Full Report
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of
Analysis Summary
# Incident Report: TrapDoor Supply Chain Attack
## Executive Summary
The "TrapDoor" campaign is a sophisticated, cross-ecosystem supply chain attack targeting developers in the Crypto, DeFi, and AI sectors via npm, PyPI, and Crates.io. The attack distributes credential-stealing malware designed to exfiltrate cloud credentials, SSH keys, and crypto wallets while establishing persistence through unconventional methods like AI assistant configuration files. Rapid response by security researchers and package repositories has led to the identification of over 34 malicious packages and hundreds of versions.
## Incident Details
- **Discovery Date:** May 25, 2026
- **Incident Date:** Beginning May 22, 2026, at 8:20 p.m. UTC
- **Affected Organization:** Multiple (Open-source ecosystem users)
- **Sector:** Technology / Software Development (Specifically Crypto, DeFi, Solana, and AI)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 22, 2026
- **Vector:** Software Supply Chain / Typosquatting / Deceptive Packages
- **Details:** Malicious packages were published in waves to npm, PyPI, and Crates.io using a cluster of accounts. These packages masqueraded as harmless developer utilities (e.g., `eth-wallet-sentinel`, `sui-sdk-build-utils`).
### Lateral Movement
- **Details:** The `trap-core.js` payload attempts SSH-based lateral movement by scanning the host for existing SSH keys and known hosts to pivot to connected infrastructure.
### Data Exfiltration/Impact
- **Details:** The malware scans for and exfiltrates developer secrets, crypto wallets, AWS/GitHub tokens, and environment variables. Rust-based packages specifically target local keystores, encrypting them with XOR before exfiltrating data to GitHub Gists.
### Detection & Response
- **How it was discovered:** Detected by Socket security researchers monitoring ecosystem telemetry.
- **Response actions taken:** Identification and public disclosure of 34+ malicious packages; reporting to repository maintainers for removal.
## Attack Methodology
- **Initial Access:** Malicious package installation via npm `postinstall` hooks, Python auto-execution on import, and Rust `build.rs` scripts.
- **Persistence:** High diversity; uses `systemd` services, `cron` jobs, Git/Shell hooks, and malicious `.cursorrules` or `CLAUDE.md` files.
- **Privilege Escalation:** Not explicitly detailed, but achieves high-level access via stolen cloud and SSH credentials.
- **Defense Evasion:** Use of remote payloads (GitHub Pages) to update malicious logic without updating the package version; XOR encryption for exfiltrated data.
- **Credential Access:** Reaching into specific directories for `.aws/credentials`, `.ssh`, and browser-stored data.
- **Discovery:** Scans for environment variables and validates stolen tokens against AWS and GitHub APIs.
- **Lateral Movement:** SSH-based pivoting.
- **Collection:** Gathering crypto wallet files and developer secrets.
- **Exfiltration:** Data sent to GitHub Gists and attacker-controlled GitHub Pages domains.
- **Impact:** Compromise of development environments and potential downstream supply chain contamination via malicious Pull Requests to projects like LangChain.
## Impact Assessment
- **Financial:** High potential loss due to the theft of cryptocurrency wallets and private keys.
- **Data Breach:** Exposure of highly sensitive developer secrets, AWS tokens, and GitHub credentials.
- **Operational:** Potential for long-term persistence in CI/CD pipelines and developer workstations.
- **Reputational:** Degradation of trust in AI-related open-source projects via "Agentic" attacks on AI assistants.
## Indicators of Compromise
- **Network:**
  - `ddjidd564.github[.]io` (Payload hosting)
- **File Indicators:**
  - `trap-core.js`
  - `.cursorrules` (containing hidden exfiltration instructions)
  - `CLAUDE.md`
- **Behavioral Indicators:**
  - Unauthorized `node -e` execution during Python package imports.
  - Unexpected outbound connections to GitHub Gists from build scripts.
  - Modification of `.git/hooks` or systemd units following a package install.
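
A sweep of one project tree for the file and git-hook indicators listed above, as an added example that is not part of the original report or of any vendor tooling. The finding labels are made up for this sketch, and the check for invisible characters or HTML comments in AI instruction files is an assumption about how instructions are hidden, which the report does not specify.

```python
import os
import re
import sys

# Indicators from the report; the host stays defanged in source, refanged at runtime.
PAYLOAD_HOST = "ddjidd564.github[.]io".replace("[.]", ".")
PAYLOAD_FILE = "trap-core.js"
AI_FILES = {".cursorrules", "CLAUDE.md"}
# Assumption: "hidden" instructions rely on zero-width/bidi characters or HTML comments.
INVISIBLE = re.compile("[\u200b-\u200f\u202a-\u202e\u2060-\u2064]")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def read_text(path, limit=1_000_000):
    """Read up to `limit` characters, tolerating binary and unreadable files."""
    try:
        if not os.path.isfile(path):  # skip FIFOs, sockets, broken symlinks
            return ""
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read(limit)
    except OSError:
        return ""


def sweep(root):
    """Return sorted (finding, relative_path) pairs for one project tree."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        in_hooks = dirpath.replace(os.sep, "/").endswith(".git/hooks")
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == PAYLOAD_FILE:
                findings.add(("payload-file", rel))
            if in_hooks:
                # Git installs only *.sample hooks; anything else was added later.
                if not name.endswith(".sample"):
                    findings.add(("active-git-hook", rel))
                continue
            text = read_text(path)
            if PAYLOAD_HOST in text:
                findings.add(("payload-host-reference", rel))
            if name in AI_FILES and (INVISIBLE.search(text) or HTML_COMMENT.search(text)):
                findings.add(("ai-file-hidden-content", rel))
    return sorted(findings)


if __name__ == "__main__":
    for finding, rel in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}\t{rel}")
```

An `active-git-hook` finding is a prompt for review, since hook managers also install non-sample hooks; systemd units and cron entries live outside the project tree and are not covered by this sweep.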
## Response Actions
- **Containment:** Removal of malicious packages from npm, PyPI, and Crates.io.
- **Eradication:** Deletion of persistence mechanisms (cron, systemd, git hooks) on infected local machines.
- **Recovery:** Revocation and rotation of all environment variables, AWS keys, and GitHub tokens.
## Lessons Learned
- **AI Tool Risk:** Attackers are now targeting the "human-AI" interface by poisoning the configuration files (`.cursorrules`) used by AI coding assistants.
- **Cross-Platform Coordination:** Threat actors are increasingly launching simultaneous attacks across multiple languages (JS, Python, Rust) to catch developers using polyglot stacks.
- **Remote Payloads:** Relying on static analysis of package contents is insufficient when packages download dynamic code from external domains during execution.
## Recommendations
- **Strict Package Auditing:** Use tools to block packages that employ `postinstall` or `build.rs` scripts unless explicitly whitelisted.
- **AI Safety:** Review project-level AI instruction files (`.cursorrules`, `CLAUDE.md`) before allowing AI assistants to process them.
- **Secret Management:** Utilize short-lived credentials and OIDC for cloud access rather than long-lived local `.aws/credentials` files.
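
One way to implement the package-auditing recommendation, as an added example rather than code from the report or from any named tool: it lists every npm package that declares an install-time lifecycle script and every crate directory that ships a `build.rs`, minus an explicit allowlist. The allowlist format (bare package or directory names) is an assumption of this sketch.

```python
import json
import os

NPM_HOOKS = ("preinstall", "install", "postinstall")


def npm_hooks(manifest_path):
    """Return (package name, install-time scripts) for one package.json."""
    try:
        with open(manifest_path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None, {}
    if not isinstance(data, dict):
        return None, {}
    scripts = data.get("scripts")
    if not isinstance(scripts, dict):
        scripts = {}
    name = data.get("name")
    hooks = {h: str(scripts[h]) for h in NPM_HOOKS if h in scripts}
    return (name if isinstance(name, str) else None), hooks


def audit(root, allowlist=frozenset()):
    """Return sorted (ecosystem, package, hook, detail) not covered by allowlist."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        fallback = os.path.basename(dirpath)  # directory name when no manifest name
        if "package.json" in files:
            name, hooks = npm_hooks(os.path.join(dirpath, "package.json"))
            name = name or fallback
            if name not in allowlist:
                findings += [("npm", name, h, cmd) for h, cmd in hooks.items()]
        # Cargo compiles and runs a build.rs at the crate root automatically.
        # A build script renamed via `build = "..."` in Cargo.toml is not covered.
        if "Cargo.toml" in files and "build.rs" in files and fallback not in allowlist:
            rel = os.path.relpath(os.path.join(dirpath, "build.rs"), root)
            findings.append(("crates.io", fallback, "build.rs", rel.replace(os.sep, "/")))
    return sorted(findings)
```

Installing with `npm ci --ignore-scripts` enforces the npm half of this policy at install time; the audit output shows which packages would then need an explicit exception.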