TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io
May 25, 2026
AntV npm Packages Compromised via Hijacked Maintainer Account
May 19, 2026
CVE-2026-42945: NGINX Rewrite Module Heap Overflow Enables Unauthenticated Code Execution
May 13, 2026
TanStack and Mistral npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
May 11, 2026
Microsoft Patches Critical ASP.NET Core DataProtection Flaw That Breaks Cryptographic Signatures
April 23, 2026
Vercel got breached. Here is what that means for everyone downstream.
April 19, 2026
When the System Built to Warn Us Can No Longer Keep Pace
April 15, 2026
Your AI Agent Remembers Your Secrets
April 13, 2026
Your Home Directory is a Secret Goldmine for Attackers
April 6, 2026
When a core npm dependency becomes the attack path: lessons from the Axios compromise
March 31, 2026
When the AI dependency becomes the attack path: lessons from the LiteLLM PyPI compromise
March 24, 2026
When the security scanner becomes the attack path: lessons from the Trivy compromise
March 23, 2026
Critical Path Traversal Vulnerability in jsPDF Library (CVE-2025-68428)
January 6, 2026
MongoBleed: Unauthenticated Memory Disclosure in MongoDB (CVE-2025-14847)
December 27, 2025
Critical Remote Code Execution in n8n Workflow Automation: CVE-2025-68613
December 19, 2025
The Return of Shai-Hulud: npm's Worm Strikes Back
November 24, 2025
Critical Chrome Zero-Day Exploited: Google Rushes Emergency Patch for CVE-2025-0411
October 28, 2025
Critical Remote Code Execution Vulnerability in React Server Components
December 3, 2025
Supply Chain SecurityMay 25, 20267 min read

TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io

TrapDoor planted 34 malicious packages across npm, PyPI, and Crates.io in May 2026, stealing cryptocurrency wallet keystores, SSH keys, and cloud tokens from blockchain and AI developers.

Beginning May 22, 2026, a set of 34 malicious packages began appearing across npm, PyPI, and Crates.io with a shared goal: reach developer machines in the cryptocurrency, DeFi, and AI ecosystems, collect credentials, and send them out quietly. Socket researchers, who named the campaign TrapDoor, caught the first package at 20:20:18 UTC on May 22. By the time the wave finished, more than 384 versions and artifacts had been published across all three registries. Average time from publication to detection was five minutes and 56 seconds. The fastest catch was 58 seconds.

The package names gave the campaign its cover. Names like mnemonic-safety-check, solidity-deploy-guard, and eth-security-auditor read exactly like utilities a blockchain or AI developer would pull without a second thought. Developers in these spaces routinely install small helper packages; the attacker built around that behavior.

How the attack works

Each registry got a different execution trigger, which made the campaign harder to catch with any single scanning approach. On npm, 21 packages fired a postinstall hook at install time. The hook loaded a shared payload called trap-core.js: 1,149 lines, 48,485 bytes. Before exfiltrating anything, the payload made live calls to AWS and GitHub API endpoints to test each stolen credential. Only the ones that responded as valid were packaged for transmission. Encryption used Fernet symmetric encryption layered with ECDH key exchange.

The seven PyPI packages used a simpler path: code ran on module import. A plain import statement was enough to trigger a download from an attacker-controlled GitHub Pages domain. The downloaded file ran locally via node -e. In practice, the Python packages acted as launchers for the same JavaScript infrastructure used on npm.

On Crates.io, the six packages used build.rs scripts. In Rust projects, build.rs compiles and runs before the rest of your project builds. The malicious scripts scanned for local cryptocurrency keystores, XOR-encrypted them with the hardcoded key cargo-build-helper-2026, and pushed the encrypted output to GitHub Gists.

Beyond the initial theft, TrapDoor wrote for persistence. A recovered GitHub token with repository access triggered a second stage: the malware dropped .cursorrules and CLAUDE.md files to redirect AI coding assistants, installed git and shell hooks, created systemd services and cron jobs, and attempted to move laterally using stolen SSH keys. Separately, the attacker submitted pull requests to LangChain, Langflow, LLaMA Index, MetaGPT, OpenHands, and browser-use, each injecting a .cursorrules file carrying hidden Unicode characters and links to attacker-controlled infrastructure.

What was affected

All 34 packages across the three registries were reported to the respective registries after detection. The full list:

  • npm (21 packages): async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader
  • PyPI (7 packages): cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard
  • Crates.io (6 packages): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils

Why this campaign stands out

Running a coordinated campaign across three registries at once is not common. Most supply chain attacks settle on one ecosystem. TrapDoor adapted its execution method to each: a postinstall hook for Node.js, an import side effect for Python, a build script for Rust. The PyPI packages routed through the same JavaScript payload infrastructure used on npm, suggesting the attacker built a single backend and wrote registry-specific launchers on top of it.

The attacker also published a GitHub repository describing the entire operation as a “Universal AI Agent Extraction Framework,” complete with sections on data exfiltration, prompt injection, AI-agent abuse, and persistence. The internal campaign marker P-2024-001 shows up across multiple components. Accounts tied to the campaign are GitHub user ddjidd564, npm user asdxzxc, and PyPI users asdmini67 and dae5411.

What teams should do

Any install run that pulled one of these packages should be treated as a potential compromise. Start with credentials that would have been accessible during that session.

  • Cross-check your lock files. Search installed package names against the full TrapDoor list across npm, PyPI, and Crates.io. Lock files preserve exact install history even if packages have since been removed.
  • Rotate credentials that were accessible. SSH keys, AWS and cloud tokens, GitHub tokens, npm publish tokens, and any cryptocurrency wallet credentials on the affected machine should all be cycled.
  • Look for persistence footprints. Check ~/.gitconfig and .git/hooks/ for entries you did not add, review shell startup files for unfamiliar lines, and search your home directory and project roots for unexpected .cursorrules or CLAUDE.md files.
  • Inspect AI assistant configs for injected content. Hidden Unicode characters in configuration files are a signal. If a config file you did not create is present, treat it as suspect.
  • Review GitHub Actions workflows and recent activity. If a token with repository write access was on the machine, check recent workflow runs, commit history, and any new branches or pull requests for changes you did not make.

The gap TrapDoor exploits is structural: most dependency scanning tools are built around a single registry. A team running npm audit has no view into what a build.rs script does when a Rust dependency compiles. A Python project running pip-audit does not inspect postinstall hooks that fire in a Node.js context on the same machine. The attack surface spans whichever registries touch your build environment, and monitoring needs to cover all of them.