
TrapDoor malware campaign targets crypto and AI developers through npm, PyPI, and Crates.io, stealing wallets, SSH keys, & cloud credentials.
Author: Akshat Thakur
24th May 2026 – Socket Security has identified an active crypto stealer campaign called TrapDoor spanning 36 malicious packages across npm, PyPI, and Crates.io. The campaign targets crypto, DeFi, and AI developers with malware that exfiltrates wallet keys, cloud credentials, and API tokens.
High Signal Summary For A Quick Glance
Sancho
@sanchogodinho
@SocketSecurity What the heck. Why so many supply chain attacks these days!?
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets https://t.co/0CI758NJ6T
05:16 PM·May 24, 2026
bbsz
@blackbigswan
@SocketSecurity lol, this is 100% both fully vibe coded and vibe researched with LLM. so funny in the context of Claude throwing refusals out of the blue on what is often a low brow RE related task. https://t.co/JWumvjYkYR

04:47 PM·May 24, 2026
Ibrahim Tanyalcin
@ibrhmTanyalcin
@SocketSecurity if the fastest detection occurred 58s after installing why don't repositories/ppms run newly pushed repo's in a VM and watch behavior?? why is that hard? what am I missing. I am genuinely asking not trying to be sarcastic.
04:11 PM·May 24, 2026
Steady attention without excessive speculation.
Socket’s Threat Research team disclosed the findings on May 24, 2026. The team detected 384+ malicious versions and artifacts across all three registries.
Socket reported a median detection time of 5 minutes and 27 seconds. The fastest detection took just 58 seconds from package publication to malware flag. The earliest package appeared on May 22, and the attacker then published new releases rapidly over the following 48 hours.
TrapDoor uses ecosystem-specific hooks to trigger its payload. On npm, 22 packages run postinstall scripts that execute a 1,149-line JavaScript file called trap-core.js. On PyPI, seven packages auto-execute malicious code on import and then fetch remote JavaScript payloads. On Crates.io, six packages run malicious build.rs scripts during Rust compilation.
All variants target the same data: Sui, Solana, and Aptos wallets, SSH keys, AWS credentials, GitHub tokens, browser data, and environment variables. The malware encrypts stolen data using Fernet, ECDH, or XOR before sending it to attacker-controlled infrastructure.
According to Socket’s research report, the connection between the three campaigns “became clear during the Crates.io wave, when Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages.”
Timeline of the TrapDoor supply-chain malware campaign across PyPI, npm, and Crates.io (May 2026)
The package eth-security-auditor@0.1.0 appears on PyPI, marking the earliest known public activity tied to the TrapDoor campaign.
Attack infrastructure expands almost immediately as malicious build artifacts begin appearing alongside the original package.
Attackers repeatedly publish packages across npm, PyPI, and Crates.io. npm sees the largest volume, while Rust crates and Python packages display overlapping infrastructure and behavior.
Campaign indicators suggest targeting beyond Ethereum tooling, including Sui and Move-language developers through Rust build scripts and dependency chains.
Researchers disclose the campaign through social posts and technical analysis, reporting extremely fast detection times across hundreds of malicious package versions.
npm, PyPI, and Crates.io begin reviewing and removing reported packages. Some malicious artifacts disappear quickly while others remain active temporarily.
Researchers continue tracking associated GitHub profiles, pull requests, and new package uploads as the campaign evolves.
The operation remains under active observation. Additional malicious versions, infrastructure reuse, and new publication attempts remain possible.
Beyond data theft, TrapDoor installs multiple persistence mechanisms. These include Git hooks, shell hooks, cron jobs, systemd services, and SSH propagation to other machines the developer can access.
One novel technique plants hidden zero-width Unicode instructions inside .cursorrules and CLAUDE.md files. These files configure AI coding assistants. Once compromised, the AI assistant could unknowingly propagate malicious code into future projects.
This approach exploits the growing adoption of AI-assisted development tools. Developers who rely on AI assistants could spread the infection through generated code without realizing their environment carries hidden instructions.
The malicious packages use realistic names designed to attract crypto and security developers. Examples include token-usage-tracker, eth-security-auditor, sui-move-build-helper, defi-threat-scanner, and wallet-security-checker.
Socket traced the attacker infrastructure to a GitHub account named ddjidd564. The Rust crates exfiltrate data to GitHub Gists, while other variants use attacker-controlled GitHub Pages infrastructure. The attacker also submitted pull requests to legitimate AI repositories including langchain-ai and llama_index.
Registries have begun removing flagged packages. The npm listing for token-usage-tracker now shows a Socket malware flag. Other packages remain live at the time of disclosure.
No one has publicly confirmed stolen funds or compromised production projects from this TrapDoor supply chain attack. Socket’s rapid detection and the use of obscure package names suggest minimal successful installations before Socket flagged the malware.
The attacker’s identity remains unknown. Additional undetected packages could still exist across these registries or beyond them. No CVEs or formal GitHub advisories exist yet because Socket disclosed the TrapDoor supply chain attack only hours before this report.
This is not financial advice. Developers should audit their dependencies and check for any of the flagged packages in their projects.
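As an added example, not code from the article or from Socket, the following Python check reads a project's package.json, requirements.txt and Cargo.toml, reports any dependency whose normalised name is on a block list, and lists npm install-time scripts (preinstall, install, postinstall, prepare), including those declared by packages already installed under node_modules, since install hooks and build.rs are the execution paths described above. The block list contains only the five names quoted in this article; a real run would load the researchers' full indicator list. The sample manifests are constructed, and the Cargo.toml parser is a deliberately simple line parser rather than a full TOML implementation.

```python
"""Audit project manifests for block-listed packages and install-time hooks.

Added example, not the article's or Socket's code. Covers package.json (npm),
requirements.txt (PyPI) and Cargo.toml (Crates.io).
"""
import json
import re
import sys
from pathlib import Path

# Names the article reports for TrapDoor. Assumption: a real deployment loads
# the researchers' full indicator list instead of this short excerpt.
FLAGGED = {
    "token-usage-tracker", "eth-security-auditor", "sui-move-build-helper",
    "defi-threat-scanner", "wallet-security-checker",
}
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Matches [dependencies], [dev-dependencies], [build-dependencies],
# [target.'cfg(..)'.dependencies] and the [dependencies.<crate>] subtable form.
DEP_SECTION = re.compile(r"^(?:.*\.)?(?:build-|dev-)?dependencies(?:\.([^.]+))?$")


def normalize(name: str) -> str:
    """PEP 503-style normalisation: Eth_Security.Auditor -> eth-security-auditor."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_package_json(text: str) -> dict:
    """Dependency names plus any install-time scripts declared in a package.json."""
    data = json.loads(text)
    deps = set()
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(field, {}))
    hooks = {k: v for k, v in data.get("scripts", {}).items() if k in NPM_INSTALL_HOOKS}
    return {"deps": {normalize(d) for d in deps}, "install_hooks": hooks}


def parse_requirements(text: str) -> set[str]:
    """Project names from a requirements.txt (skips options, comments, blanks)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def parse_cargo_toml(text: str) -> set[str]:
    """Crate names from dependency sections. Minimal line parser, not full TOML:
    handles `name = "ver"`, one-line inline tables and [dependencies.<crate>]."""
    names, in_deps = set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            m = DEP_SECTION.match(line.strip("[]").strip())
            in_deps = bool(m) and m.group(1) is None
            if m and m.group(1):  # keys inside [dependencies.crate] describe that crate
                names.add(normalize(m.group(1).strip('"')))
            continue
        if in_deps and "=" in line:
            names.add(normalize(line.split("=", 1)[0].strip().strip('"')))
    return names


def find_flagged(names: set[str], blocklist: set[str] = FLAGGED) -> set[str]:
    return names & blocklist


def audit_project(root: Path) -> dict:
    """Report flagged names and npm install hooks for a project directory,
    including hooks declared by already-installed packages under node_modules."""
    report = {"flagged": set(), "install_hooks": {}}
    pj = root / "package.json"
    if pj.is_file():
        info = parse_package_json(pj.read_text(encoding="utf-8"))
        report["flagged"] |= find_flagged(info["deps"])
        if info["install_hooks"]:
            report["install_hooks"]["package.json"] = info["install_hooks"]
    for manifest in root.glob("node_modules/**/package.json"):
        try:
            hooks = parse_package_json(manifest.read_text(encoding="utf-8"))["install_hooks"]
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue
        if hooks:
            report["install_hooks"][str(manifest.relative_to(root))] = hooks
    for filename, parser in (("requirements.txt", parse_requirements),
                             ("Cargo.toml", parse_cargo_toml)):
        path = root / filename
        if path.is_file():
            report["flagged"] |= find_flagged(parser(path.read_text(encoding="utf-8")))
    return report


# Constructed sample manifests for a stand-alone run.
PKG_JSON_SAMPLE = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.18.0", "token-usage-tracker": "1.0.3"},
    "devDependencies": {"jest": "^29.0.0"},
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
})
REQ_SAMPLE = "requests>=2.31  # http client\n-r base.txt\nEth_Security.Auditor==0.1.0\n\nnumpy\n"
CARGO_SAMPLE = """[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1"
sui-move-build-helper = { version = "0.2", features = ["cli"] }

[dependencies.tokio]
version = "1"

[build-dependencies]
cc = "1"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_project(Path(sys.argv[1])))
    else:
        found = (find_flagged(parse_package_json(PKG_JSON_SAMPLE)["deps"])
                 | find_flagged(parse_requirements(REQ_SAMPLE))
                 | find_flagged(parse_cargo_toml(CARGO_SAMPLE)))
        print("flagged in samples:", sorted(found))
        print("npm install hooks:", parse_package_json(PKG_JSON_SAMPLE)["install_hooks"])
```

Run it with a project directory as the argument to audit real manifests, or with no argument to see the constructed samples flagged. A postinstall hook in a dependency is not proof of compromise, but every such hook is code that runs at install time and deserves a look before the package is trusted.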
The TrapDoor supply chain attack follows a pattern of escalating threats against developers. In 2018, an attacker compromised the popular event-stream npm package to steal Bitcoin wallet data. In 2023, the Ledger Connect Kit compromise affected DeFi protocol frontends serving millions of users.
What sets TrapDoor apart is its coordinated cross-registry approach. Previous attacks typically targeted a single ecosystem at a time. TrapDoor simultaneously hit npm, PyPI, and Crates.io while also adding AI-assistant persistence, a combination not seen before at this scale.
On X and developer forums, the response to the TrapDoor supply chain attack mixes alarm with fatigue. Many crypto developers treat supply chain incidents as routine, with one community member posting “Days since last incident: 0.” Others praised Socket’s detection speed and called for stricter registry policies.
The crypto developer community recommends several practical mitigations. Setting min-release-age=7 in package managers prevents installation of packages less than a week old. Running dependency audits with Socket, Snyk, or npm audit can flag known malicious packages.
Developers should also inspect their .cursorrules and CLAUDE.md files for hidden Unicode characters. Sandboxing new package installations in virtual machines adds another layer of protection against install-time payloads.
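As an added example that is not code from the article or from Socket, the following Python scanner finds zero-width and other invisible Unicode characters in AI-assistant rule files such as .cursorrules and CLAUDE.md, reports their line and column, and can strip them. It also decodes text smuggled through the Unicode tag block (U+E0020 to U+E007E), one common way of hiding ASCII; the article does not say which encoding TrapDoor used, so that part and the sample file contents are assumptions, with the sample constructed here.

```python
"""Find invisible Unicode characters in AI-assistant rule files.

Added example (not from the article or from Socket). Scans files such as
.cursorrules and CLAUDE.md for zero-width and other format characters that
render as nothing but are still read by an AI assistant.
"""
import sys
import unicodedata
from pathlib import Path

# Invisible code points worth flagging by name. Assumption: an illustrative
# set, not a list taken from TrapDoor samples; the "Cf" category check below
# catches the rest (bidi controls and other format characters).
INVISIBLE = {
    0x00AD: "SOFT HYPHEN",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0x2062: "INVISIBLE TIMES",
    0x2063: "INVISIBLE SEPARATOR",
    0x2064: "INVISIBLE PLUS",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}
# Unicode "tag" block: U+E0020..U+E007E mirror ASCII 0x20..0x7E and are
# invisible, so they can carry whole sentences. U+E0001 and U+E007F are markers.
TAG_LO, TAG_HI = 0xE0000, 0xE007F


def is_hidden(ch: str) -> bool:
    """True for characters a rules file has no legitimate use for."""
    cp = ord(ch)
    if cp in INVISIBLE or TAG_LO <= cp <= TAG_HI:
        return True
    return unicodedata.category(ch) == "Cf"


def find_hidden(text: str) -> list[dict]:
    """Report every hidden character with its 1-based line and column."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                cp = ord(ch)
                name = INVISIBLE.get(cp) or unicodedata.name(ch, f"U+{cp:04X}")
                hits.append({"line": lineno, "col": col, "codepoint": cp, "name": name})
    return hits


def decode_tag_run(text: str) -> str:
    """Recover ASCII text smuggled through the Unicode tag block."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)


def strip_hidden(text: str) -> str:
    """Return the contents with all hidden characters removed."""
    return "".join(ch for ch in text if not is_hidden(ch))


def scan_file(path: Path) -> list[dict]:
    """Scan one file; a leading BOM is normal for some editors and is skipped."""
    text = path.read_text(encoding="utf-8")
    if text.startswith("\ufeff"):
        text = text[1:]
    return find_hidden(text)


# Constructed sample: two zero-width spaces after the first sentence and a
# third line made entirely of tag characters spelling "HIDDEN TEXT".
SAMPLE_RULES = (
    "Always follow the project style guide.\u200b\u200b\n"
    "Use TypeScript for new modules.\n"
    + "".join(chr(0xE0000 + ord(c)) for c in "HIDDEN TEXT")
    + "\n"
)

if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        hits = find_hidden(SAMPLE_RULES)
        print(f"sample: {len(hits)} hidden characters, "
              f"smuggled text: {decode_tag_run(SAMPLE_RULES)!r}")
    for path in targets:
        for h in scan_file(path):
            print(f"{path}:{h['line']}:{h['col']} U+{h['codepoint']:04X} {h['name']}")
```

Pass one or more file paths to scan real rule files; with no arguments it runs against the constructed sample. A clean file returns no hits, and any hit in a file that is supposed to be plain prose is worth treating as suspicious until someone explains where it came from.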
Socket continues to monitor for additional TrapDoor variants across all three registries. The initial disclosure on X noted that some packages remain live, and registry teams are still processing takedown requests.
For now, the fastest defense is awareness. Check your dependencies, verify package publishers, and treat unfamiliar security-themed packages with skepticism. The attacker account ddjidd564 and its associated infrastructure remain active at the time of writing. Any developer who installed packages from this account should rotate all credentials immediately.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.