- What: The TrapDoor campaign deployed 34 malicious packages across 384 versions on npm, PyPI, and Crates.io, stealing credentials and SSH keys from crypto, DeFi, Solana, and AI developers starting May 22, 2026.
- Impact: Compromised systems expose AWS tokens, GitHub credentials, SSH keys, browser data, and crypto wallets; the shared payload trap-core.js validates stolen credentials in real time via live API calls.
- Fix / mitigation: Audit installed packages against Socket's malicious package list, rotate all credentials immediately, check for unauthorized .cursorrules/CLAUDE.md files, and review Git hooks and shell configs for injected persistence.
- Who's at risk: Developers in cryptocurrency, DeFi, Solana, Move/Sui blockchain, and AI tooling communities who installed any of the 34 identified packages.
A coordinated supply chain attack campaign dubbed TrapDoor has deployed credential-stealing malware across npm, PyPI, and Crates.io repositories. Socket's security research team identified 34 malicious packages spanning 384 versions, with the earliest activity recorded on May 22, 2026, at 8:20 p.m. UTC. The campaign specifically targets developers working in cryptocurrency, DeFi, Solana, and AI communities through packages masquerading as legitimate development tools.
The attack represents a significant escalation in supply chain sophistication, utilizing ecosystem-specific execution paths and novel persistence mechanisms. Malicious packages were published in coordinated waves from clustered accounts, suggesting organized threat actor infrastructure rather than opportunistic attacks.
Attack Vector and Distribution
TrapDoor employs diverse delivery mechanisms tailored to each package ecosystem. The npm packages use postinstall hooks to execute malicious code automatically during installation. Python packages trigger on import, downloading and executing remote JavaScript payloads from attacker-controlled GitHub Pages domains. Rust crates leverage malicious build.rs scripts that execute during compilation, specifically targeting Sui and Move blockchain developers.
Package names were carefully crafted to appear legitimate and relevant to target developer workflows. Examples include async-pipeline-builder, defi-threat-scanner, wallet-security-checker, and llm-context-compressor. This naming strategy exploits developer trust in security and utility tooling, making packages more likely to be installed without thorough vetting.
TrapDoor specifically steals developer secrets, cryptocurrency wallets, SSH keys, AWS and GitHub credentials, browser data, and environment variables. The malware validates stolen credentials through direct API calls to AWS and GitHub, allowing attackers to identify high-value compromises immediately.
Technical Analysis of Malicious Payloads
The npm packages deploy a shared payload called trap-core.js that performs comprehensive credential scanning and establishes extensive persistence mechanisms. The malware scans for credentials and developer secrets across the filesystem, validates stolen credentials using AWS and GitHub API calls to identify active tokens, and attempts SSH-based lateral movement to compromise additional systems in the development environment.
Persistence is established through multiple redundant mechanisms including .cursorrules files, CLAUDE.md instructions, Git hooks, shell configuration hooks, systemd services, cron jobs, and SSH configuration modifications. This multi-layered approach ensures the malware survives system reboots, package updates, and basic remediation attempts.
The Rust crates search for local keystores and encrypt discovered data using a hardcoded XOR key before exfiltrating to GitHub Gists. Python packages delegate execution to remote JavaScript payloads hosted on GitHub Pages, allowing attackers to update malicious behavior without publishing new package versions to PyPI.
Novel AI Assistant Poisoning Technique
TrapDoor introduces an innovative attack vector targeting AI coding assistants. The campaign implants .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI assistants into executing a 'security scan' that actually performs secret discovery and exfiltration. These files were introduced through GitHub pull requests to popular AI and developer projects including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow.
This technique is a test of whether AI-related project files can be introduced through standard open-source contribution workflows. If successful, AI coding tools would parse the hidden instructions and apply them automatically when assisting developers, creating an entirely new attack surface that bypasses traditional security controls.
By hosting malicious payloads on GitHub Pages rather than embedding them directly in packages, attackers gain the ability to update behavior post-publication without triggering new security scans or raising suspicion through package updates. This technique significantly extends the operational window for attacks.
Affected Package Ecosystems
The campaign distributed packages across three major ecosystems with ecosystem-specific techniques:
- Crates.io (Rust): move-analyzer-build, move-compiler-tools, sui-framework-helpers, sui-move-build-helper, and sui-sdk-build-utils targeting blockchain developers
- npm (Node.js): async-pipeline-builder, crypto-credential-scanner, defi-threat-scanner, eth-wallet-sentinel, llm-context-compressor, wallet-security-checker, and 14 additional packages
- PyPI (Python): cryptowallet-safety, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, and solidity-build-guard
Lateral Movement and Persistence Mechanisms
Beyond initial compromise, TrapDoor attempts lateral movement through SSH-based network propagation. The malware scans for SSH keys and known_hosts files to identify additional targets within the development environment. This capability transforms a single developer compromise into a potential network-wide breach affecting CI/CD pipelines, staging environments, and production infrastructure.
The persistence mechanisms specifically target developer workflows rather than traditional system locations. Git hooks ensure the malware executes during common development operations like commits and pushes. Shell hooks trigger during terminal sessions. The inclusion of systemd services and cron jobs provides persistence even on servers where development tools may not be actively used.
Mitigation and Detection Recommendations
Organizations should immediately audit installed packages against the identified malicious package list. Implement package hash verification and use lock files to prevent automatic updates. Deploy tools like Socket or Snyk to scan dependencies for malicious behavior patterns before installation.
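One way to run that audit across all three ecosystems is sketched below; it is an added example, not code from Socket or from the campaign analysis. It assumes projects pin dependencies in package-lock.json, requirements.txt, or Cargo.lock, and it knows only the package names printed in this article.

```python
import json
import re
from pathlib import Path

# Names exactly as listed in this article. The npm list is partial (14 further
# packages are not named here), so extend these sets from Socket's published list.
LISTED = {
    "npm": {"async-pipeline-builder", "crypto-credential-scanner", "defi-threat-scanner",
            "eth-wallet-sentinel", "llm-context-compressor", "wallet-security-checker"},
    "pypi": {"cryptowallet-safety", "defi-risk-scanner", "env-loader-cli",
             "eth-security-auditor", "git-config-sync", "solidity-build-guard"},
    "crates": {"move-analyzer-build", "move-compiler-tools", "sui-framework-helpers",
               "sui-move-build-helper", "sui-sdk-build-utils"},
}

def npm_names(text):
    lock, names = json.loads(text), set()
    for key in lock.get("packages", {}):       # lockfileVersion 2/3: path keys
        if key:                                # "" is the root project itself
            names.add(key.split("node_modules/")[-1])
    stack = [lock.get("dependencies", {})]     # lockfileVersion 1: nested objects
    while stack:
        for name, meta in stack.pop().items():
            names.add(name)
            stack.append(meta.get("dependencies", {}))
    return names

def pypi_names(text):
    # PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503).
    found = re.findall(r"^[ \t]*([A-Za-z0-9][A-Za-z0-9._-]*)", text, flags=re.M)
    return {re.sub(r"[-_.]+", "-", n).lower() for n in found}

def crate_names(text):
    return set(re.findall(r'^name = "([^"]+)"', text, flags=re.M))

PARSERS = {"package-lock.json": ("npm", npm_names),
           "requirements.txt": ("pypi", pypi_names),
           "Cargo.lock": ("crates", crate_names)}

def audit(root):
    """Return sorted (file, ecosystem, package) hits for lockfiles under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.name in PARSERS and path.is_file():
            eco, parse = PARSERS[path.name]
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += [(str(path), eco, n) for n in parse(text) & LISTED[eco]]
    return sorted(hits)
```

Call audit() on a checkout or home directory. Lockfiles cover transitive dependencies, which is where a package nobody installed deliberately tends to show up.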
Monitor for the following indicators of compromise: unexpected outbound connections to GitHub Pages domains, presence of .cursorrules or CLAUDE.md files with encoded instructions, modifications to Git hooks or shell configuration files, new systemd services or cron jobs created by non-administrative users, and API calls to AWS or GitHub from build processes. Credential rotation should be an immediate priority for any environment where identified packages were installed.
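Two of these indicators can be checked per repository with a short script. The sketch below is an added example, not tooling from Socket; the article does not describe how the instructions are hidden or encoded, so the three heuristics (invisible Unicode format characters, long base64-like runs, HTML comments) are assumptions that mark a file for manual review, not signatures.

```python
import re
import unicodedata
from pathlib import Path

AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}   # file names named in the article
# Heuristics below are assumptions about what "hidden" or "encoded" may look like.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)

def inspect_rule_text(text):
    """Return a sorted list of reasons a rules file deserves manual review."""
    reasons = set()
    # Unicode category Cf covers zero-width and bidirectional control characters.
    if any(unicodedata.category(ch) == "Cf" for ch in text):
        reasons.add("invisible-format-characters")
    if B64_RUN.search(text):
        reasons.add("long-base64-like-run")
    if HTML_COMMENT.search(text):
        reasons.add("html-comment")
    return sorted(reasons)

def active_git_hooks(repo):
    """Hook candidates: regular files in .git/hooks without the .sample suffix."""
    hooks = Path(repo) / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and p.suffix != ".sample")

def scan_repo(repo):
    """Return (relative path, reasons) pairs for rule files and active hooks."""
    findings = []
    for path in Path(repo).rglob("*"):
        if path.name in AI_RULE_FILES and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            reasons = inspect_rule_text(text) or ["present"]
            findings.append((str(path.relative_to(repo)), reasons))
    findings += [(f".git/hooks/{name}", ["active-hook"])
                 for name in active_git_hooks(repo)]
    return findings
```

A result of "present" only means the file exists and should be compared against what the team committed on purpose. Git can also be pointed at a different hook directory through core.hooksPath, which this script does not read.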
Review GitHub pull requests for unexpected configuration files targeting AI assistants. Restrict execution permissions during package installation and build processes. Implement network segmentation to limit potential lateral movement from developer workstations. The external payload hosting technique means compromised systems may continue exhibiting malicious behavior even after package removal, requiring comprehensive system audits.
Strategic Implications
TrapDoor demonstrates the continuing evolution of supply chain attacks toward developer-specific targeting. The combination of traditional typosquatting with AI assistant poisoning and external payload hosting represents a maturation of attack techniques. The focus on cryptocurrency and AI developers reflects threat actor awareness of high-value targets within these emerging technology sectors.
The coordinated multi-ecosystem approach indicates sophisticated threat actor capabilities and planning. Publishing packages simultaneously across npm, PyPI, and Crates.io requires understanding of different packaging systems, programming languages, and execution contexts. This level of coordination suggests organized cybercrime or nation-state involvement rather than individual attackers.
The AI assistant poisoning technique, while still in testing phase according to Socket's analysis, represents a concerning new attack surface. As AI coding assistants become standard development tools, the ability to inject malicious instructions through seemingly benign project files could bypass all traditional security controls. Organizations should evaluate AI assistant security policies and consider sandboxing or restricting their capabilities in sensitive environments.