams and Organizations

01 — Audit Installed Packages Immediately

Review all recently installed packages across:

  • npm environments
  • Python environments
  • Rust environments

Check specifically for the malicious package names identified by researchers.
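One way to run this audit across all three ecosystems at once, added here as an example and not part of the original advisory: it walks a source tree, parses package-lock.json, requirements.txt and Cargo.lock, and reports any dependency whose name appears in the package lists above. The function names and the choice of files to parse are assumptions.

```python
import json
import re
from pathlib import Path

# Package names copied from this advisory, grouped by registry.
TRAPDOOR = {
    "npm": set("""async-pipeline-builder crypto-credential-scanner defi-env-auditor
        deployment-key-auditor llm-context-compressor model-switch-router
        solidity-deploy-guard wallet-security-checker web3-secrets-detector""".split()),
    "pypi": set("""cryptowallet-safety defi-risk-scanner eth-security-auditor
        git-config-sync solidity-build-guard""".split()),
    "crates": set("""move-analyzer-build sui-framework-helpers sui-sdk-build-utils
        move-project-builder""".split()),
}

def npm_names(lock_text):
    # Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; keep the last name.
    data = json.loads(lock_text)
    names = {k.rsplit("node_modules/", 1)[-1] for k in data.get("packages", {}) if k}
    return names | set(data.get("dependencies", {}))  # v1 lockfiles

def pypi_names(req_text):
    # Take the name before any specifier; PyPI treats -, _ and . runs and case as equal.
    found = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", ln.split("#")[0].strip())
             for ln in req_text.splitlines())
    return {re.sub(r"[-_.]+", "-", m.group(0)).lower() for m in found if m}

def crate_names(lock_text):
    # Every [[package]] table in Cargo.lock carries a name = "..." line.
    return set(re.findall(r'(?m)^name\s*=\s*"([^"]+)"', lock_text))

PARSERS = {"package-lock.json": ("npm", npm_names),
           "requirements.txt": ("pypi", pypi_names),
           "Cargo.lock": ("crates", crate_names)}

def scan_tree(root):
    hits = []
    for path in Path(root).rglob("*"):
        if path.name in PARSERS and path.is_file():
            eco, parse = PARSERS[path.name]
            found = parse(path.read_text(errors="replace")) & TRAPDOOR[eco]
            hits += [(str(path), eco, name) for name in sorted(found)]
    return hits
```

Lockfiles cover transitive dependencies, which a manifest such as package.json or Cargo.toml alone would miss.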

02 — Rotate Credentials

Immediately rotate:

  • AWS credentials
  • GitHub tokens
  • SSH keys
  • API tokens
  • Cloud authentication secrets
  • Crypto wallet credentials

03 — Inspect Persistence Mechanisms

Investigate systems for:

  • Unauthorized cron jobs
  • systemd services
  • Modified Git hooks
  • Shell startup modifications
  • Unknown .cursorrules files
  • Suspicious CLAUDE.md instructions
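For the repository-level items in this list (Git hooks, .cursorrules and CLAUDE.md), the following added example, which is not code from the advisory or from the researchers, inventories every such file under a directory with its SHA-256 so it can be compared against a known-good copy. The function name and the keyword heuristic are assumptions; cron, systemd and shell startup files need a separate host-level check.

```python
import hashlib
import re
from pathlib import Path

INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}
# Heuristic terms (an assumption, not indicators from the advisory): an instruction
# file that points an assistant at secrets or network tools deserves a manual read.
RISKY = re.compile(
    r"\.ssh|\.aws|id_rsa|\.env\b|private key|seed phrase|curl |wget |base64", re.I)

def inventory(root):
    """Return active Git hooks and AI instruction files under root, sorted by path."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind = None
        if path.parent.name == "hooks" and path.parent.parent.name == ".git":
            if not path.name.endswith(".sample"):  # stock templates end in .sample
                kind = "git-hook"
        elif path.name in INSTRUCTION_FILES:
            kind = "ai-instructions"
        if kind is None:
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", "replace")
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "risky_terms": sorted({m.group(0).strip().lower()
                                   for m in RISKY.finditer(text)}),
        })
    return sorted(findings, key=lambda f: f["path"])
```

Hooks can also live outside .git/hooks when `core.hooksPath` is set, so check `git config core.hooksPath` in each repository as well.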

04 — Strengthen Package Security Controls

Implement:

  • Package allowlisting
  • Dependency verification
  • Signed package validation
  • Dependency scanning
  • Software bill of materials (SBOM) reviews

05 — Monitor Developer Infrastructure Aggressively

Security teams should monitor for:

  • Credential misuse
  • Suspicious GitHub activity
  • Abnormal package installation behavior
  • Unexpected outbound traffic
  • Unauthorized SSH access attempts

06 — Harden AI-Assisted Development Workflows

Organizations using AI coding assistants should validate hidden project instruction files and review how AI tooling processes repository metadata and contextual prompts.

07 // Strategic Security Perspective

Modern Supply Chain Attacks Now Target Developers, AI Tools, and Open-Source Ecosystems Simultaneously

TrapDoor highlights how modern threat actors increasingly view software developers as high-value targets capable of providing direct access into enterprise infrastructure, cloud environments, cryptocurrency ecosystems, and production platforms.

Unlike earlier supply chain attacks focused primarily on typosquatting or dependency confusion, TrapDoor combines:

  • Multi-ecosystem malware delivery
  • Credential theft
  • Persistence operations
  • SSH lateral movement
  • AI workflow manipulation
  • Developer environment compromise

The campaign also demonstrates how AI-assisted development tooling introduces entirely new attack surfaces. Hidden prompt instructions embedded inside repositories may eventually become a major threat vector for organizations relying heavily on AI-powered coding assistants.

Additionally, attackers continue evolving beyond traditional malware delivery by embedding malicious behavior directly into development pipelines and automation systems trusted by engineers daily.

Organizations should therefore treat developer environments as critical infrastructure and implement:

  • Zero-trust development security
  • Continuous dependency monitoring
  • Secure software supply chain validation
  • AI workflow auditing
  • Credential segmentation
  • Strong runtime monitoring
  • Rapid incident response procedures

Ultimately, securing the software supply chain now requires defending not only code repositories and dependencies, but also the developers, AI assistants, and automation systems interacting with them continuously.