Malicious Packages Steal Cloud Keys, Wallets & Hackers Credentials
Threat actors have successfully infiltrated three major open-source ecosystems, deploying 34 malicious packages designed to covertly steal sensitive data. These packages have been exfiltrating cloud...
Threat actors have successfully infiltrated three major open-source ecosystems, deploying 34 malicious packages designed to covertly steal sensitive data. These packages have been exfiltrating cloud credentials, SSH keys, and blockchain wallet information from developers, who remained largely unaware of the compromise. Further details on this campaign are available in The campaign, named TrapDoor, was first disclosed on May 24, 2026 by the security research team at Socket.dev, who found the poisoned packages spread across npm, PyPI, and Crates.io.
With 384 published versions in total, the operation targeted developers in cryptocurrency, DeFi, Solana, AI, and security research. Simply installing or building a package was enough to trigger the malicious code, with no further action required from the victim.
What made TrapDoor particularly dangerous was how naturally it fit into normal developer workflows. The attackers used each ecosystem’s own built-in mechanisms to trigger malicious logic automatically.
In PyPI, the code fired the moment a package was imported. In Crates.io, it ran during the compilation phase. In npm, it launched silently right after installation completed without raising any alerts.
Analysts at SlowMist, using their MistEye threat intelligence system, identified malicious package activity across all three ecosystems and conducted a deep technical analysis.
SlowMist said in a report shared with Cyber Security News (CSN) that they examined three representative samples: git-config-sync from PyPI, token-usage-tracker from npm, and sui-framework-helpers from Crates.io.
Their findings revealed a campaign built around one core philosophy: develop the attack once and reuse it across every ecosystem.
The stolen data included AWS keys, GitHub tokens, OpenAI API keys, SSH private keys, blockchain wallet files, browser login databases, and environment variables containing passwords or secrets.
The npm sample went further, attempting to crack weak passwords on Ethereum keystore files and execute remote commands on infected machines.
The combined scope of theft was broad enough to give attackers access to both personal accounts and any cloud infrastructure a developer managed.
The infrastructure behind TrapDoor was deliberately designed to avoid detection. Rather than relying on unfamiliar domains, the attackers routed stolen data through GitHub Pages, GitHub Gist, and webhook.site, all services that enterprise firewalls routinely allow and trust.
This caused exfiltrated credentials to blend into normal-looking traffic, making it difficult for security tools to flag anything suspicious.
Hackers Use 34 Malicious Packages
The TrapDoor campaign followed the same three-stage pattern across all ecosystems: trigger, collect, and exfiltrate. Each package was disguised as a legitimate developer tool.
The Python package git-config-sync fired a malicious thread within seconds of being loaded, using a random delay to avoid suspicion.
It scanned directories like .ssh, .aws, and .ethereum using six pattern-matching groups designed to catch private keys, mnemonic phrases, API tokens, and passwords.
The Rust package sui-framework-helpers activated during compilation, targeting Sui, Aptos, and Solana wallet files before encoding stolen data with a XOR cipher and uploading it to a public GitHub Gist.
The npm package token-usage-tracker was the most capable of the three, forking a hidden background process after installation and sweeping browser credentials, cloud keys, and wallet data across a broad set of file paths.
AI Coding Assistants Turned Into Propagation Tools
What set the npm sample apart was a sophisticated propagation module that went far beyond simple credential theft.
Once installed, token-usage-tracker rewrote .cursorrules and CLAUDE.md files in the victim’s project directories, injecting instructions that manipulated AI coding tools like Cursor and Claude Code into executing malicious actions during future sessions.
Zero-width characters, invisible to the human eye, were embedded in these files to carry encoded payloads that AI models could still interpret and execute.
The package also injected commands into Git hooks so that every git pull or branch switch silently downloaded fresh malicious code. Shell files like .bashrc and .zshrc were modified to run another attacker-controlled package, dev-env-bootstrapper, every hour.
Developers who suspect exposure should remove affected packages, rotate all potentially compromised credentials, and clean .cursorrules, CLAUDE.md, Git hooks, and shell files of any references to P-2024-001, ddjidd564, or dev-env-bootstrapper.
Security teams should also add TrapDoor-related indicators to their CI/CD detection rules immediately.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | ddjidd564[.]github[.]io | Attacker-controlled GitHub Pages domain used for remote configuration distribution |
| URL | https[:]//ddjidd564[.]github[.]io/defi-security-best-practices/config.json | Remote configuration endpoint shared by Python and npm samples for webhook retrieval |
| URL | https[:]//raw[.]githubusercontent[.]com/ddjidd564/defi-security-best-practices/main/config.json | Raw GitHub mirror of the attacker’s configuration file |
| URL | https[:]//ddjidd564[.]github[.]io/defi-security-best-practices/priority_targets.json | Priority target configuration file used by the npm sample |
| URL | https[:]//raw[.]githubusercontent[.]com/ddjidd564/defi-security-best-practices/gh-pages/scan-bundled.js | Malicious propagation script injected via Git hooks |
| URL | https[:]//raw[.]githubusercontent[.]com/ddjidd564/defi-security-best-practices/gh-pages/scan.js | Secondary malicious script hosted on attacker-controlled GitHub repository |
| URL | https[:]//webhook[.]site/2ada14c8-00f6-43ce-9ad6-f5dc15952246 | Webhook exfiltration receiver endpoint (fallback channel) |
| URL | https[:]//webhook[.]site/7513bf3d-7092-4739-bf15-a8f779a75546 | Webhook exfiltration receiver endpoint (fallback channel) |
| URL | https[:]//webhook[.]site/d1652693-2eb8-4281-b9e8-cffff36da2f8 | Webhook exfiltration receiver endpoint (fallback channel) |
| File Name | git-config-sync | Malicious PyPI package disguised as a Git configuration sync tool |
| File Name | token-usage-tracker | Malicious npm package disguised as an AI token usage tracker |
| File Name | sui-framework-helpers | Malicious Crates.io package disguised as a Sui Move development helper |
| File Name | dev-env-bootstrapper | Secondary malicious npm package used for hourly persistent re-infection |
| File Path | /tmp/.cargo_build_log_<pid>.hex | Temporary on-disk copy of XOR-encoded stolen wallet data (Rust sample) |
| File Path | ~/.local/share/.p2024_integrity | Marker file used by npm sample to prevent repeated infection within 24 hours |
| Attack Marker | P-2024-001 | Unified attack marker string used across npm payloads, shell RC functions, and AI context files |
| Encryption Key | cargo-build-helper-2026 | Fixed XOR key used by the Rust sample to obfuscate exfiltrated wallet data |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.