Skip to content
.ca
sign in
7 mincritical

TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io

The TrapDoor campaign is a sophisticated supply chain attack targeting crypto, DeFi, and AI developers across npm, PyPI, and Crates.io. The threat actor deployed over 34 malicious packages that utilize ecosystem-specific execution methods to steal credentials, wallets, and SSH keys, while uniquely leveraging AI configuration files like .cursorrules to trick AI assistants into executing exfiltration workflows.

Sens:ImmediateConf:highAnalyzed:2026-05-24Google

Authors: Socket Research Team

ActorsTrapDoor
TrapDoorSupply ChainCrypto StealerAI Injection

Source:Socket

IOCs · 8
  • domain
    ddjidd564[.]github[.]ioAttacker-controlled domain used for payload delivery and remote JavaScript execution.
  • filename
    trap-core.jsShared 1,149-line credential harvester and propagation payload deployed by malicious npm packages.
  • npm_package
    defi-env-auditorMalicious npm package promoted in Gemini CLI GitHub discussions by the threat actor.
  • npm_package
    dev-env-bootstrapperMalicious npm package functioning as both malware and a delivery vector for spreading malicious configuration.
  • npm_package
    env-security-scannerMalicious npm package promoted via GitHub PRs as an AI agent auditing tool to steal credentials.
  • npm_package
    wallet-security-checkerMalicious npm package promoted in Gemini CLI GitHub discussions by the threat actor.
  • pypi_package
    eth-security-auditorEarliest observed malicious PyPI package in the TrapDoor campaign.
  • url
    hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/Attacker-controlled GitHub Pages URL hosting payloads and configuration for the TrapDoor campaign.

Detection / HunterGoogle

What Happened

Security researchers discovered a coordinated attack called TrapDoor that targets software developers working in cryptocurrency and artificial intelligence. The attackers uploaded dozens of fake, malicious software packages to popular code repositories (npm, PyPI, and Crates.io). If a developer accidentally installs one of these packages, the malware steals sensitive information like passwords, digital wallets, and access keys. This is particularly dangerous because it can also trick AI coding assistants into helping steal the data and can spread to other computers. Developers should carefully verify the software packages they use and check their project configuration files for unauthorized changes.

Key Takeaways

  • TrapDoor is a cross-ecosystem supply chain attack spanning npm, PyPI, and Crates.io, targeting crypto, DeFi, and AI developers.
  • The campaign uses ecosystem-specific execution paths, such as npm postinstall hooks, PyPI import-time execution, and Rust build.rs scripts.
  • The malware establishes persistence via systemd, cron, Git hooks, and attempts lateral movement using stolen SSH keys.
  • Attackers are experimenting with AI injection by planting hidden zero-width Unicode instructions in .cursorrules and CLAUDE.md files to trick AI assistants into exfiltrating data.
  • The threat actor actively promoted malicious packages via GitHub pull requests and community discussions in popular AI projects.

Affected Systems

  • Developer workstations (Windows, macOS, Linux)
  • Node.js, Python, and Rust development environments
  • AI coding assistants (Cursor, Claude)
  • CI/CD pipelines

Attack Chain

The attacker publishes malicious packages to npm, PyPI, and Crates.io disguised as developer tools. Upon installation, ecosystem-specific mechanisms (e.g., npm postinstall hooks, PyPI import execution, Rust build.rs) trigger the execution of payloads like trap-core.js. The malware scans for and exfiltrates sensitive data such as SSH keys, cloud credentials, and crypto wallets, utilizing XOR or ECDH encryption. Finally, the malware establishes persistence via systemd, cron, and Git hooks, and attempts lateral movement using stolen SSH keys, while also injecting hidden instructions into AI configuration files (.cursorrules, CLAUDE.md) to trick AI assistants into further data exfiltration.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but notes that the packages were detected through behavioral and cross-registry analysis.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can monitor process executions (e.g., node -e), file modifications (e.g., changes to .cursorrules, CLAUDE.md), and persistence mechanisms (cron, systemd). Network Visibility: Medium — Network monitoring can detect outbound connections to GitHub Pages or Gists for payload retrieval and exfiltration, though the traffic will be HTTPS encrypted. Detection Difficulty: Moderate — While the persistence mechanisms and process executions are standard, the initial vector blends in with legitimate developer activity (package installation), and AI injection techniques are novel and may evade standard monitoring.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation/Modification (Sysmon Event ID 11)
  • Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Consider hunting for unexpected modifications to .cursorrules or CLAUDE.md files, especially those introducing zero-width Unicode characters or unexpected security scan directives.File Integrity Monitoring / EDR File EventsPersistence / Defense EvasionLow
Consider hunting for Python processes spawning Node.js with the '-e' flag to execute inline JavaScript, which is highly anomalous for standard Python applications.Process Execution (Sysmon Event ID 1)ExecutionLow
Consider hunting for Rust build processes (build.rs) initiating outbound network connections to GitHub Gists or raw GitHub user content.Network Connections / Process ExecutionExfiltrationMedium

