TrapDoor Supply Chain Attack Distributes Authentication Theft Malware via npm, PyPI, and Crates.io

A new coordinated cross-ecosystem software attack campaign is targeting npm, PyPI, and Crates.io for the distribution of identity theft malware.
The campaign, codenamed TrapDoor, includes more than 34 malicious packages in more than 384 versions. The previous activity was recorded on May 22, 2026, at 8:20 pm UTC, with new packages published in the ecosystem in waves from a set of accounts in quick succession.
“TrapDoor targets developers in the crypto, DeFi, Solana, and AI communities,” Socket said. “Malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.”
“Several npm packages also release a shared payload, trap-core.js, which scans for credentials, validates AWS and GitHub tokens, attempts remote SSH-based traffic, and plants persistence using .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.”
It is worth noting that the operation is not connected to another campaign of the same name that HUMAN’s Satori Threat Intelligence and Research Team described last week as engaging in ad fraud by distributing 455 Android applications through the Google Play Store.
The list of packages mentioned is below:
- Crates.io
  - move-analyzer-build
  - move-compiler-tools
  - submit-builder project
  - sui-framework-helpers
  - sui-move-build-helper
  - sui-sdk-build-utils
- npm
  - pipeline-async constructor
  - build-scripts-utils
  - chain-key-validator
  - crypto-credential-scanner
  - defi-env-auditor
  - defi-threat-scanner
  - deployment-key-auditor
  - dev-env-bootstrapper
  - eth-wallet-sentinel
  - llm-context-compressor
  - security check-mnemonic
  - model-switch-router
  - node-setup helpers
  - project-init-tools
  - prompt-engineering-toolkit
  - solidity-deploy-guard
  - token-usage-tracker
  - wallet-backup-verifier
  - wallet-security-checker
  - web3-secrets-detector
  - workspace-config-loader
- PyPI
  - cryptowallet security
  - data-pipeline-check
  - defi-risk-scanner
  - env-loader-cli
  - eth-security-auditor
  - git-config-sync
  - fitness-build-guard
The campaign is notable for its varied delivery methods: postinstall hooks, remote JavaScript loading performed during package import, and malicious build.rs scripts that target Sui and Move developers. The packages masquerade as seemingly innocuous tools, giving the attackers the ability to reach a wider audience.
The npm packages were found to use a JavaScript payload (“trap-core.js”), which scans for developer credentials and secrets, validates stolen credentials using AWS and GitHub API calls, establishes persistence on the host using cron jobs, systemd services, and Git hooks, and spreads across the network via SSH.
The Rust crates, similarly, search local keystores, encrypt the data using a hard-coded XOR key, and exfiltrate it to GitHub Gists. The crates are also notable for their use of a build script (“build.rs”) to trigger the execution of malicious code.
The Python packages associated with TrapDoor are designed to run automatically on import. The main goal of the packages is to download JavaScript from an attacker-controlled GitHub Pages domain (“ddjidd564.github[.]io”), then run it using “node -e.”
“This technique allows a Python package to delegate execution to a remote JavaScript loader, giving an attacker flexibility after publication,” Socket explained. “By hosting the payload externally, an attacker can update behavior without publishing a new version of PyPI.”
An unusual feature of the campaign is the inclusion of .cursorrules and CLAUDE.md files, which contain hidden instructions meant to trick artificial intelligence (AI) assistants into performing “security scans” that lead to secret discovery and exfiltration. This is accomplished by opening GitHub pull requests (PRs) against AI and developer projects, including “browser implementation/browser implementation,” “langchain-ai/langchain,” and “langflow-ai/langflow.”
The PR activity shows that TrapDoor is expanding beyond pushing malicious packages into open source ecosystems. Socket said the threat actor may be testing whether AI-related project files can be introduced into the workflows of open-source projects, thereby causing AI coding tools to read those hidden instructions and act on them.
The findings also show that threat actors are increasingly targeting developer workflows, aiming to steal a wide range of information that would make it possible to move deeper into target environments for subsequent attacks.
“TrapDoor shows how attackers combine a typosquatting package with new natural attack techniques,” Socket said. “The package names are crafted to appear compatible with crypto development, AI tools, locale setup, and security workflows. The malware then uses ecosystem-specific execution methods: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.”
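
The execution paths described above (npm install hooks, Rust build.rs scripts, Python code that runs “node -e” on import, and bundled .cursorrules or CLAUDE.md files) can be surfaced for review in a dependency directory before anything is built or imported. The following is an added example, not code from Socket or from the original article; the function name audit_dependencies, the finding labels, and the “node -e” regex heuristic are assumptions made for illustration.

```python
import json
import re
import sys
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run at install time
AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}  # assistant instruction files named above
# Heuristic (assumption): Python source that spawns `node -e`, as list args or a shell string.
NODE_EVAL = re.compile(r"""["']node["']\s*,\s*["']-e["']|\bnode\s+-e\b""")


def audit_dependencies(root):
    """Return sorted (kind, relative_path, detail) findings for a dependency tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                manifest = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: nothing to report
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            if isinstance(scripts, dict):
                for hook in INSTALL_HOOKS:
                    if hook in scripts:
                        findings.append(("npm-install-hook", rel, f"{hook}: {scripts[hook]}"))
        elif path.name == "build.rs":
            findings.append(("cargo-build-script", rel, "executes during cargo build"))
        elif path.name in AI_RULE_FILES:
            findings.append(("ai-instruction-file", rel, "shipped inside a dependency"))
        elif path.suffix == ".py":
            text = path.read_text(encoding="utf-8", errors="replace")
            if NODE_EVAL.search(text):
                findings.append(("python-node-eval", rel, "spawns node -e"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py node_modules   (or a vendored-crates / site-packages path)
    for kind, rel, detail in audit_dependencies(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:22} {rel}  ({detail})")
```

A finding is a prompt for manual review, not a verdict: many legitimate packages ship install hooks or build scripts, so the value is in noticing ones that a small utility package has no reason to need.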


