A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware.
The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of accounts in quick succession.
“TrapDoor targets developers in crypto, DeFi, Solana, and AI communities,” Socket said. “The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.”
“Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.”
It’s worth noting that the activity has no connection to another campaign of the same name that HUMAN’s Satori Threat Intelligence and Research Team detailed last week as engaging in ad fraud by distributing 455 Android apps through the Google Play Store.
The list of identified packages is below –
-
Crates.io
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
-
npm
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
-
PyPI
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
The operation is notable for its diverse delivery paths, using postinstall hooks, remote JavaScript payloads that are executed during package imports, and malicious build.rs scripts to target Sui and Move developers. The packages masquerade as seemingly harmless tools, giving attackers the ability to reach a broad audience.
The npm packages have been found to run a JavaScript payload (“trap-core.js”), which scans for credentials and developer secrets, validates stolen credentials using AWS and GitHub API calls, and creates persistence on the host using cron jobs, systemd services, Git hooks, and moves across the network via SSH.
The Rust crates, in a similar fashion, search for local keystores, encrypt the data using a hardcoded XOR key, and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
