VYPR
breach · Published May 25, 2026 · 1 source

TrapDoor Supply Chain Campaign Compromises 34 Packages Across npm, PyPI, and Crates.io

A sophisticated supply chain campaign dubbed TrapDoor has compromised 34 packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, Solana, and AI developers with credential-stealing malware.

A new supply chain campaign named TrapDoor has compromised 34 packages across npm, PyPI, and Crates.io, deploying over 384 malicious versions aimed at stealing credentials, cryptocurrency wallets, SSH keys, and cloud tokens from developers in the crypto, DeFi, Solana, and AI communities. The earliest observed component, the PyPI package eth-security-auditor@0.1.0, was published on May 22, 2026, before rapidly expanding into other registries with deceptive names like prompt-engineering-toolkit, solidity-deploy-guard, and defi-threat-scanner to feign legitimacy.

The campaign uses ecosystem-specific execution methods to maximize stealth. On npm, malicious postinstall hooks deploy a shared trap-core.js payload for persistent credential harvesting, using Fernet and ECDH encryption while validating stolen credentials via live API queries. On PyPI, packages auto-execute on import, downloading a remote JavaScript payload from GitHub Pages via node -e, allowing dynamic behavioral updates without new releases. On Crates.io, Rust build.rs scripts actively search for and target local Sui and Move developer keystores, employing XOR encryption with the hardcoded key cargo-build-helper-2026.

TrapDoor targets an extensive array of developer data, including Sui, Solana, and Aptos crypto wallets, SSH keys, browser profiles, and AWS environment variables. The 1,149-line shared npm payload, trap-core.js, establishes long-term persistence through systemd services, cron jobs, Git hooks, and shell hooks. Stolen SSH keys are repurposed for automated lateral movement, transforming compromised workstations into persistent gateways for broader corporate network breaches.

A defining characteristic of TrapDoor is its deliberate targeting of AI coding assistants via modified .cursorrules and CLAUDE.md project files. The threat actor uses zero-width Unicode characters to obscure malicious prompts, tricking AI tools like LangChain, MetaGPT, and OpenHands into performing hostile credential exfiltration under the guise of executing an automated project security scan. To scale this attack vector, the attacker used the GitHub account ddjidd564 to submit deceptive pull requests containing these poisoned configuration files to prominent open-source AI projects.
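A review-time check for the hidden-character technique described above, as an added example that is not code from the campaign analysis or from any tool named in this article. It generalizes from zero-width characters to every Unicode format character (category Cf), which also covers bidi controls and tag characters; the names find_invisible, scan_repo and AGENT_FILES are hypothetical, and the sample text is constructed.

```python
import os
import unicodedata

# File names the article says were poisoned; extend for other agent config files.
AGENT_FILES = {".cursorrules", "CLAUDE.md"}


def find_invisible(text):
    """Return (line, column, 'U+XXXX NAME') for every invisible format character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # A single leading U+FEFF is a byte-order mark, not hidden content.
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            # Category Cf covers zero-width space/joiners, bidi controls, tag characters.
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return hits


def scan_repo(root):
    """Walk a checkout and map each agent instruction file to its findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip Git internals
        for fname in filenames:
            if fname in AGENT_FILES:
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_invisible(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: a harmless rule line with two hidden characters spliced in.
    sample = "# Project rules\nRun the\u200b linter\u200d before commit.\n"
    for lineno, col, desc in find_invisible(sample):
        print(f"line {lineno}, col {col}: {desc}")
    for path, hits in scan_repo(".").items():
        print(f"{path}: {len(hits)} invisible character(s)")
```

Run against a pull request checkout, any hit in these files is worth a manual look, since plain-text instruction files rarely have a legitimate need for format characters outside emoji joiner sequences.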

The attacker maintains a sophisticated command and control architecture on GitHub Pages, hosting active malicious configuration files alongside a detailed AUDIT-MATRIX.md framework design document. This operational playbook describes a "Universal AI Agent Extraction Framework" that relies on a disguise layer to map stealthy credential theft to seemingly benign developer automation workflows. To maximize the value of exfiltrated data, payloads actively validate stolen AWS and GitHub tokens via live API queries while using advanced cryptography across different ecosystems to evade standard network detection.

Socket detected the TrapDoor releases with a median detection time of 5 minutes and 27 seconds, effectively classifying the entire campaign as malicious before widespread adoption could occur. The campaign's cross-ecosystem reach and AI-targeting techniques represent a significant escalation in supply chain attack sophistication, highlighting the need for enhanced package registry monitoring and developer awareness of AI-assisted attack vectors.

Synthesized by Vypr AI