TrapDoor Campaign Targets Crypto and AI Developers via 34+ Malicious Packages
The TrapDoor campaign deployed credential-stealing malware across npm, PyPI, and Crates.io, exfiltrating crypto wallets and weaponizing AI assistants via malic…

TrapDoor represents more than a series of malicious packages; it is a systematic assault on the crypto and AI developer workflow. The campaign has distributed over 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, transforming the development environment into a continuous attack surface. From registries to AI coding assistants, every stage of the pipeline has been turned into a vector for credential and wallet exfiltration.
- Workflow-Centric Attack: TrapDoor targets the entire developer workflow rather than just registry vulnerabilities.
- Multi-Platform Scope: Over 34 packages and 384 versions across npm, PyPI, and Crates.io exfiltrate credentials and crypto wallets.
- AI Weaponization: The attack manipulates AI assistants through hidden files embedded in open-source repositories.
"Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH." — Socket, via The Hacker News
How TrapDoor Targets Three Ecosystems with Diverse Tactics
The campaign demonstrates a deep understanding of the internal mechanics of major package registries. On npm, the trap-core.js payload—comprising 1,149 lines of JavaScript—is triggered during installation via the postinstall hook.
The code scans the filesystem for SSH keys, environment variables, cloud credentials, service tokens, and crypto wallets, including Coinbase, Binance, MetaMask, Solana, Sui, and Aptos. It validates AWS and GitHub tokens through live API calls and establishes multiple forms of persistence: cron jobs, systemd services, SSH authorized keys, Git hooks, and shell hooks.
This payload is shared across various npm packages, centralizing malware maintenance for the entire vector.
The strategy shifts on PyPI. Malicious packages do not contain the full payload initially; instead, upon import, they download remote JavaScript from ddjidd564.github[.]io and execute it using node -e. This delegation makes the attack highly agile, allowing the operator to update the payload without publishing new versions on PyPI, thereby evading registry checks and maintaining a resilient remote presence.
Rust and Crates.io represent the third vector. Here, the malware exploits build.rs, the build script automatically executed during compilation. It searches for local keystores, encrypts data using a hardcoded XOR key, and exfiltrates the result to GitHub Gists—all before the actual Rust code is even compiled. The attack leverages the compiled nature of Rust to hide malicious activity in a phase that many developers do not regularly inspect.
AI Assistant Weaponization via Hidden Configuration Files
What distinguishes TrapDoor from previous campaigns is its systematic attempt to manipulate AI tools increasingly adopted by developers. The GitHub account ddjidd564, linked to the campaign, opened pull requests on high-profile repositories including langchain-ai/langchain, browser-use/browser-use, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands. PR titles were designed to appear benign, often referencing security or environment configuration.
The injected files—.cursorrules for Cursor and CLAUDE.md for Claude—contained instructions hidden using zero-width Unicode. These instructions prompted AI assistants to perform "security scans" which, in reality, exfiltrated project secrets. This technique exploits the implicit trust developers place in project configuration files, which are rarely subjected to rigorous code review.
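An added example, not code from Socket or from the campaign: a Python check that reports invisible Unicode format characters (general category Cf, which includes the zero-width characters) in .cursorrules and CLAUDE.md files. The function names and the constructed SAMPLE string are assumptions for illustration; the page does not say which zero-width characters were used.

```python
import sys
import unicodedata
from pathlib import Path

# File names the article names as injection targets; extend for other assistants.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}

# Constructed sample: three zero-width characters hidden after "tests" on line 2.
SAMPLE = "Use 4-space indentation.\nRun the tests\u200b\u200d\u200b before committing.\n"


def is_invisible(ch):
    # General category Cf (format) covers zero-width space and joiners, the word
    # joiner, BOM, bidi controls and Unicode tag characters.
    return unicodedata.category(ch) == "Cf"


def find_invisible(text):
    """Return (line, column, codepoint, name) for each invisible format character."""
    return [
        (lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for lineno, line in enumerate(text.split("\n"), 1)
        for col, ch in enumerate(line, 1)
        if is_invisible(ch)
    ]


def reveal(text):
    """Make hidden characters visible for review, e.g. 'tests<U+200B>'."""
    return "".join(f"<U+{ord(c):04X}>" if is_invisible(c) else c for c in text)


def scan_repo(root):
    """Map each AI config file under root to the invisible characters it contains."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_CONFIG_NAMES:
            hits = find_invisible(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
```

A zero-width joiner inside an emoji sequence or a byte-order mark at the start of a file will also be reported, so treat a hit as a prompt to read the reveal() output rather than as proof of injection.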
The actual large-scale effectiveness of this manipulation remains unverified. While sources describe it as a potentially experimental technique, its inclusion in an operational campaign signals an intent to normalize AI-assisted prompt injection as a standard attack vector.
Detection Metrics and Trust-Building Tactics
Socket detected TrapDoor releases with a median time of 5 minutes and 27 seconds across 381 package-version records, with the fastest detection occurring just 58 seconds after publication. While these numbers are internal to the vendor, they suggest the campaign generated sufficiently anomalous signals for rapid identification—likely due to its aggressive nature.
Package names reveal precise targeting: wallet-security-checker, defi-env-auditor, sui-move-build-helper, and prompt-engineering-toolkit. These are not classic typosquatting attempts, but plausible names that exploit the genuine needs of developers in the crypto, DeFi, and AI sectors. The ddjidd564 account maintained lure repositories like env-security-scanner and published issues and discussions regarding fictitious security concerns to build credibility prior to the attack.
Socket confirmed that TrapDoor has no link to the Android ad fraud campaign of the same name described by HUMAN/Satori; the shared naming is coincidental, with no technical or infrastructural overlap.
Mitigation and Response
Countermeasures must be immediate and specific, as TrapDoor strikes at different phases of the development lifecycle.
- Audit hooks and scripts: Inspect postinstall, build.rs, and import scripts in existing projects. TrapDoor’s vectors activate at stages not always visible during normal application execution.
- Verify AI configurations: Check for the presence of .cursorrules, CLAUDE.md, and other AI config files in every repository, even those that do not directly install suspicious dependencies.
- Validate external PRs: Closely monitor external pull requests involving configuration files, particularly those modifying security paths or workflows. The ddjidd564 account proved this vector is operational and scalable.
- Assume total compromise: Treat the installation of suspicious dependencies from npm/PyPI/Crates.io as a potential compromise of the entire workstation and CI/CD pipelines. TrapDoor’s lateral movement capabilities are designed to propagate beyond the individual package.
No phase of the pipeline can be considered implicitly secure following this campaign.
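One way to carry out the hook audit above across all three ecosystems, as an added Python example that is not from the cited sources: it lists npm install-time lifecycle scripts, Cargo build.rs files at their default location, and Python files that spawn node -e. The function names are hypothetical, the node -e match is a literal-string heuristic that obfuscated code will evade, and a build script set through a custom build key in Cargo.toml is not covered.

```python
import ast
import json
import os
import sys

NPM_HOOKS = ("preinstall", "install", "postinstall")  # scripts npm runs at install time


def spawns_node_e(source):
    """Heuristic: some call passes 'node' and '-e' as string literals."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return False
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        consts = {c.value for c in ast.walk(call)
                  if isinstance(c, ast.Constant) and isinstance(c.value, str)}
        if {"node", "-e"} <= consts or any("node -e" in s for s in consts):
            return True
    return False


def npm_hooks(path):
    """Install-time lifecycle scripts declared in one package.json."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return []
    scripts = data.get("scripts") if isinstance(data, dict) else None
    scripts = scripts if isinstance(scripts, dict) else {}
    return [f"{h}: {scripts[h]}" for h in NPM_HOOKS if h in scripts]


def audit_tree(root):
    """Sorted (path, ecosystem, detail) for code that runs at install, build or import."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings += [(path, "npm", d) for d in npm_hooks(path)]
            elif name == "build.rs" and "Cargo.toml" in files:
                findings.append((path, "cargo", "build script, runs before the crate compiles"))
            elif name.endswith(".py"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if spawns_node_e(fh.read()):
                        findings.append((path, "pypi", "spawns node -e"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Run it against a project root, node_modules, a site-packages directory or a vendored crates directory; most findings will be legitimate build steps, so the output is a review list, not a verdict.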
A Shift in Supply Chain Risk Perspective
TrapDoor marks a turning point: the attack no longer views the registry merely as an entry point, but targets the development environment as a whole. The convergence of crypto, DeFi, and AI has created a developer demographic managing high-value assets with increasingly complex and under-audited tools. TrapDoor exploits this asymmetry: a larger technical surface area met with the same level of security scrutiny.
AI assistant manipulation and traditional supply chain attacks are no longer separate risks, but two stages of the same assault on developer trust. When project configuration files become channels for prompt injection, the distinction between internal and external code dissolves. The response cannot be purely technical; it requires a fundamental revision of review processes and the trust placed in automated tools.
The development environment has become the primary target: it is no longer just a distribution channel, but the prize itself.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
- https://sqmagazine.co.uk/trapdoor-malware-npm-pypi-rust-developers/
- https://www.cryptotimes.io/2026/05/25/trapdoor-malware-hits-npm-pypi-crates-io-steals-crypto-wallets-ssh-keys/
- https://isc.sans.edu/diary/rss/33016
- https://isc.sans.edu/diary/rss/33014
- https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
- https://startupfortune.com/crypto-hiring-scams-are-turning-developer-tools-into-wallet-drains/