Control Gaps

  • Lack of integrity monitoring on AI assistant configuration files (.cursorrules, CLAUDE.md)
  • Permissive egress network filtering allowing developer tools to communicate with arbitrary GitHub Pages/Gists

Key Behavioral Indicators

  • Python processes spawning 'node -e'
  • Unexpected creation of systemd services or cron jobs by package managers (npm, pip, cargo)
  • Modifications to .cursorrules containing hidden Unicode characters

False Positive Assessment

  • Low. The identified packages and infrastructure are explicitly malicious and part of a coordinated supply chain attack. However, hunting for generic package manager activity or GitHub connections may yield false positives.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider auditing developer environments for the presence of the identified malicious packages (e.g., dev-env-bootstrapper, eth-security-auditor, env-security-scanner).
  • If compromised packages are found, consider rotating all potentially exposed credentials, including SSH keys, AWS tokens, GitHub tokens, and crypto wallets.

Infrastructure Hardening

  • Evaluate whether egress network filtering can be applied to developer workstations to restrict outbound connections to unapproved external hosting services.
  • Consider implementing strict dependency pinning and using private package registries with vulnerability scanning capabilities.

User Protection

  • If supported by your tooling, consider implementing file integrity monitoring on critical developer configuration files like .cursorrules and CLAUDE.md.
  • Evaluate whether SSH keys can be protected with passphrases or hardware-backed keystores to prevent easy reuse if stolen.

Security Awareness

  • Consider training developers on the risks of typosquatting and the importance of verifying package names and authors before installation.
  • Evaluate whether awareness programs should include the emerging risk of AI assistant manipulation via poisoned project configuration files.
  • Consider advising developers to scrutinize pull requests that add generic security scanners or modify AI configuration files.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Software Dependencies and Development Tools
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1552.003 - Unsecured Credentials: Bash History
  • T1053.003 - Scheduled Task/Job: Cron
  • T1543.002 - Create or Modify System Process: Systemd Service
  • T1021.004 - Remote Services: SSH
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • File Paths:
    • .cursorrules - Project-specific AI instruction file targeted for hidden Unicode injection to trick AI assistants.
    • CLAUDE.md - Project-specific AI instruction file targeted for hidden Unicode injection to trick AI assistants.
  • Command Lines:
    • Purpose: Executes remote JavaScript payload downloaded from attacker infrastructure | Tools: node, python | Stage: Execution | node -e
    • Purpose: Installs malicious environment security scanner promoted in attacker PRs | Tools: npm | Stage: Installation | npm install -g env-security-scanner@latest
    • Purpose: Executes malicious environment security scanner promoted in attacker PRs | Tools: npx | Stage: Execution | npx env-security-scanner audit_environment
  • Other:
    • cargo-build-helper-2026 - Hardcoded XOR key used in malicious Crates.io packages to encrypt exfiltrated keystore data.
    • P-2024-001 - Campaign marker used across related components and attacker-submitted pull requests.
    • ddjidd564 - GitHub account used by the attacker to host payloads, configuration, and submit malicious PRs.
    • asdxzxc - npm account used by the attacker to publish malicious packages.
    • asdmini67 - PyPI account used by the attacker to publish malicious packages.
    • dae5411 - PyPI account used by the attacker to publish malicious packages.

Related