Security researchers identified a coordinated supply-chain campaign known as TrapDoor that began on May 22, 2026, targeting developer tooling used by cryptocurrency, DeFi, AI and security projects. The campaign deployed 34 malicious packages and more than 384 versions across npm, PyPI and Crates.io.
The attack escalated beyond ordinary dependency compromise by targeting both software packages and AI-assisted development workflows. TrapDoor stole credentials, wallet material and access tokens while also establishing persistence, creating risks for project maintainers, enterprise teams and end users.
Malicious Packages Exploit Developer Workflows
The campaign moved at high speed, with malicious versions detected in a median time of 5 minutes and 27 seconds. The fastest observed detection came in just 58 seconds, showing both rapid attacker deployment and unusually quick response from the security community.
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.​io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets… pic.twitter.com/0CI758NJ6T
— Socket (@SocketSecurity) May 24, 2026
TrapDoor used execution techniques tailored to each software ecosystem. npm packages ran a JavaScript payload called trap-core.js through postinstall hooks, scanning for secrets, validating AWS and GitHub tokens, attempting SSH-based lateral movement and creating persistence through cron, systemd and Git hooks.
PyPI packages took a different route, executing on import and fetching a remote JavaScript loader from a GitHub Pages domain. That remote-loader design allowed attackers to change behavior without publishing new PyPI releases, making the campaign more adaptable after installation.
Rust crates abused build.rs scripts to search for Sui, Solana and Aptos keystores. The crates encrypted findings with the hardcoded XOR key cargo-build-helper-2026, then exfiltrated data through GitHub Gists under the ddjidd564 account.
AI Assistant Configs Become an Attack Surface
The campaign also planted malicious AI configuration files, including .cursorrules and CLAUDE.md, using invisible Unicode characters and bidirectional controls. Those files appeared blank to developers but injected hidden instructions into AI assistants’ context.
The injected instructions framed credential extraction as a mandatory security scan. When developers requested coding help, the compromised assistant could run shell commands, collect environment variables, SSH keys and configuration files, then send them to attacker infrastructure.
TrapDoor targeted cryptocurrency wallets, SSH keys, cloud credentials, GitHub tokens, API keys and browser data. Wallet material linked to Sui, Solana, Aptos, MetaMask and browser wallets was specifically at risk, making the campaign especially dangerous for crypto teams.
The campaign marker “P-2024-001” appeared across registries and pull requests. That repeated indicator helped connect activity across ecosystems, even as the attackers blended exfiltration and command-and-control traffic with legitimate GitHub infrastructure.
The broader risk is downstream compromise. Stolen GitHub tokens could enable malicious code injection, poisoned repositories or fraudulent package publication, while validated cloud credentials could support deeper intrusion and long-lived backdoors.
For responders, developer machines and AI assistant configurations now need to be treated as part of the security perimeter. Teams should rotate tokens, audit keys, review CI/CD activity and monitor anomalous repository pushes to limit lateral movement and downstream exposure.
