TrapDoor Campaign: Sophisticated Cross-Ecosystem Supply Chain Attack Targets Developers Across npm, PyPI, and Crates.io

In a striking demonstration of the evolving threats in the open source ecosystem, security researchers have uncovered a coordinated supply chain attack dubbed TrapDoor. This campaign has deployed more than 34 malicious packages, encompassing hundreds of versions, across three major package registries: npm, PyPI, and Crates.io. Activity intensified around May 22, 2026, marking one of the most ambitious cross-platform operations observed in recent months.

The Scope and Scale of the Attack

The TrapDoor campaign stands out for its broad reach and methodical execution. Researchers identified approximately 34 to 36 malicious packages with over 384 related versions and artifacts. These packages were published in rapid waves from clusters of accounts, allowing the malware to spread quickly before detection.

The earliest confirmed activity traces back to May 22, 2026, with packages appearing first on PyPI before expanding aggressively into npm and Crates.io. Many packages were designed to masquerade as legitimate developer tools, security utilities, or specialized libraries tailored to high-value targets in the cryptocurrency, decentralized finance (DeFi), Solana, Sui, Move, and artificial intelligence sectors.

Targeting Strategy and Victim Profile

Attackers specifically focused on developers working in lucrative and technically complex fields. Package names often evoked trust and relevance, such as tools for wallet security checks, LLM context handling, blockchain framework helpers, or AI development utilities. This social engineering approach increased the likelihood that targeted professionals would install the packages during routine workflows.

By hitting multiple ecosystems simultaneously, the campaign maximized its potential impact. Crypto and DeFi developers frequently manage sensitive wallet keys and blockchain credentials, while AI engineers handle valuable model configurations and cloud resources. The overlap in these communities amplified the risk, as many professionals work across JavaScript, Python, and Rust environments.

Technical Execution and Payload Delivery

TrapDoor employs ecosystem-specific techniques to ensure reliable execution and stealth:

• npm packages: Leverage postinstall hooks to execute a core JavaScript payload (often named trap-core.js). This script scans the local environment for credentials immediately upon installation.
• PyPI packages: Utilize import-time execution of remote JavaScript payloads, allowing dynamic behavior during standard Python workflows.
• Crates.io (Rust) packages: Inject malicious logic into build.rs scripts, targeting developers working with Sui and Move frameworks for blockchain applications.

The malware focuses on harvesting a wide array of sensitive data, including cryptocurrency wallets and keystores, SSH keys, cloud provider tokens (such as AWS credentials), GitHub access tokens, browser-stored information, and environment variables. Some variants validate stolen secrets against live APIs to confirm their value before exfiltration.

Advanced Evasion and AI Integration Tactics

Beyond traditional credential theft, the campaign demonstrates sophisticated evasion methods. Researchers noted the use of hidden instructions in AI coding assistant configuration files, such as CLAUDE.md and .cursorrules. These files can influence tools like Cursor or Claude to generate or accept compromised code, effectively turning AI assistants into unwitting vectors for further spread.

Attackers also attempted to propagate the malicious packages through pull requests on developer repositories, blending into normal collaboration workflows. Unicode tricks and other obfuscation methods helped the payloads evade basic code reviews and automated scanners.

Discovery, Response, and Mitigation

Socket Security's research team proactively identified and tracked the campaign, reporting malicious packages to the respective registries. Many have since been removed, though some variants may have remained live during the initial discovery phase. Security teams recommend immediate actions for potentially affected organizations:

• Audit dependency trees for suspicious packages
• Rotate exposed credentials, particularly SSH keys, cloud tokens, and wallet seeds
• Scan local environments for signs of data exfiltration
• Implement stricter supply chain security practices, including automated risk scanning tools

This incident underscores the persistent challenges in open source supply chain security. As development accelerates with AI assistance and multi-language toolchains, attackers are adapting by launching coordinated, cross-ecosystem campaigns that exploit trust in package repositories.

Broader Implications for Software Supply Chain Security

The TrapDoor campaign highlights several emerging trends in 2026 cybersecurity threats. First, the willingness of attackers to invest in multi-registry operations signals increasing sophistication and resource availability. Second, the explicit targeting of AI and crypto developers reflects a strategic focus on high-value intellectual property and financial assets.

Organizations are urged to adopt comprehensive supply chain security measures. This includes using tools that provide deep package analysis, enforcing signed and verified dependencies, maintaining strict least-privilege access for developer accounts, and regularly monitoring for anomalous package behavior.

As the digital economy grows more interconnected, incidents like TrapDoor serve as critical reminders that securing the software supply chain requires vigilance across every layer of the development process. Developers and security teams must remain proactive to protect both their own assets and the broader ecosystem they support.