TrapDoor Campaign Steals Crypto Keys via npm, PyPI, Crates.io

CyberSecureFox Editorial Team

Researchers from Socket have discovered a coordinated supply chain attack, codenamed TrapDoor, that simultaneously affected the three largest package registries — npm, PyPI and Crates.io. According to the researchers, the campaign includes more than 34 malicious packages across 384+ versions, aimed at stealing cryptocurrency wallets, SSH keys, cloud credentials and environment variables. Developers working on cryptocurrency projects, DeFi tools, the Solana platform and AI tooling are advised to immediately check their dependencies for the packages listed below.

Scope and timeline of the campaign

According to Socket, the first TrapDoor activity was recorded on 22 May 2026 at 20:20 UTC. New packages were published in waves from a cluster of accounts in rapid succession — a tactic typical for coordinated supply chain attacks, where the attacker seeks to maximize reach before detection.

The full list of malicious packages is distributed across ecosystems as follows:

  • Crates.io (6 packages): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils
  • npm (21 packages): async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader
  • PyPI (7 packages): cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard

The package names are chosen to look like legitimate tools for cryptocurrency development, security auditing, environment setup and AI-related work. The packages in Crates.io deliberately mimic tools from the Sui and Move ecosystems.

Technical implementation by ecosystem

npm: shared trap-core.js payload

Several npm packages use postinstall hooks to launch a shared JavaScript module called trap-core.js. This module does the following: scans the file system for developer credentials and secrets, validates stolen AWS and GitHub tokens via calls to the respective APIs, establishes persistence via cron jobs, systemd services and Git hooks, and also performs lateral movement across the network via SSH.

Crates.io: exfiltration via GitHub Gists

The malicious Rust packages use the Cargo build script mechanism (build.rs) to run malicious code at compile time. The malware searches for local key stores, encrypts the data it finds using a hard-coded XOR key, and sends it to GitHub Gists. The use of build.rs — a standard Cargo mechanism — makes malicious activity difficult to detect without specialized analysis.

PyPI: delegating execution to remote JavaScript

The Python packages execute automatically upon import. Their main task is to download JavaScript from the attacker-controlled domain ddjidd564.github[.]io (GitHub Pages) and run it via node -e. This approach allows the attacker to change the behavior of the malicious code without publishing new versions of the package to PyPI — it is enough to modify the content on GitHub Pages.

Attack on AI assistants via configuration file poisoning

The most unconventional element of the campaign is the introduction of .cursorrules and CLAUDE.md files containing hidden instructions designed to manipulate AI coding assistants. These files contain directives encouraging the AI to launch a “security check” that in reality results in discovering and exfiltrating secrets.

According to Socket, the attacker opened pull requests in popular AI-related projects, including browser-use/browser-use, langchain-ai/langchain and langflow-ai/langflow. The researchers believe the attacker was testing the ability to inject malicious configuration files through standard open-source contribution workflows. If such files are merged into a repository, AI coding tools will automatically parse the hidden instructions and execute them. This assessment comes from a single research source and requires independent confirmation.

Indicators of compromise

  • Domain: ddjidd564.github[.]io — used to host remote JavaScript payloads
  • Files: trap-core.js — shared malicious module in npm packages
  • Persistence mechanisms: .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd services, cron jobs, SSH configuration
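A sweep of a project or home directory for the indicators listed above, as an added example (not code from Socket or from this article's source). The finding labels and the 2 MB content-search limit are assumptions; .cursorrules and CLAUDE.md are reported for manual review because those files also have legitimate uses.

```python
import os
from pathlib import Path

# Indicators from this article; the domain is re-fanged in code only for matching.
DOMAIN = "ddjidd564.github[.]io".replace("[.]", ".").encode()
PAYLOAD_NAMES = {"trap-core.js"}
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}
MAX_BYTES = 2_000_000  # assumption: larger files are not content-searched

def sweep(root):
    """Return sorted (finding, relative path) pairs for files under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        in_hooks = Path(dirpath).parts[-2:] == (".git", "hooks")
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if name in PAYLOAD_NAMES:
                findings.add(("payload-filename", rel))
            if name in AI_CONFIG_NAMES:
                findings.add(("ai-config-to-review", rel))
            # Git installs inactive *.sample hooks; any other file here can run.
            if in_hooks and not name.endswith(".sample"):
                findings.add(("active-git-hook", rel))
            try:
                small = path.is_file() and path.stat().st_size <= MAX_BYTES
                if small and DOMAIN in path.read_bytes():
                    findings.add(("domain-reference", rel))
            except OSError:
                pass  # unreadable or vanished file: no content finding
    return sorted(findings)

if __name__ == "__main__":
    for finding, rel in sweep("."):
        print(f"{finding:22} {rel}")
```

An active Git hook or an AI configuration file is not malicious by itself; each hit is a file to open and read.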

Impact assessment

Developers working on cryptocurrency projects, DeFi protocols, the Solana blockchain, as well as AI tools, face the highest risk. Compromise of a developer workstation can lead to the leakage of private keys for crypto wallets, AWS cloud credentials, GitHub tokens and SSH keys — opening the door to further attacks on an organization’s infrastructure. The lateral movement mechanism over SSH means that a single infected machine can become an entry point into a corporate network.

Recommendations

  1. Check your dependencies: audit package.json, requirements.txt and Cargo.toml files for any of the 34 packages listed. Remove any detected packages and all related artifacts.
  2. Rotate secrets: if a malicious package was installed, immediately revoke and reissue all AWS and GitHub tokens, SSH keys and cryptocurrency wallet mnemonic phrases that were accessible from the compromised system.
  3. Check persistence mechanisms: inspect cron jobs (crontab -l), systemd services, Git hooks in repositories (.git/hooks/), as well as .cursorrules and CLAUDE.md files in project roots.
  4. Block the domain: add ddjidd564.github[.]io to blocklists at the DNS and proxy level.
  5. Review pull requests: when maintaining open-source projects, check incoming PRs for .cursorrules and CLAUDE.md files with suspicious instructions.
  6. Use dependency analysis tools: add package checks to your CI/CD pipeline using specialized scanners capable of detecting suspicious postinstall hooks, build.rs scripts, and auto-execution on import.
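One way to carry out step 1, as an added example that is not code from Socket or from this article's source: it walks a project tree and reports every package.json, requirements.txt or Cargo.toml that declares a name from the list above. The function names are hypothetical, and only direct declarations in those three manifest files are checked, not lockfiles or other requirements file names.

```python
import json
import re
from pathlib import Path

# Package names copied from this article's list, keyed by the manifest to check.
LISTED = {k: set(v.split()) for k, v in {
    "package.json": """async-pipeline-builder build-scripts-utils chain-key-validator
        crypto-credential-scanner defi-env-auditor defi-threat-scanner
        deployment-key-auditor dev-env-bootstrapper eth-wallet-sentinel
        llm-context-compressor mnemonic-safety-check model-switch-router
        node-setup-helpers project-init-tools prompt-engineering-toolkit
        solidity-deploy-guard token-usage-tracker wallet-backup-verifier
        wallet-security-checker web3-secrets-detector workspace-config-loader""",
    "requirements.txt": """cryptowallet-safety data-pipeline-check defi-risk-scanner
        env-loader-cli eth-security-auditor git-config-sync solidity-build-guard""",
    "Cargo.toml": """move-analyzer-build move-compiler-tools move-project-builder
        sui-framework-helpers sui-move-build-helper sui-sdk-build-utils""",
}.items()}

def norm(name):  # fold case and separators: "Env_Loader.CLI" -> "env-loader-cli"
    return re.sub(r"[-_.]+", "-", name.strip().lower())

def declared(kind, text):
    """Return candidate dependency names from one manifest (a superset is fine)."""
    if kind == "package.json":
        doc = json.loads(text)
        fields = ("dependencies", "devDependencies", "optionalDependencies")
        return {norm(n) for f in fields for n in (doc.get(f) or {})}
    if kind == "requirements.txt":
        # Requirement lines begin with the project name; options begin with "-".
        return {norm(n) for n in re.findall(r"^\s*([A-Za-z0-9][\w.-]*)", text, re.M)}
    # Cargo.toml: bare keys, [*dependencies.<name>] tables, package = "<name>".
    pats = (r"^\s*([\w-]+)\s*[.=]", r"dependencies\.([\w-]+)\s*\]",
            r'package\s*=\s*"([\w-]+)"')
    return {norm(n) for p in pats for n in re.findall(p, text, re.M)}

def audit(root):
    """Map each manifest under root to the listed packages it declares."""
    hits = {}
    for path in Path(root).rglob("*"):
        try:
            found = LISTED[path.name] & declared(path.name, path.read_text(errors="replace"))
        except (KeyError, OSError, ValueError, AttributeError):
            continue  # not a manifest, unreadable, or malformed (e.g. a fixture)
        if found:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits

if __name__ == "__main__":
    print(json.dumps(audit("."), indent=2))
```

Run from a project root, it prints a JSON object of manifest paths and the listed names found in each; an empty object means no direct declaration was found.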

The TrapDoor campaign demonstrates the convergence of two trends: classic package typosquatting and the exploitation of new vectors through AI development assistants. The top priority is to audit dependencies against the provided package list, followed by rotating all secrets on affected systems. Teams using AI coding tools (Cursor, Claude) should additionally check their repositories for unauthorized configuration files that could steer the behavior of AI assistants.

