TrapDoor Campaign Deploys 34 Malicious Packages Across npm, PyPI, and Crates.io to Steal Cloud Keys and Wallets
A sophisticated campaign dubbed TrapDoor has compromised npm, PyPI, and Crates.io with 34 malicious packages designed to steal cloud credentials, SSH keys, and cryptocurrency wallets, employing stealthy exfiltration techniques.
A widespread campaign named TrapDoor has been uncovered, involving 34 malicious packages distributed across the npm, PyPI, and Crates.io open-source ecosystems. Security researchers from Socket.dev first disclosed the operation on May 24, 2026, revealing that these poisoned packages, with a total of 384 published versions, were designed to target developers in critical sectors such as cryptocurrency, DeFi, Solana, AI, and security research. The attack's insidious nature lies in its automation; simply installing or compiling a package was sufficient to trigger the malicious code, requiring no further user interaction and seamlessly integrating into standard developer workflows.
The attackers leveraged the inherent mechanisms of each ecosystem to execute their malicious logic. In PyPI, the code would activate the moment a package was imported. For Crates.io, the malware ran during the compilation phase. In the npm ecosystem, the malicious code executed silently immediately after installation, bypassing typical security alerts. Analysts at SlowMist, utilizing their MistEye threat intelligence system, confirmed the cross-ecosystem malicious activity and provided a detailed technical analysis. They identified a core strategy of developing the attack once and adapting it for each platform, as evidenced by samples like git-config-sync (PyPI), token-usage-tracker (npm), and sui-framework-helpers (Crates.io).
The scope of stolen data is extensive, encompassing sensitive information such as AWS keys, GitHub tokens, OpenAI API keys, SSH private keys, blockchain wallet files, browser login databases, and environment variables containing passwords and secrets. The npm package, token-usage-tracker, was particularly aggressive, attempting to crack weak passwords on Ethereum keystore files and execute remote commands on compromised systems. This broad data collection capability could grant attackers access to both individual developer accounts and any cloud infrastructure they manage.
A key element of the TrapDoor campaign's stealth is its exfiltration infrastructure. Instead of relying on suspicious, unknown domains, the attackers routed stolen data through legitimate and trusted services like GitHub Pages, GitHub Gist, and webhook.site. This tactic allowed the exfiltrated credentials to blend seamlessly with normal network traffic, significantly hindering detection by enterprise security tools.
The TrapDoor campaign consistently followed a three-stage pattern: trigger, collect, and exfiltrate. Each malicious package was carefully disguised as a legitimate developer tool. For instance, the Python package git-config-sync would initiate a malicious thread within seconds of being loaded, employing random delays to evade detection. It systematically scanned common directories like .ssh, .aws, and .ethereum, using six pattern-matching groups specifically designed to capture private keys, mnemonic phrases, API tokens, and passwords.
The Rust package, sui-framework-helpers, activated during the compilation process, targeting wallet files for the Sui, Aptos, and Solana blockchains. It then encoded the stolen data using a XOR cipher before uploading it to a public GitHub Gist. The npm package, token-usage-tracker, demonstrated the most advanced capabilities, forking a hidden background process post-installation. This process then swept through a wide array of file paths, collecting browser credentials, cloud keys, and wallet data.
What notably distinguished the npm sample, token-usage-tracker, was its sophisticated propagation module, which extended beyond mere credential theft. This module actively rewrote .cursorrules and CLAUDE.md files within the victim's project directories. The intent was to inject instructions that would manipulate AI coding tools, such as Cursor and Claude Code, into executing malicious actions during future user sessions. This was achieved by embedding invisible zero-width characters within these files, which carried encoded payloads that AI models could still interpret and execute.
Developers who suspect their systems may be compromised are advised to remove the affected packages, rotate all potentially compromised credentials, and meticulously clean their .cursorrules, CLAUDE.md files, Git hooks, and shell configuration files (.bashrc, .zshrc) for any references to specific indicators like P-2024-001, ddjidd564, or dev-env-bootstrapper. Security teams should also prioritize adding TrapDoor-related indicators of compromise to their CI/CD detection rules to prevent further spread.