A new coordinated supply chain attack campaign has targeted three major package registries simultaneously, and the attackers are stealing developer credentials, crypto wallets, and cloud tokens.
The TrapDoor cross-ecosystem supply chain attack spans more than 34 malicious packages across over 384 versions, and the campaign targets npm, PyPI, and Crates.io (the Rust package registry).
The TrapDoor cross-ecosystem supply chain attack was detected by security firm Sockit with the earliest activity being recorded on May 22, 2026 at 8:20pm UTC. New packages have been published by a group of accounts in waves since that time.
Target Audience
TrapDoor cross-ecosystem supply chain attack is targeting developers in the Cryptocurrency, DeFi (decentralized finance), Solana and AI communities by providing them packages that look as if they would be relevant to their line of work (i.e., crypto-credential-scanner, defi-env-auditor, eth-wallet-sentinel, wallet-security-checker, solidity-deploy-guard).
Developers looking for security or dev tools could mistake these malicious packages as real tools, therefore manipulating trust in regard to the TrapDoor cross-ecosystem supply chain attack.
The Malicious Packages
The TrapDoor cross-ecosystem supply chain attack includes packages across all three ecosystems:
Crates.io (Rust) packages:
move-analyzer-build
move-compiler-tools
move-project-builder
sui-framework-helpers
sui-move-build-helper
sui-sdk-build-utils
npm packages:
async-pipeline-builder
crypto-credential-scanner
defi-env-auditor
eth-wallet-sentinel
mnemonic-safety-check
wallet-security-checker
(and 13 more packages)
PyPI packages:
cryptowallet-safety
defi-risk-scanner
env-loader-cli
eth-security-auditor
git-config-sync
solidity-build-guard
The TrapDoor cross-ecosystem supply chain attack uses ecosystem-specific execution paths including postinstall hooks in npm, build scripts in Rust, and import-time execution in Python.
The trap-core.js Payload
Several npm packages in the TrapDoor cross-ecosystem supply chain attack deploy a shared payload called trap-core.js.
This JavaScript payload scans for credentials and developer secrets, and it validates stolen credentials using AWS and GitHub API calls, and it attempts SSH-based lateral movement to spread across networks.
The TrapDoor cross-ecosystem supply chain attack also creates persistence on compromised hosts using cron jobs, systemd services, Git hooks, shell hooks, and SSH configuration modifications.
The Rust Build.rs Technique
Rust crates in the TrapDoor cross-ecosystem supply chain attack use a build.rs script to trigger malicious code execution.
The Rust build script runs automatically when the package is compiled, and the TrapDoor cross-ecosystem supply chain attack uses this to search for local keystores and wallet files.
Stolen data is encrypted using a hardcoded XOR key, and it is exfiltrated to GitHub Gists which are legitimate code snippet hosting service, and this makes the exfiltration traffic blend in with normal development activity.
The Python Remote Payload
Python packages in the TrapDoor cross-ecosystem supply chain attack are designed to auto-execute on import, and the moment a developer imports the package their system becomes compromised.
The Python packages download JavaScript from an attacker-controlled GitHub Pages domain at ddjidd564.github[.]io, and they execute it using node -e.
This technique allows the TrapDoor cross-ecosystem supply chain attack to delegate execution to a remote JavaScript payload, and the attacker can update the malicious behavior without publishing a new PyPI release.
AI Assistant Poisoning
One of the most unusual aspects of the TrapDoor cross-ecosystem supply chain attack is the implantation of .cursorrules and CLAUDE.md files containing hidden instructions.
These files trick AI assistants like Cursor and Claude into running a "security scan" that results in secret discovery and exfiltration, and the attacker achieves this by opening GitHub pull requests (PRs) across popular AI and developer projects.
The TrapDoor cross-ecosystem supply chain attack targeted projects including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow.
Socket said the threat actor is likely testing whether AI-related project files can be introduced through regular open-source contribution workflows, and this would cause AI coding tools to parse those hidden instructions and apply them automatically.
What Gets Stolen
The TrapDoor cross-ecosystem supply chain attack steals a comprehensive range of developer secrets:
1. Crypto wallets including wallet files, seed phrases, and keystores are harvested, and the TrapDoor cross-ecosystem supply chain attack specifically targets Solana and Sui developers.
2. SSH keys are stolen, and these can be used to access other systems where the developer has accounts.
3. Cloud credentials for AWS and GitHub are validated using API calls, and valid tokens are exfiltrated.
4. On Developer Browsers, Browser Data Of All Types Is Stolen (mainly from Chrome, Firefox) Including The Cookies And Saved Passwords.
5. Environment Variables Will Contain API Keys, Database Passwords, And Other Credentials.
6. AI tooling configurations for Cursor and Claude are harvested to poison future interactions.
Lateral Movement and Persistence
The TrapDoor cross-ecosystem supply chain attack has the ability to traverse multiple networks.
The recent addition of SSH-based lateral movement enables malware to move from a compromised developer machine onto any other device with which the malware shares SSH keys, effectively transforming an incident involving a compromised developer into a complete network compromise.
