🚨 Active supply chain attack spanning npm, PyPI, and
Crates.io simultaneously.
Socket is tracking a campaign we’re calling TrapDoor: 34 malicious packages and 384 versions designed to steal crypto wallets, SSH keys, AWS credentials, GitHub tokens, browser data, and environment variables from developers.
We had a median detection time of 5 minutes and 27 seconds. Fastest detection was 58 seconds after publication.
The packages target crypto, DeFi, Solana, Sui/Move, and AI developers. Names like crypto-credential-scanner, solidity-deploy-guard, sui-move-build-helper, and prompt-engineering-toolkit are crafted to look like legitimate dev tools.
Each ecosystem uses a different execution path:
• npm: postinstall hooks run trap-core.js, a 1,149-line credential harvester that validates stolen AWS/GitHub tokens via API calls and attempts SSH-based lateral movement
• PyPI: packages auto-execute on import, download JavaScript from an attacker-controlled GitHub Pages domain, and run it via node -e
•
Crates.io: malicious
build.rs scripts search for wallet keystores, XOR-encrypt them, and exfiltrate to GitHub Gists
What makes this campaign especially notable: the npm payload plants persistence through .cursorrules and CLAUDE.md files using zero-width Unicode characters, attempting to trick AI coding assistants into running “security scans” that exfiltrate secrets. The attacker also opened PRs against major AI projects (LangChain, LlamaIndex, MetaGPT, OpenHands, browser-use) trying to inject these files into codebases directly.
If you work in crypto, DeFi, or AI tooling: audit your lockfiles, check for any of the listed packages, and review your project for unexpected .cursorrules or CLAUDE.md files.
Full list of IOCs and affected packages:
socket.dev/blog/trapdoor-cry…