TrapDoor Supply Chain Attack Targets Developers with Credential-Stealing Malware
A sophisticated and coordinated software supply chain attack, dubbed TrapDoor, has been identified, targeting developers across multiple ecosystems, including npm, PyPI, and Crates.io. This campaign has successfully distributed credential-stealing malware through over 34 malicious packages spanning more than 384 versions. The initial activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with subsequent waves of malicious packages being published in rapid succession from a cluster of accounts.
Targeted Communities and Malicious Intent
TrapDoor specifically aims at developers within the cryptocurrency, decentralized finance (DeFi), Solana, and artificial intelligence (AI) sectors. The malicious packages are engineered to exfiltrate sensitive information, including developer secrets, cryptocurrency wallets, SSH keys, cloud service credentials, browser data, and environment variables. Notably, several npm packages deploy a shared payload named trap-core.js, which performs the following actions:
– Scans for credentials and developer secrets.
– Validates stolen credentials using AWS and GitHub API calls.
– Attempts SSH-based lateral movement within networks.
– Establishes persistence through various methods, including:
– Modifying `.cursorrules` and `CLAUDE.md` files.
– Implementing Git hooks and shell hooks.
– Utilizing systemd services and cron jobs.
Scope of Malicious Packages
The identified malicious packages are distributed across three major ecosystems:
– Crates.io:
– move-analyzer-build
– move-compiler-tools
– move-project-builder
– sui-framework-helpers
– sui-move-build-helper
– sui-sdk-build-utils
– npm:
– async-pipeline-builder
– build-scripts-utils
– chain-key-validator
– crypto-credential-scanner
– defi-env-auditor
– defi-threat-scanner
– deployment-key-auditor
– dev-env-bootstrapper
– eth-wallet-sentinel
– llm-context-compressor
– mnemonic-safety-check
– model-switch-router
– node-setup-helpers
– project-init-tools
– prompt-engineering-toolkit
– solidity-deploy-guard
– token-usage-tracker
– wallet-backup-verifier
– wallet-security-checker
– web3-secrets-detector
– workspace-config-loader
– PyPI:
– cryptowallet-safety
– data-pipeline-check
– defi-risk-scanner
– env-loader-cli
– eth-security-auditor
– git-config-sync
– solidity-build-guard
Delivery Mechanisms and Execution Strategies
The TrapDoor campaign employs diverse delivery methods to infiltrate developer environments:
– Postinstall Hooks: Malicious code is executed automatically upon package installation.
– Remote JavaScript Payloads: Executed during package imports, allowing dynamic code execution.
– Malicious Build Scripts: Particularly targeting Sui and Move developers, these scripts execute harmful code during the build process.
The npm packages, for instance, execute the trap-core.js payload, which:
– Scans for and validates credentials.
– Establishes persistence through various system modifications.
– Attempts lateral movement via SSH.
Similarly, the Rust crates search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to GitHub Gists. The malicious code execution is triggered through a build script (build.rs).
The Python packages are designed to auto-execute upon import, downloading JavaScript from an attacker-controlled GitHub Pages domain and running it using node -e. This technique allows the attacker to update behavior without publishing a new PyPI release.
Exploitation of AI Assistants
An unusual aspect of the TrapDoor campaign is the implantation of `.cursorrules` and `CLAUDE.md` files containing hidden instructions designed to deceive artificial intelligence (AI) assistants into executing a security scan. This scan results in the discovery and exfiltration of secrets. The attackers achieve this by opening GitHub pull requests across popular AI and developer projects, including:
– browser-use/browser-use
– langchain-ai/langchain
– langflow-ai/langflow
This activity indicates that TrapDoor extends beyond merely pushing malicious packages to open-source ecosystems. The threat actors are likely testing whether AI-related
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
