34 Packages Compromised in New npm, PyPI, Hackers Crates

A new, active supply chain attack, dubbed the TrapDoor campaign, is deploying 34 malicious packages and over 384 related versions across npm, PyPI, and Crates.io. Its objective is to steal developer credentials and cryptocurrency wallets.

The operation explicitly targets developers in the crypto, DeFi, Solana, and AI communities by disguising malware as generic developer tools and security scanners.

The campaign’s earliest observed component was the PyPI package [email protected], published on May 22, 2026, before expanding rapidly into other repositories. Packages were uploaded in distinct waves across all three registries, utilizing deceptive names like prompt-engineering-toolkit, solidity-deploy-guard, and defi-threat-scanner to heavily feign legitimacy within adjacent developer communities.

Socket’s detected these TrapDoor releases with a median detection time of 5 minutes and 27 seconds, effectively classifying the entire campaign as malicious before widespread adoption could occur.

Cross Ecosystem Attack Vectors

The TrapDoor campaign utilizes distinct, ecosystem-specific execution paths to maximize its reach during standard developer installation and build workflows. By tailoring the attack vector to the specific package registry, the threat actor ensures silent execution occurs before developers can properly inspect the underlying dependencies.

TrapDoor attempts to harvest an extensive array of developer data, specifically targeting Sui, Solana, and Aptos crypto wallets, alongside SSH keys, browser profiles, and AWS environment variables.

The 1,149-line shared npm payload, trap-core.js, actively ensures long-term access by establishing complex persistence through systemd services, cron jobs, Git hooks, and shell hooks.

Furthermore, stolen SSH keys are subsequently repurposed to execute automated lateral movement, effectively transforming single compromised workstations into persistent gateways for broader corporate network breaches.

A defining characteristic of TrapDoor is its deliberate targeting of AI coding assistants via modified .cursorrules and CLAUDE.md project files.

The threat actor utilizes zero-width Unicode characters to obscure malicious prompts, tricking the AI into performing hostile credential exfiltration under the guise of executing an automated project security scan, Socket said.

To scale this specific attack vector, the attacker used the GitHub account ddjidd564 to submit deceptive pull requests containing these poisoned configuration files to prominent open-source AI projects like LangChain, MetaGPT, and OpenHands.

The attacker maintains a sophisticated command and control architecture on GitHub Pages, hosting active malicious configuration files alongside a detailed AUDIT-MATRIX.md framework design document.

This operational playbook describes a “Universal AI Agent Extraction Framework” that strategically relies on a disguise layer to map stealthy credential theft to seemingly benign developer automation workflows.

To maximize the value of exfiltrated data, the payloads actively validate stolen AWS and GitHub tokens via live API queries while utilizing advanced cryptography across the different ecosystems to evade standard network detection.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.