Skip to main content
Emerging ThreatsSupply Chain Attacks

TrapDoor Attack Spreads Credential-Stealing Malware Across Software Ecosystems

Developer workstation with laptop and monitor displaying code, surrounded by notes and empty coffee cups, in a modern…

May 22, 2026 at 20:20 UTC — that is the first recorded pulse of a coordinated supply‑chain campaign that has since propagated malicious packages across three major language ecosystems, according to Socket’s analysis.

Scope and timeline of the TrapDoor campaign

Socket describes the operation, codenamed TrapDoor, as a cross‑ecosystem supply chain attack spanning more than 34 malicious packages and over 384 versions. The activity began on May 22, 2026, and continued in waves, with new packages published from a cluster of accounts in quick succession to npm, PyPI, and Crates.io.

The actor deliberately tailored package names to appear relevant to cryptocurrency, DeFi, Solana, and AI development, a tactic Socket summarized succinctly: "TrapDoor targets developers in crypto, DeFi, Solana, and AI communities."

Delivery and execution techniques used against developers

The campaign uses multiple, ecosystem‑specific execution paths. On npm, postinstall hooks and remote JavaScript payloads are used; in Rust crates the actor leverages malicious build.rs scripts; and Python packages are designed to execute automatically upon import.

In the Python case, the packages are written to download JavaScript from an attacker‑controlled GitHub Pages domain (ddjidd564.github[.]io) and execute it with "node -e". Socket noted: "This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication." Hosting the payload externally lets the attacker change behavior without republishing a PyPI release.

Malicious capabilities: credential theft, validation, persistence, lateral movement

Socket's analysis ties a shared npm payload, trap-core.js, to many of the packages. That payload scans for developer secrets and browser data, validates stolen credentials using AWS and GitHub API calls, and attempts SSH‑based lateral movement. Persistence mechanisms observed include .cursorrules and CLAUDE.md files, Git hooks, shell hooks, systemd services, cron jobs, and manipulation of SSH configuration.

Rust crates behave differently but with comparable intent: they search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. The npm and Python vectors—one executing trap-core.js, the other delegating to remote JavaScript—give the actor multiple routes to obtain and validate credentials and then anchor themselves on compromised hosts.

Identified packages on Crates.io, npm, and PyPI

  • Crates.io: move-analyzer-build; move-compiler-tools; move-project-builder; sui-framework-helpers; sui-move-build-helper; sui-sdk-build-utils
  • npm: async-pipeline-builder; build-scripts-utils; chain-key-validator; crypto-credential-scanner; defi-env-auditor; defi-threat-scanner; deployment-key-auditor; dev-env-bootstrapper; eth-wallet-sentinel; llm-context-compressor; mnemonic-safety-check; model-switch-router; node-setup-helpers; project-init-tools; prompt-engineering-toolkit; solidity-deploy-guard; token-usage-tracker; wallet-backup-verifier; wallet-security-checker; web3-secrets-detector; workspace-config-loader
  • PyPI: cryptowallet-safety; data-pipeline-check; defi-risk-scanner; env-loader-cli; eth-security-auditor; git-config-sync; solidity-build-guard

Targeting AI projects and open‑source contribution workflows

TrapDoor’s operators did not confine themselves to package registries. Socket observed pull requests opened across AI and developer projects that included .cursorrules and CLAUDE.md files containing hidden instructions meant to coax AI assistants into performing a "security scan" that could result in secret discovery and exfiltration. The PRs targeted repositories including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow.

Socket interprets this activity as part of an experiment: the actor is likely testing whether AI‑related project files can be introduced through normal open‑source contribution workflows and thereby cause AI coding tools to parse and act on those hidden instructions.

What this means for crypto/DeFi developers, open‑source maintainers, and DevOps teams

  • Crypto and DeFi developers: packages named to match your toolchains were targeted explicitly; inspect dependencies and remove or block the listed names and versions to mitigate immediate risk.
  • Open‑source maintainers (AI projects): review incoming PRs for nonstandard files like .cursorrules and CLAUDE.md, and treat unexpected automation instructions as high risk given the campaign’s testing of AI assistant parsing.
  • DevOps and cloud teams: monitor AWS and GitHub token use and any unexpected validation calls, and audit hosts for persistence mechanisms cited in Socket’s report—Git hooks, systemd units, cron jobs, and anomalous SSH activity—as well as unusual exfiltration to GitHub Gists and access to ddjidd564.github[.]io.

Socket emphasized the broader pattern: "TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths." The campaign’s multi‑pronged approach—registry publishing, import‑time delegation to remote code, malicious build scripts, and attempts to manipulate AI assistants—demonstrates an adversary experimenting across every step of a developer workflow. Notably, Socket also pointed out that this activity has no connection to another campaign of the same name that HUMAN's Satori Threat Intelligence and Research Team described last week as distributing 455 Android apps for ad fraud.

The technical record in Socket’s findings describes both the immediate hygiene failures targeted—seemingly innocuous package names and routine PRs—and the more modern vector of weaponizing AI tooling and CI/automation behavior for secret discovery. That combination, the report shows, widens the attacker’s foothold long after a single package is installed.

Original story