TrapDoor supply chain attack npm PyPI Crates.io credential stealing malware 2026
|

TrapDoor: The Supply Chain Attack That Poisoned npm, PyPI, and Crates.io — And Tried to Hijack Your AI Assistant

On May 19, 2026, a coordinated supply chain attack began spreading across three major package ecosystems simultaneously — npm, PyPI, and Crates.io. Codenamed TrapDoor, the campaign distributed 34 malicious packages across 384 versions, targeting developers in the crypto, DeFi, Solana, and AI communities. But the most chilling detail? TrapDoor didn’t just steal your credentials — it tried to weaponize your AI coding assistants against you.

This is the most sophisticated cross-ecosystem supply chain attack we’ve seen in 2026, and if you write code for a living, you need to understand exactly what happened.

TrapDoor Supply Chain Attack: What Happened

The TrapDoor supply chain attack was first publicly reported on May 22, 2026, but forensic analysis places the campaign’s actual start date at May 19 — three days before the first widely reported detection. The attackers published malicious packages to npm, PyPI, and Crates.io in rapid waves from a cluster of freshly created accounts.

What makes TrapDoor exceptional isn’t just its scale — it’s the coordination. Previous supply chain attacks typically targeted a single ecosystem. TrapDoor hit all three major package registries simultaneously with different payloads optimized for each platform’s unique execution model. This suggests a well-funded, well-organized threat actor with deep knowledge of how developers work across different programming languages.

The deceptive package names were designed to look like legitimate security and development tools: prompt-engineering-toolkit, solidity-deploy-guard, defi-threat-scanner, and similar names that would seem perfectly natural in a crypto or AI developer’s dependency list.

The Scope: 34 Packages, 384 Versions, 3 Ecosystems

The numbers tell the story of a campaign built for maximum coverage. Across npm, PyPI, and Crates.io, the attackers published 34 distinct malicious packages spanning 384 individual versions. Each version was slightly modified to evade automated detection, with obfuscation techniques varying between updates.

The targeting was surgical. Rather than casting a wide net across all developers, TrapDoor focused on specific communities where high-value credentials are common: cryptocurrency developers who handle wallet keys, DeFi builders who manage smart contract deployment credentials, Solana ecosystem developers, and — critically — AI developers who might have API keys for services like OpenAI, Anthropic, and others.

This targeting strategy reveals an attacker who understands the economics of credential theft. A stolen Solana wallet key or a compromised AWS credential from a DeFi developer can be worth orders of magnitude more than a random GitHub token.

How TrapDoor Works, Platform by Platform

Each ecosystem received a payload customized for its specific execution model, demonstrating the attackers’ deep technical knowledge.

Python (PyPI): The Python packages were designed to auto-execute on import. The primary mechanism downloads JavaScript from an attacker-controlled GitHub Pages domain and runs it using node -e. This cross-language execution technique is clever — by delegating to a remote JavaScript payload, the Python package serves only as a dropper. The actual malicious code lives on a domain the attacker can update at any time, making the payload essentially polymorphic.

Rust (Crates.io): The Rust packages abuse build.rs, which executes automatically during compilation. When you run cargo build, the malicious build script silently locates local keystores, XOR-encrypts them using the hardcoded key cargo-build-helper-2026, and exfiltrates them to GitHub Gists. The use of Gists for exfiltration is particularly sneaky — traffic to github.com doesn’t trigger most corporate firewalls or network monitoring tools.

JavaScript (npm): The npm packages use a combination of post-install scripts and dynamic imports to download secondary payloads. These payloads scan for cryptocurrency wallet files, browser extension data, and environment variable files containing API keys.

The AI Poisoning Angle That Changes Everything

Here’s the detail that should send chills down every developer’s spine. TrapDoor didn’t just steal credentials directly — it planted .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI coding assistants into running a “security scan” that actually discovers and exfiltrates secrets.

Think about what this means. If you’re using AI coding agents like Cursor or Claude Code, and one of these poisoned files makes it into your project directory, your AI assistant becomes an unwitting accomplice in credential theft. The hidden instructions tell the AI to “scan for security issues” by reading your .env files, SSH keys, and wallet data — and then transmit them to an external endpoint under the guise of a “security report.”

