A coordinated supply chain campaign tracked by Socket as "TrapDoor" has compromised at least 34 open-source packages across npm, PyPI, and Crates.io, with researchers identifying more than 384 malicious versions distributed since May 22, 2026. The crypto-focused credential stealer is engineered to infiltrate developer environments and exfiltrate sensitive secrets at scale.
What Happened
The campaign kicked off on May 22, 2026 with a malicious PyPI package named eth-security-auditor, followed by successive waves of poisoned packages uploaded under multiple maintainer accounts. Socket researchers attribute the activity to a single coordinated actor based on shared payload code, naming patterns, and infrastructure overlaps across the three ecosystems.
The packages masquerade as legitimate developer utilities targeting blockchain, DeFi, AI workflow, and security auditing use cases. Names such as wallet-security-checker were chosen to maximize adoption among developers in high-value verticals where credential theft yields immediate monetization opportunities.
What Was Taken
TrapDoor harvests a broad range of high-value developer secrets from any system that installs an affected package:
- SSH keys and local developer credentials
- AWS access keys and GitHub tokens
- Crypto wallet data for Solana, Sui, and Aptos chains
- Browser-stored login data and active session tokens
- Environment variables and arbitrary API keys
The shared payload, distributed as trap-core.js in the npm variants, validates stolen credentials before exfiltration and establishes persistence to enable continued collection. The total victim count has not been disclosed, but with 384 malicious versions in public registries, exposure is likely significant.
Why It Matters
Supply chain attacks that span three major package ecosystems simultaneously are rare and represent a material escalation in cross-platform targeting. A single developer machine compromise can cascade into cloud account takeover, source code theft, and downstream poisoning of the victim's own published packages, multiplying blast radius far beyond the initial install.
The campaign's targeting of crypto, DeFi, and AI developers is deliberate. These populations hold disproportionately valuable secrets: wallet keys with direct financial value, cloud tokens with access to production AI infrastructure, and elevated GitHub credentials capable of compromising organizational repositories.
The Attack Technique
TrapDoor uses ecosystem-native execution primitives to trigger payloads during routine development workflows:
- npm packages execute via post-install scripts
- PyPI packages execute embedded JavaScript at import time
- Crates.io packages abuse Rust's build.rs to run code at compile time
Persistence is layered across Git hooks, shell configuration files, cron jobs, and systemd services to survive reboots and ordinary cleanup. Once resident, the malware attempts lateral movement using stolen SSH credentials, posing significant risk to internal infrastructure.
A particularly novel element is the abuse of AI coding assistants. The malware injects hidden instructions into files such as .cursorrules and CLAUDE.md, attempting to manipulate AI assistants into performing follow-on malicious actions or leaking context during normal developer interactions.
What Organizations Should Do
- Audit recent npm, PyPI, and Crates.io installs against Socket's published TrapDoor indicators and quarantine any matching package versions immediately.
- Rotate all developer secrets exposed to potentially compromised machines: SSH keys, AWS keys, GitHub tokens, crypto wallet seeds, and browser session cookies.
- Disable post-install scripts where possible (npm install --ignore-scripts) and enforce dependency pinning with lockfile review for all builds.
- Scan repositories for unexpected modifications to .cursorrules, CLAUDE.md, Git hooks, shell rc files, cron entries, and systemd unit files.
- Block outbound traffic from build and developer environments to known TrapDoor C2 infrastructure and alert on anomalous egress from CI runners.
- Require code review for new third-party dependencies, particularly packages less than 30 days old or with low maintainer reputation in crypto, AI, and security tooling categories.
Sources: Hackers Compromise 34 npm, PyPI, and Crates Packages in Major Supply Chain Attack