A large-scale supply chain attack is tearing through three of the biggest open source package ecosystems, and it is going after crypto developers specifically.
Security firm Socket, which first flagged the campaign, is calling it “TrapDoor.” The operation spans 34 malicious packages and more than 384 versions and artifacts published across npm, PyPI, and Crates.io. At the time of Socket’s disclosure on May 24, some packages had already been pulled by registry maintainers while others were still live and downloadable.
The targets are not random. TrapDoor is designed to hit developers working in crypto, DeFi, Solana, AI, and security tooling, the exact communities where wallet keys, cloud credentials, and sensitive tokens are most likely sitting on local machines.
Socket shared the initial findings in a detailed blog post and broke the news on X with a post that called it a “BREAKING” active attack.
The Latest: Attacker activity goes well beyond package registries
In its most recent update, posted roughly 17 hours ago on X, Socket said it had expanded its TrapDoor investigation and reported the attacker’s GitHub account to the platform.
The key finding is that the attacker was not just pushing poisoned packages. The GitHub account behind TrapDoor also maintained payload and configuration infrastructure, published AI and security-themed lure repositories to attract developer attention, and planted issues and discussions promoting fake “security” workflows in legitimate developer communities.
Socket specifically called out an MCP-style repository named “env-security-scanner,” along with multiple DeFi and security-themed lure repos, as examples of this broader activity. The attacker was essentially building a web of credibility around the malicious packages, making them look like they belonged in a developer’s toolchain.
How the attack unfolded
The first package Socket spotted was eth-security-auditor@0.1.0 on PyPI, uploaded on May 22, 2026, at 20:20:18 UTC. From that point, things moved fast. The attacker published packages in rapid waves throughout the weekend across all three registries, using a small set of accounts to flood the ecosystem.
The package names were picked carefully to look like normal development tools. On npm, names like token-usage-tracker, wallet-security-checker, defi-env-auditor, prompt-engineering-toolkit, and llm-context-compressor were designed to blend right into a developer’s dependency list without raising suspicion. On Crates.io, the campaign zeroed in on Sui and Move developers with packages like sui-move-build-helper and move-compiler-tools. On PyPI, names like cryptowallet-safety and defi-risk-scanner followed the same playbook.
In total, Socket identified 21 npm packages, 7 PyPI packages, and 6 Crates.io packages linked to TrapDoor.
What gets stolen
The list of data TrapDoor goes after is long and alarming. According to Socket’s analysis, the malicious packages are designed to harvest SSH keys, Sui, Solana, and Aptos wallet data, AWS credentials, GitHub tokens, browser profile data and login databases, crypto wallet extension data, environment variables, API keys, and local development configuration files.
That is not just a credential grab. Stolen SSH keys can be reused for lateral movement into CI/CD pipelines, private repositories, and deployment infrastructure. Cloud and GitHub credentials can expose entire organizations.
Three ecosystems, three attack methods
Each ecosystem gets its own tailored execution path.
On npm, the packages use postinstall hooks. The moment you run npm install, a shared payload called trap-core.js fires up. It is a 1,149-line credential harvester that scans for secrets, validates stolen AWS and GitHub tokens through live API calls to check if they are still active, and then digs in for the long haul.
The persistence mechanisms include .cursorrules files, CLAUDE.md files, Git hooks, shell hooks, systemd services, cron jobs, and SSH-based lateral movement. One package, dev-env-bootstrapper, functions as both malware and a delivery vehicle, helping spread malicious configuration into other developer environments.
On Crates.io, the attack abuses build.rs, which runs automatically during Rust compilation. Before a developer ever runs a single line of the package’s actual code, the build script has already located local keystores, encrypted the data using a hardcoded XOR key, and shipped it off to GitHub Gists.
On PyPI, the packages auto-execute on import, download JavaScript from an attacker-controlled GitHub Pages domain, and run it through node -e. This approach lets the attacker update the payload remotely without ever pushing a new version to PyPI.
The AI angle: Poisoning developer assistants
One of the more striking elements of TrapDoor is how it weaponizes AI coding tools.
The campaign plants hidden instructions inside .cursorrules and CLAUDE.md files using zero-width Unicode characters. These files are commonly used to give project-specific guidance to AI assistants like Cursor and Claude Code. The hidden directives attempt to trick the AI into running what looks like a “security scan” but is actually a data exfiltration routine.
Socket noted that the technique may not work consistently across all tools or models, but the fact that it is being actively deployed signals a new front in supply chain attacks. Developers are now dealing with the possibility that their AI assistants could be turned against them.
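A defender can check for the hidden-character technique described above with a short scanner. The following is an added example, not code from Socket or from the campaign; the character sets and function names are choices made for this sketch, and the sample string is constructed.

```python
import unicodedata
from pathlib import Path

# Code points that render as nothing but survive copy/paste and code review.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
TAG_BLOCK = range(0xE0000, 0xE0080)
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}  # the file names cited in the article

def classify(ch):
    """Return a label for an invisible/format character, or None if visible."""
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI:
        return "bidi-control"
    if cp in TAG_BLOCK:
        return "tag-character"
    if unicodedata.category(ch) == "Cf":
        return "other-format"  # e.g. U+200E/U+200F marks, soft hyphen
    return None

def scan_text(text):
    """List (line, column, code point, kind) for every hidden character."""
    return [(ln, col, f"U+{ord(ch):04X}", classify(ch))
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if classify(ch)]

def visible_text(text):
    """What a human reviewer sees: the text with hidden characters removed."""
    return "".join(ch for ch in text if classify(ch) is None)

def scan_tree(root):
    """Scan every .cursorrules / CLAUDE.md under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGET_NAMES:
            # utf-8-sig drops a legitimate leading byte-order mark
            hits = scan_text(path.read_text(encoding="utf-8-sig", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: an innocuous-looking rule with hidden characters appended.
SAMPLE = "Run the linter before commit.\u200b\u200c\u200d\nUse \u202etabs\u202c.\n"

if __name__ == "__main__":
    for path, hits in scan_tree(".").items():
        for hit in hits:
            print(path, *hit)
```

Any finding in an AI-assistant instruction file deserves a manual look, since these files have no legitimate need for invisible characters.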
Attacker opens pull requests on LangChain, LlamaIndex, MetaGPT, and more
The campaign did not stop at package registries. The same GitHub account, ddjidd564, opened pull requests on several high-profile AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands.
The PRs tried to add .cursorrules or CLAUDE.md files under innocent-sounding titles like “docs: add .cursorrules with dev standards and build verification.” Several referenced the campaign marker P-2024-001 and framed the changes as coding standards or build verification guidelines.
GitHub flagged at least one of these PRs for containing hidden or bidirectional Unicode text. The strategy is clear: get malicious configuration merged into popular open source projects where AI tools will read and follow the embedded instructions.
An entire playbook found in the open
In a somewhat unusual discovery, Socket researchers found an AUDIT-MATRIX.md document inside the attacker’s GitHub Pages repository. The file describes the operation as a “Universal AI Agent Extraction Framework” and lays out a staged workflow for capability detection, data extraction, self-replication, and telemetry reporting.
The document’s “disguise layer” section maps credential theft actions to benign-sounding tasks like security audits, wallet safety checks, and cloud configuration validation. It is, in effect, a blueprint for making data theft look like routine developer tooling.
Socket cautioned that the document describes itself as partially implemented, but the concepts it outlines match the behaviors observed in the live npm payloads.
How fast was it caught?
Socket says it detected TrapDoor releases with a median detection time of 5 minutes and 27 seconds across 381 package-version records. The fastest detection happened just 58 seconds after a malicious package was published.
All identified packages have been classified as malicious, and Socket has reported them to the affected registries. The firm is tracking the campaign on a dedicated page.
What developers should do right now
Anyone working in crypto, DeFi, Solana, Sui, Move, or AI development should check their dependencies immediately against the full list of malicious packages published by Socket.
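As a starting point for that check, the sketch below looks for the package names cited in this article in npm, PyPI and Cargo lock data, and also lists npm dependencies that run install scripts. It is an added example, not Socket's tooling; it covers only the names mentioned here rather than the full list, and the sample inputs and their `0.0.0` versions are constructed placeholders.

```python
import json
import re

# Package names cited in this article only; Socket's full list (34 packages) is longer.
NAMED = {
    "npm": {"token-usage-tracker", "wallet-security-checker", "defi-env-auditor",
            "prompt-engineering-toolkit", "llm-context-compressor", "dev-env-bootstrapper"},
    "pypi": {"eth-security-auditor", "cryptowallet-safety", "defi-risk-scanner"},
    "crates": {"sui-move-build-helper", "move-compiler-tools"},
}

def check_npm_lock(lock_json):
    """package-lock.json v2/v3: return (named hits, other packages with install scripts)."""
    hits, scripted = [], []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]  # handles nested and @scoped paths
        if not name:
            continue  # the "" key is the root project itself
        if name in NAMED["npm"]:
            hits.append(f"{name}@{meta.get('version')}")
        elif meta.get("hasInstallScript"):
            scripted.append(name)  # runs code at install time: review, not a verdict
    return hits, scripted

def check_requirements(text):
    """requirements.txt: match the project name at the start of each line."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        # PyPI treats runs of '-', '_' and '.' as equivalent and ignores case.
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() in NAMED["pypi"]:
            hits.append(line.strip())
    return hits

def check_cargo_lock(text):
    """Cargo.lock: each [[package]] entry lists name, then version."""
    pairs = re.findall(r'^name = "([^"]+)"\nversion = "([^"]+)"', text, re.M)
    return [f"{n}@{v}" for n, v in pairs if n in NAMED["crates"]]

# Constructed sample inputs (versions other than 0.1.0 are placeholders).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/defi-env-auditor": {"version": "0.0.0", "hasInstallScript": True},
    "node_modules/esbuild": {"version": "0.0.0", "hasInstallScript": True},
    "node_modules/left-pad": {"version": "0.0.0"}}})
SAMPLE_REQS = "requests==2.0\nEth_Security.Auditor==0.1.0  # pinned\n"
SAMPLE_CARGO = ('[[package]]\nname = "serde"\nversion = "0.0.0"\n\n'
                '[[package]]\nname = "move-compiler-tools"\nversion = "0.0.0"\n')
```

Checking lockfiles rather than top-level manifests matters because a malicious package can arrive as a transitive dependency.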
If any of these packages made it into your environment, treat it as a full compromise. Rotate all credentials, SSH keys, API keys, and wallet keys. Check for unauthorized systemd services, cron jobs, Git hooks, and shell hooks on your machine. Review any .cursorrules or CLAUDE.md files in your projects for hidden Unicode characters.
The TrapDoor campaign is a reminder that supply chain attacks are no longer just about sneaking a bad package past a registry. Attackers are now building entire ecosystems around their malware, complete with lure repositories, community engagement, AI assistant manipulation, and pull requests against some of the most-watched projects in open source. For crypto developers, the stakes could not be higher.
