- A coordinated supply chain attack, codenamed TrapDoor, has deployed malware across three major developer platforms: npm, PyPI, and Crates.io.
- The campaign targets crypto, DeFi, Solana, and AI developers to steal credentials, wallets, and secrets via malicious packages.
- Attackers use sophisticated persistence methods, including AI assistant trickery via hidden files, to maintain access and move laterally.
- Over 34 malicious packages across 384 versions have been identified, with the earliest activity recorded on May 22, 2026.
A sophisticated new malware campaign has targeted developers across three major software ecosystems, according to a recent report. The coordinated attack, dubbed TrapDoor, began distributing credential-stealing packages on May 22, 2026, via npm, PyPI, and Crates.io.
In total, the malicious operation spans more than 34 packages across over 384 versions. The packages are designed to masquerade as legitimate developer tools for crypto and AI workflows.
These malicious modules specifically target developers in crypto, DeFi, Solana, and AI communities. Their primary goal is to steal developer secrets, cryptocurrency wallets, SSH keys, and cloud credentials.
Several npm packages deploy a shared payload called trap-core.js. This script scans for credentials, validates stolen AWS and GitHub tokens, and plants persistence mechanisms.
The campaign also uses a clever technique to exploit AI coding assistants. It implants hidden instructions in project files like .cursorrules and CLAUDE.md to trigger malicious actions.
Meanwhile, the Rust crates search for local keystores and exfiltrate encrypted data to GitHub Gists. They leverage build scripts to execute malicious code upon installation.
Similarly, the Python packages auto-execute on import to download remote JavaScript payloads. This method allows attackers to update the malware’s behavior without republishing packages.
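The three install-time and assistant-abuse paths described above (hidden instruction files for AI coding assistants, Rust build scripts that run at install, and Python packages that fetch and execute code on import) are all visible in an unpacked package before it is ever installed. The following pre-install audit is an added example written for this article; it is not code from the report or from Socket. It walks a package directory and flags those indicators with simple heuristics. All file names, regex patterns and the sample package it builds are constructed for illustration and are not indicators taken from the TrapDoor campaign.

```python
"""Pre-install package audit (added example, constructed patterns; not from the report)."""
import os
import re
import tempfile

# Files that AI coding assistants read as standing instructions. Any package that
# ships one deserves a human look; the leading dot also hides it from a casual ls.
AI_INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md", "AGENTS.md"}

# Heuristic (category, regex) pairs per file kind. Hits are leads, not verdicts.
RUST_BUILD_PATTERNS = [
    ("network-in-build-script", re.compile(r"\b(reqwest|ureq|TcpStream|curl)\b")),
    ("process-spawn-in-build-script", re.compile(r"std::process::Command")),
]
PYTHON_IMPORT_PATTERNS = [
    ("remote-fetch-on-import", re.compile(r"\b(urllib\.request|requests\.get|urlopen)\b")),
    ("dynamic-exec-on-import", re.compile(r"\b(exec|eval|subprocess\.(run|Popen|call))\s*\(")),
]
JS_PATTERNS = [
    ("credential-file-access", re.compile(r"\.(aws|ssh|npmrc|pypirc)\b")),
    ("lifecycle-script", re.compile(r'"(preinstall|postinstall)"\s*:')),
]


def scan_package(root: str) -> list[tuple[str, str]]:
    """Return (relative_path, finding) pairs for the unpacked package at `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in AI_INSTRUCTION_FILES:
                findings.append((rel, "ai-instruction-file"))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            # Pick the pattern set by the role the file plays at install or import time.
            if name == "build.rs":
                patterns = RUST_BUILD_PATTERNS
            elif name in ("__init__.py", "setup.py"):
                patterns = PYTHON_IMPORT_PATTERNS
            elif name.endswith(".js") or name == "package.json":
                patterns = JS_PATTERNS
            else:
                patterns = []
            for label, rx in patterns:
                if rx.search(text):
                    findings.append((rel, label))
    return findings


def build_sample_package() -> str:
    """Write a constructed package that exhibits each indicator; returns its path."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    os.makedirs(os.path.join(root, "pkg"))
    samples = {
        "README.md": "# sample package (constructed, benign)\n",
        ".cursorrules": "# constructed assistant instruction file\n",
        "build.rs": "use std::process::Command;\nfn main() {}\n",
        "pkg/__init__.py": "import urllib.request\ncode = ''\nexec(code)\n",
        "package.json": '{"name": "sample", "scripts": {"postinstall": "node index.js"}}\n',
        "index.js": "const p = require('path').join(require('os').homedir(), '.aws', 'credentials');\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, finding in sorted(scan_package(build_sample_package())):
        print(f"{finding:32} {rel}")
```

Run it against an extracted tarball (`npm pack`, `pip download`, or `cargo package` output) rather than an installed copy, because the whole point is to look before any lifecycle script, build script or import-time code has had a chance to run. Expect false positives from legitimate packages that use `subprocess` or read dotfiles; the audit is a triage filter, not a classifier.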
The complete list of identified packages reveals names tailored to appear relevant to crypto development and security. This typosquatting strategy aims to reach a broad audience of unsuspecting developers.
The operation demonstrates how attackers are combining traditional methods with newer developer-environment attack paths. “TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths,” Socket said.
