Analyzing “TrapDoor”: A Sophisticated Multi-Ecosystem Supply Chain Campaign
A highly coordinated software supply chain attack is currently targeting the developer ecosystem, specifically aimed at compromising high-value credentials within the Web3 and AI sectors. This campaign, identified by security researchers at Socket, has been dubbed “TrapDoor.” It has successfully infiltrated at least 34 open-source packages, spanning hundreds of malicious versions across npm, PyPI, and Crates.io.
Cross-Ecosystem Execution Vectors
Unlike many targeted attacks that focus on a single language runtime, TrapDoor demonstrates a sophisticated understanding of different package manager lifecycles. The campaign began on May 22, 2026, with the deployment of the eth-security-auditor package on PyPI, subsequently expanding into a multi-platform offensive.
The attackers utilize ecosystem-specific hooks to ensure malicious code executes during standard development workflows, effectively turning “install” or “build” commands into exploitation triggers:
- npm: Leverages
postinstallscripts to trigger payload execution immediately after package installation. - PyPI: Employs malicious logic that executes remote JavaScript during the package import process.
- Crates.io: Abuses the Rust
build.rsscript, allowing code to execute during the compilation phase.
At the heart of this operation is a shared malicious payload known as trap-core.js. This script functions as a modular stealer, scanning the host filesystem for sensitive artifacts, validating the quality of stolen data, and establishing persistent access to the developer’s machine.

Data Exfiltration and Persistence Mechanisms
The primary objective of TrapDoor is the theft of cryptographic assets and infrastructure access tokens. The malware performs targeted sweeps for:
- Identity & Access: SSH private keys, AWS access keys, GitHub personal access tokens (PATs), and cloud service credentials.
- Crypto Assets: Wallet data and private keys for major ecosystems, including Solana, Sui, and Aptos.
- Session Data: Browser-stored credentials, cookies, and active session information.
- Development Context: Environment variables and sensitive API keys stored in
.envfiles.
To ensure long-term access, the campaign employs several persistence techniques. These include hijacking Git hooks, modifying shell configuration files (e.g., .zshrc or .bashrc), scheduling cron jobs, and creating systemd services. Furthermore, by stealing SSH credentials, the attackers facilitate lateral movement, potentially pivoting from a single developer workstation to entire production infrastructures.
Exploiting the AI Development Workflow
In a notable evolution of supply chain tactics, TrapDoor targets the burgeoning field of AI-assisted coding. The attackers inject malicious instructions into configuration files used by AI coding assistants, such as .cursorrules and CLAUDE.md.
By using hidden Unicode characters to evade simple text-based detection, the attackers trick AI tools into executing “security scans” that are actually data exfiltration commands. There have also been reports of attackers attempting to inject these malicious guidelines directly into legitimate GitHub repositories via deceptive pull requests, masquerading as helpful documentation improvements.
Mitigation Strategies for Developers
The TrapDoor campaign underscores the reality that modern threats target the entire developer environment, not just the final application code. To defend against these evolving tactics, organizations should adopt a “Zero Trust” approach to dependencies:
- Dependency Auditing: Implement strict vetting processes for new packages, focusing on package age, download velocity, and maintainer reputation.
- Behavioral Monitoring: Utilize security tooling capable of detecting anomalous
postinstallorbuild.rsactivity. - Credential Isolation: Avoid storing high-privilege secrets in local environment variables; utilize dedicated secret management services.
- Least Privilege: Regularly rotate API keys and limit the scope of SSH keys used on development machines.
Targeted Package Reference Table
The following table lists several identified malicious packages used in the campaign, categorized by their target ecosystem and deceptive theme.
| Ecosystem | Package Name | Deceptive Theme / Lure |
|---|---|---|
| npm | async-pipeline-builder | Generic asynchronous workflow utilities |
| npm | chain-key-validator | Blockchain/cryptography validation helper |
| npm | llm-context-compressor | AI/LLM optimization tool |
| npm | wallet-security-checker | Deceptive “security” utility for wallets |
| PyPI | eth-security-auditor | Ethereum project security auditing (Initial vector) |
| PyPI | defi-risk-scanner | DeFi risk analysis tool |
| Crates | sui-framework-helpers | Development tools for the Sui ecosystem |
| Crates | move-analyzer-build | Analysis tools for the Move language |