Executive Summary
A sophisticated and multi-faceted software supply chain attack, designated TrapDoor, has been detected propagating credential-stealing malware through the npm, PyPI, and crates.io package repositories. This campaign, first observed in late May 2026, leverages malicious packages to compromise developer environments, exfiltrate sensitive credentials, and establish persistent access. The attack is notable for its cross-ecosystem reach, advanced persistence mechanisms, and innovative abuse of AI coding assistants for covert data exfiltration. The primary targets are developers and organizations in the crypto, DeFi, Solana, and AI sectors, but the campaign’s global distribution model means any user of the affected packages is at risk. Immediate action is required to audit dependencies, rotate credentials, and monitor for indicators of compromise.
Threat Actor Profile
The TrapDoor campaign exhibits hallmarks of a highly organized and technically adept threat actor. While no direct attribution to a known Advanced Persistent Threat (APT) group has been established as of this report, the operation demonstrates a deep understanding of software development workflows, package ecosystem internals, and modern persistence techniques. The actor’s use of ecosystem-specific payloads, rapid versioning, and AI-assisted exfiltration suggests a well-resourced team with access to both offensive security expertise and automation infrastructure. The campaign’s global reach and focus on high-value developer credentials indicate a financially or strategically motivated adversary, potentially seeking access to sensitive codebases, cloud infrastructure, or cryptocurrency assets.
Technical Analysis of Malware/TTPs
The TrapDoor malware campaign exploits the trust inherent in open-source package ecosystems by publishing malicious packages to npm, PyPI, and crates.io. Each ecosystem is targeted with tailored techniques:
In npm, malicious packages such as crypto-credential-scanner, defi-env-auditor, and wallet-security-checker deploy a shared JavaScript payload (trap-core.js) via postinstall hooks. Upon installation, the payload enumerates environment variables, local configuration files, and credential stores, extracting AWS keys, GitHub tokens, SSH keys, and cryptocurrency wallet secrets. The malware validates credentials in real time using API calls, attempts SSH-based lateral movement, and establishes persistence through the creation or modification of .cursorrules, CLAUDE.md, Git hooks, shell profile scripts, systemd units, and cron jobs.
In PyPI, packages like cryptowallet-safety, defi-risk-scanner, and env-loader-cli execute code at import time, downloading a JavaScript payload from the attacker-controlled domain ddjidd564.github[.]io and executing it via node -e. This dynamic payload delivery allows the attacker to update malicious logic without republishing the package, complicating detection and remediation. The payload mirrors the credential harvesting and persistence tactics seen in the npm variant.
On crates.io, Rust crates such as move-analyzer-build and sui-framework-helpers leverage build.rs scripts to execute code during the build process. These scripts search for local keystores, encrypt harvested data using a hardcoded XOR key, and exfiltrate the results to GitHub Gists, exploiting the ubiquity and trust of GitHub’s infrastructure for command-and-control (C2) and data exfiltration.
A unique aspect of TrapDoor is its abuse of AI coding assistants. The malware implants .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI tools into performing “security scans” that actually result in the discovery and exfiltration of secrets. The attacker has also opened pull requests to high-profile AI and developer projects (such as langchain-ai/langchain and langflow-ai/langflow) to test whether AI-powered code review bots will inadvertently execute or propagate these malicious instructions.
Persistence is achieved through multiple redundant mechanisms, including cron jobs, systemd services, and modifications to developer workflow hooks. Lateral movement is attempted via SSH using harvested credentials, and all exfiltrated data is validated and encrypted before being sent to attacker-controlled infrastructure.
Exploitation in the Wild
The TrapDoor campaign has been active since at least May 22, 2026, with over 34 distinct malicious packages and more than 384 compromised versions published across the three major ecosystems. According to open-source intelligence from The Hacker News, Socket.dev, and other sources, the malware has been observed in over 35,000 public and private repositories, indicating widespread exploitation. The campaign’s focus on the crypto, DeFi, Solana, and AI developer communities is evident from the package naming conventions and the targeting of repositories and projects in these sectors.
Notably, the attacker has demonstrated a high degree of operational security and adaptability, rapidly publishing new versions and variants as previous ones are detected and removed. The use of dynamic payload delivery via GitHub Pages and exfiltration via GitHub Gists further complicates detection and takedown efforts. The campaign’s abuse of AI coding assistants represents a novel exploitation vector, with the potential to bypass traditional security controls and propagate malicious logic through automated code review and integration workflows.
Victimology and Targeting
The primary victims of the TrapDoor campaign are developers and organizations operating in the cryptocurrency, decentralized finance (DeFi), Solana blockchain, and artificial intelligence sectors. The attack leverages the open and global nature of package repositories, making it difficult to geographically constrain the impact. Any developer or CI/CD pipeline that installed or imported the affected packages between May 22 and May 25, 2026, is at risk of compromise.
The campaign’s targeting of high-profile AI and developer tooling projects via malicious pull requests suggests an intent to compromise not only individual developers but also the broader software supply chain. By embedding malicious instructions in markdown files and leveraging AI assistants, the attacker seeks to exploit the growing reliance on automated code analysis and integration tools, potentially enabling the propagation of malware across organizational and ecosystem boundaries.
Mitigation and Countermeasures
Organizations and developers must take immediate action to mitigate the risk posed by the TrapDoor campaign. Begin by auditing all dependencies for the presence of the listed malicious packages and their versions. Remove any affected packages from your environments and codebases without delay. Rotate all potentially compromised credentials, including AWS keys, GitHub tokens, SSH keys, and cryptocurrency wallet secrets, if any of the malicious packages were installed or imported.
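The dependency audit described above, as an added example that is not part of the original advisory: it checks package.json, requirements*.txt and Cargo.toml files under a directory for the package names quoted in this report. The function names are hypothetical, and the name set covers only the packages named on this page, not the campaign's full list.

```python
import json
import re
from pathlib import Path

# Names quoted in this advisory only; the campaign's full list is longer.
NAMED = {
    "npm": {"crypto-credential-scanner", "defi-env-auditor", "wallet-security-checker"},
    "pypi": {"cryptowallet-safety", "defi-risk-scanner", "env-loader-cli"},
    "crates": {"move-analyzer-build", "sui-framework-helpers"},
}
# [dependencies], [dev-/build-dependencies], [target.X.dependencies], [dependencies.NAME]
CARGO_SECTION = re.compile(r"\[(?:.*\.)?(?:dev-|build-)?dependencies(?:\.([\w-]+))?\]")

def declared_deps(path):
    """Return (ecosystem, declared dependency names) for a manifest file."""
    if path.name == "package.json":
        data = json.loads(path.read_text(encoding="utf-8"))
        keys = ("dependencies", "devDependencies", "optionalDependencies")
        return "npm", {n for k in keys for n in data.get(k, {})}
    if path.name == "Cargo.toml":
        names, in_deps = set(), False
        for line in map(str.strip, path.read_text(encoding="utf-8").splitlines()):
            if line.startswith("["):
                m = CARGO_SECTION.fullmatch(line)
                in_deps = bool(m)
                names.update({m.group(1)} if m and m.group(1) else ())
            elif in_deps:  # key name, plus the real crate behind a `package =` rename
                pairs = re.findall(r'package\s*=\s*"([\w-]+)"|^([\w-]+)\s*=', line)
                names.update(x for pair in pairs for x in pair if x)
        return "crates", names
    if re.fullmatch(r"requirements.*\.txt", path.name):
        names = set()
        for line in path.read_text(encoding="utf-8").splitlines():
            m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.strip())
            if m:  # PEP 503: '-', '_' and '.' are equivalent on PyPI
                names.add(re.sub(r"[-_.]+", "-", m.group(0)).lower())
        return "pypi", names
    return None, set()

def audit_tree(root):
    """Return sorted (manifest, ecosystem, package) hits under root."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            eco, names = declared_deps(path) if path.is_file() else (None, set())
        except (OSError, ValueError):  # unreadable or malformed manifest
            continue
        hits += [(path.relative_to(root).as_posix(), eco, n) for n in names & NAMED.get(eco, set())]
    return sorted(hits)
```

Lockfiles and transitively installed packages are not inspected, so an empty result covers declared dependencies only.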
Conduct a thorough search for persistence artifacts such as .cursorrules, CLAUDE.md, modified Git hooks, shell profile scripts, systemd units, and cron jobs. Monitor network traffic for suspicious outbound connections to GitHub Gists and the domain ddjidd564.github[.]io. Review recent GitHub pull requests and contributions for hidden instructions or suspicious markdown files that could be leveraged for AI-assisted exfiltration.
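An added triage example for the artifact search above (not part of the original advisory): it walks a directory tree, records the file-based persistence locations named in this report, and flags files modified since the campaign's first observed date or referencing the payload domain. The function names and the shell-profile file list are assumptions, and cron entries are not covered.

```python
import datetime as dt
from pathlib import Path

# Indicators taken from this advisory; the domain stays defanged in source
# and is refanged only in memory for matching.
PAYLOAD_DOMAIN = "ddjidd564.github[.]io".replace("[.]", ".")
AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}
# Assumption: common shell profile names; the advisory does not list them.
PROFILE_FILES = {".bashrc", ".bash_profile", ".zshrc", ".profile"}
CAMPAIGN_START = dt.datetime(2026, 5, 22).timestamp()  # first observed activity

def classify(path):
    """Map a file to one of the persistence locations named in the advisory."""
    if path.name in AI_RULE_FILES:
        return "ai-instruction-file"
    if path.parent.name == "hooks" and ".git" in path.parts:
        # Git ships inactive *.sample templates; only other files can run.
        return None if path.suffix == ".sample" else "git-hook"
    if path.name in PROFILE_FILES:
        return "shell-profile"
    if "systemd" in path.parts and path.suffix in {".service", ".timer"}:
        return "systemd-unit"
    return None

def sweep(root, since=CAMPAIGN_START):
    """Return triage records for candidate persistence files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        kind = classify(path) if path.is_file() else None
        if kind is None:
            continue
        try:
            head = path.read_bytes()[:1_000_000].decode("utf-8", "replace")
            mtime = path.stat().st_mtime
        except OSError:  # unreadable file: skip rather than abort the sweep
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "kind": kind,
            "modified_since_campaign": mtime >= since,
            "references_payload_domain": PAYLOAD_DOMAIN in head,
        })
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    for finding in sweep(Path.home()):
        print(finding)
```

A CLAUDE.md or .cursorrules file is often legitimate, so each record is a lead for manual review of the file's contents, not a verdict.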
Implement strict dependency management policies, including the use of allowlists, automated vulnerability scanning, and continuous monitoring of package integrity. Educate developers about the risks of supply chain attacks and the importance of scrutinizing third-party dependencies, especially those with limited provenance or recent publication history. Consider deploying endpoint detection and response (EDR) solutions capable of identifying anomalous process execution and persistence mechanisms.
References
- The Hacker News: TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
- Socket.dev: TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages
- CyberSecurityNews: Hackers Compromised 34 Packages in npm, PyPI, and Crates
- Reddit: TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware
- X (Twitter): The Hacker News
- LinkedIn: The Hacker News Post
- SOCRadar: TrapDoor: Malicious npm, PyPI, Crates.io Packages Target Secrets and AI Tooling
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of their digital ecosystem. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.



