TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via Npm, PyPI, and CratesIO

The TrapDoor operation marks one of the most extensive cross‑ecosystem supply‑chain assaults to date, affecting over 384 package versions in three major registries. First observed on May 22, 2026, the campaign targets developers working on cryptocurrency, decentralized finance, and artificial‑intelligence projects. By masquerading as legitimate tooling—such as "async-pipeline-builder" for npm or "cryptowallet-safety" for PyPI—the attackers gain immediate access to a global audience of engineers, positioning themselves to harvest a wealth of privileged data.

Technical sophistication underpins the campaign’s success. npm packages deploy a shared JavaScript payload (trap‑core.js) that scans for AWS and GitHub tokens, validates them, and creates persistence via cron jobs, systemd services, and Git hooks. Python modules auto‑execute on import, pulling remote JavaScript from a GitHub Pages domain, while Rust crates leverage malicious build.rs scripts to encrypt keystores and exfiltrate them to GitHub Gists. An especially novel vector involves embedding hidden instructions in .cursorrules and CLAUDE.md files, coaxing AI assistants into running secret‑discovery scans that further broaden the attack surface.

For enterprises and open‑source maintainers, TrapDoor underscores the urgency of rigorous supply‑chain hygiene. Continuous monitoring of package registries, automated provenance checks, and strict validation of post‑install scripts are essential defenses. Organizations should enforce least‑privilege credentials, employ runtime detection tools for anomalous token usage, and educate developers about the risks of importing unverified dependencies. As threat actors blend traditional typosquatting with AI‑driven exploitation, a proactive, layered security strategy becomes the only viable shield against such multi‑vector incursions.