Persistence mechanisms are provided through cron jobs that execute malware on schedule, systemd services that are executed at boot time, Git hooks that are executed upon commit, shell hooks that are executed with every shell launch, and modifications to SSH configurations.
The TrapDoor cross-ecosystem supply chain attack has been built to have extensive persistence and resilience to removal, as it is common for malware to be removed by either rebooting the host or through the use of malware-removal tools.
Naming Strategy
The TrapDoor cross-ecosystem supply chain attack has used naming schemes for its packages that are consistent with common practices. Examples include crypto-credential-scanner and wallet-security-checker for what could be termed "security tools" and defi-env-auditor and solidity-build-guard for what could be termed "development utilities."
The TrapDoor cross-ecosystem supply chain attack also uses typosquatting, and developers searching for legitimate packages might accidentally install the malicious version.
No Connection to Android Ad Fraud
Socket noted that the TrapDoor cross-ecosystem supply chain attack has no connection to another campaign of the same name.
HUMAN's Satori Threat Intelligence team detailed a separate TrapDoor campaign last week that engaged in ad fraud by distributing 455 Android apps through the Google Play Store, and the two campaigns are unrelated.
The shared name appears to be coincidental.
How to Protect Yourself
The TrapDoor cross-ecosystem supply chain attack is active, here is what you need to do:
1. Look For Malicious Packages - Look at the packages installed by checking your package.json and the Cargo.toml and requirements.txt files. If you find any of those packages listed above, delete them immediately.
2. Change Your Credentials: If any of the malicious packages listed in this article match yours, then you must treat your credentials as compromised. Recovering from this will require you to rotate your SSH key, cloud token and any cryptocurrency wallet credentials.
3. Check for the Existence of Cursorrules and CLAUDE.md In Your Repo - You should also search your Git repositories for files called ".cursorrules" and/or "CLAUDE.md". Attackers are putting these types of files into your Git repositories as part of a TrapDoor cross-ecosystem supply chain attack ; check for their recent addition to your repositories.
4. Examine the Pull Requests on Github that are Still Open or Merged (either partially completed or completed but pending review) - There may be many successful attackers that executed a Pull Request against a large number of popular Github repositories, including yours. Therefore, you should carefully check your repository for any suspicious open or merged Pull Requests with artificial intelligence related attributes that have been added to your repository by an attacker.
5. Check for Unforeseen Persistent Mechanism Files - Check for Unforeseen Scheduled Task (Cron) Files and Service (Systemd) Files Ensure that Unforeseen Changes have Occurred on your SSH Configuration.
6. Understand Outbound Connections - The TrapDoor cross-ecosystem supply chain attack is designed to exfiltrate data to GitHub Gists or GitHub Pages. If you see connections to these services from elsewhere, these should be investigated.
Final Thoughts
The TrapDoor cross-ecosystem supply chain attack represents a new level of sophistication in package registry abuse.
The attack spans three ecosystems simultaneously, and it targets developers in crypto, DeFi, Solana, and AI communities, and it uses ecosystem-specific execution paths.
The TrapDoor cross-ecosystem supply chain attack also attempts to poison AI assistants through .cursorrules and CLAUDE.md files, and this is a novel attack vector that could have widespread implications.
If you develop software in Rust, Node.js, or Python, check your dependencies today, remove any malicious packages, rotate your credentials, and review your projects for AI poisoning attempts.
The TrapDoor cross-ecosystem supply chain attack shows that supply chain security is not just about npm or just about PyPI, it is about all of them at once.
FAQ Section
What kind of ecosystems do the TrapDoor cross-ecosystem supply chain attack affect (i.e., what are the ecosystems that exist)?
The TrapDoor cross-ecosystem supply chain attack affects the npm (JavaScript), PyPi (Python), and Crates.io (Rust) ecosystems and includes at least 34 malicious packages, consisting of over 384 versions.
What types of developers are being targeted by this supply chain attack?
The TrapDoor cross-ecosystem supply chain attack targets developers from cryptocurrency, decentralized finance (DeFi), Solana Blockchain and artificial Intelligence ecosystems.
What is the purpose of the trap-core.js payload?
The trap-core.js payload scans for developers’ credentials and secrets, validates the stolen credentials using AWS and GitHub API calls, attempts lateral movement through SSH (and through other means), and maintains persistence via cron jobs, systemd services, Git hooks, and SSH configuration.
Can you explain how the TrapDoor Rust implementation carries out a cross-ecosystem supply chain attack?
The TrapDoor cross-ecosystem supply chain attack leverages Rust packages which have a build.rs script that runs automatically during the compilation of the package and searches for local keystores, encrypts the data found using a hard-coded XOR key, and exfiltrates it to GitHub Gists.
Can you explain the AI assistant poisoning method of the TrapDoor cross-ecosystem software supply chain attack?
The TrapDoor cross-ecosystem software supply chain attack creates hidden instructions, or .cursorrules and CLAUDE.md, to inject instructions into AI programming assistants and trick them into executing a “security scan” which will result in secret data discovery and exfiltration.
