TrapDoor Hits npm, PyPI, Crates.io—34 Packages Target AI Devs

A coordinated supply chain attack dubbed TrapDoor has been spreading credential-stealing malware through 34 malicious packages across npm, PyPI, and Crates.io since May 22, targeting developers working on cryptocurrency, DeFi, and AI projects.

Security researchers at Socket identified the campaign spanning more than 384 versions of trojanized packages, with names designed to blend into legitimate development workflows. The attackers are stealing SSH keys, crypto wallet data, AWS credentials, GitHub tokens, and environment variables from compromised developer machines.

What TrapDoor Steals

The malware targets an extensive list of sensitive data:

• SSH keys and configuration files
• Cryptocurrency wallets including Sui, Solana, and Aptos keystores
• Cloud credentials from AWS, GitHub, and other services
• Browser login databases and extension data
• Environment variables and API keys
• Local development configuration files

This attack follows a pattern we've seen accelerating in 2026. Just last week, Laravel Lang packages were compromised in a similar credential-stealing campaign, and the Shai-Hulud malware source code leak has enabled copycat attacks across package ecosystems.

Malicious Packages by Ecosystem

Crates.io (6 packages): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-sdk-build-utils, sui-move-build-helper

npm (20 packages): async-pipeline-builder, chain-key-validator, crypto-credential-scanner, defi-env-auditor, eth-wallet-sentinel, llm-context-compressor, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-security-checker, web3-secrets-detector, and others

PyPI (7 packages): cryptowallet-safety, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard, data-pipeline-check

The package names specifically target developers in crypto, DeFi, Solana, and AI communities—exactly the kind of professionals who would install something called "prompt-engineering-toolkit" or "wallet-security-checker" without much scrutiny.

How the Attack Works

Each ecosystem uses a different execution method, making detection harder:

npm packages use postinstall hooks and a shared payload called "trap-core.js" that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and establishes persistence through cron jobs, systemd services, Git hooks, and .cursorrules files.

Rust packages search for local keystores at build time, encrypt data using hardcoded XOR keys, and exfiltrate information to GitHub Gists via build.rs scripts.

Python packages auto-execute on import and download JavaScript from attacker-controlled GitHub Pages domains, executing it via node -e to enable flexible payload updates without releasing new package versions.

AI Assistants Weaponized

The most unusual aspect of this campaign is the deliberate targeting of AI coding assistants. Attackers implanted hidden instructions in .cursorrules and CLAUDE.md files, attempting to trick AI tools into running a "security scan" that actually exfiltrates discovered secrets.

The attackers opened pull requests on popular AI projects including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow, hoping to get these poisoned configuration files merged into codebases where AI assistants would execute them.

This represents a new attack vector that security teams haven't traditionally monitored. Organizations using AI coding assistants should audit any .cursorrules, CLAUDE.md, or similar AI configuration files in their repositories. The Megalodon GitHub CI/CD attack we covered earlier this week similarly targeted developer automation, indicating a broader trend of attackers going after development infrastructure.

Why This Matters

Supply chain attacks against package managers have become one of the most effective initial access vectors for credential theft. Developers often install packages with minimal vetting, especially when names suggest security or productivity tooling.

Socket detected TrapDoor releases in an average of 5 minutes and 56 seconds, with some detections happening in under a minute. That's impressively fast, but the attackers clearly expect some downloads to occur before takedowns—and even a handful of compromised developer machines can yield significant credential hauls.

Recommended Actions

1. Audit dependencies installed since May 22 against the published package lists
2. Rotate credentials if any TrapDoor packages were installed, including SSH keys, API tokens, and cloud credentials
3. Check AI configuration files in repositories for hidden instructions
4. Enable package signing verification where supported
5. Use lockfiles and dependency pinning to prevent silent updates

For organizations building in the crypto or AI space, consider implementing a package approval process for new dependencies. The era of npm install whatever-looks-useful needs to end.

The coordinated nature of this attack—hitting three major package ecosystems simultaneously with ecosystem-specific payloads—suggests a well-resourced operation. Whether financially motivated or part of a broader intelligence-gathering campaign remains unclear, but the targeting of AI and crypto developers points toward either financial theft or access to cutting-edge technology projects.