The attackers even opened pull requests on popular open-source AI and developer projects — including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow — containing these poisoned configuration files. If a maintainer had merged any of these PRs, every developer who cloned the repository would have had their AI assistant weaponized against them.

This represents a fundamentally new attack vector. We’ve seen supply chain attacks that target code. We’ve seen attacks that target developers. But TrapDoor is among the first to specifically target the AI tools that developers rely on, turning them from productivity boosters into attack vectors.

What TrapDoor Steals

The breadth of data TrapDoor targets reveals a comprehensive credential harvesting operation. The stolen data includes SSH keys, Sui/Solana/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto wallet extension data, environment variables, API keys, and local development configuration files.

For a crypto developer, losing even one of these items could mean immediate financial loss. For an enterprise developer, compromised AWS credentials or GitHub tokens could lead to infrastructure-level breaches affecting thousands of users.

Who Is Behind TrapDoor?

Attribution in supply chain attacks is notoriously difficult, but several indicators point toward a sophisticated, financially motivated threat actor. The simultaneous targeting of three ecosystems, the use of environmental keying to avoid sandbox detection, the cross-language payload architecture, and the AI poisoning vector all suggest significant resources and planning.

The focus on cryptocurrency and DeFi communities, combined with the sophistication of the wallet-stealing components, is consistent with North Korean-linked groups like Lazarus, which have stolen hundreds of millions in crypto through similar developer-targeted campaigns. However, no definitive attribution has been made.

Detection and Response

One bright spot in the TrapDoor story is the speed of detection. Socket, the software supply chain security firm, detected TrapDoor releases in an average of 5 minutes and 56 seconds, with a median detection time of 5 minutes and 27 seconds. The fastest detection was just 58 seconds after publication.

All 34 packages have been removed from their respective registries. The GitHub Pages domains used for payload delivery have been taken down. The GitHub Gists used for data exfiltration have been flagged and removed.

However, the window between publication and detection — even if it was only minutes — was enough for some packages to be downloaded and installed. Any developer who installed one of the affected packages during that window may have been compromised.

How to Check If You’re Affected

If you work in the crypto, DeFi, Solana, or AI development space and installed any new packages between May 19 and May 25, 2026, you should take immediate action.

First, check your dependency trees. Look for any packages with names related to security scanning, prompt engineering, Solidity deployment, or DeFi threat detection that you don’t recognize. Search your package.json, requirements.txt, and Cargo.toml files for any of the known TrapDoor package names.

Second, check for poisoned AI configuration files. Look for .cursorrules or CLAUDE.md files in your project directories that you didn’t create. These files might contain instructions telling AI assistants to perform “security scans” or “audit” your credentials.

Third, rotate your credentials. If you find any evidence of TrapDoor packages in your environment, assume all credentials are compromised. Rotate SSH keys, API tokens, wallet keys, and any other secrets that were accessible on the affected machine.

Fourth, review your AI assistant activity. If you’ve been using AI coding tools, review their recent actions and any code they generated. Look for any suspicious network calls or file access patterns in the code your AI assistant produced. This is a new hygiene step that developers now need to adopt as AI capabilities grow more powerful.

The Bigger Picture

TrapDoor represents an evolution in supply chain attacks that the security community has been warning about for years. The combination of multi-ecosystem targeting, AI assistant poisoning, and sophisticated credential harvesting creates a threat model that most organizations aren’t prepared for.

The AI poisoning vector is particularly concerning because it exploits a trust relationship that’s only going to become more important. As developers increasingly rely on AI assistants to write, review, and debug code, the attack surface created by poisoned configuration files will only grow.

Package registries are working on better detection mechanisms, but the fundamental challenge remains: open-source ecosystems are built on trust, and any system built on trust can be abused by actors willing to invest the effort to appear trustworthy.

For now, the best defense is vigilance. Verify your dependencies. Review your AI configuration files. And remember that in 2026, a supply chain attack doesn’t just target your code — it targets every tool you use to write it.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *