TrapDoor Attack Compromises Developer Tools in Supply Chain Campaign
Severity: High (Score: 67.5)
Sources: www.stepsecurity.io, phoenix.security, Cryptorank, Letsdatascience, www.sonatype.com
Keywords: trapdoor, pypi, next, defi, exploit, start, before
Summary
The TrapDoor campaign, disclosed by Socket on May 24, 2026, involved the deployment of over 34 malicious packages and more than 384 versions across npm, PyPI, and Crates.io. These packages targeted developers by stealing credentials and manipulating AI coding assistants. The attack utilized postinstall hooks and hidden Unicode injections to alter files like .cursorrules and CLAUDE.md, which are used by AI tools to guide development workflows. The average detection time for these malicious packages was recorded at 5 minutes and 56 seconds. The campaign's impact extends to potential downstream exploits in decentralized finance (DeFi) systems, as compromised developer environments can lead to unauthorized access to repositories and deployment keys. Socket's telemetry indicated a coordinated release of these packages, raising significant concerns about supply chain security in the software development ecosystem.
Key Points:
- TrapDoor campaign involved 34+ malicious packages targeting developer credentials.
- Attack methods included hidden Unicode injections and postinstall hooks in package installations.
- Average detection time for the malicious packages was 5 minutes and 56 seconds.
Detailed Analysis
**Impact** The campaign compromised developer tools across the npm, PyPI, and Crates.io ecosystems through more than 34 malicious packages and 384 versions. Targeted victims include developers working on DeFi projects, exposing SSH keys, AWS credentials, GitHub tokens, browser login data, and crypto wallet keystores for Solana, Sui, and Aptos chains. The attack enables unauthorized access to repositories, CI/CD pipelines, cloud accounts, and deployment keys, potentially leading to multi-million-dollar downstream DeFi exploits and operational disruptions. The geographic scope is global, impacting open-source and blockchain development communities.

**Technical Details** The attack vector involves malicious packages leveraging postinstall hooks, import-time execution, and build scripts to deploy a shared payload, trap-core.js, which harvests credentials and establishes persistence via .cursorrules, CLAUDE.md files, Git hooks, shell hooks, systemd units, cron jobs, and SSH authorized_keys. Hidden zero-width Unicode characters inject covert instructions into AI assistant configuration files, manipulating AI-assisted workflows for secret discovery and data exfiltration. Payloads are fetched remotely from attacker-controlled GitHub Pages domains. No CVEs were explicitly mentioned. The kill chain includes initial compromise, credential theft, lateral movement, persistence, and exfiltration.

**Recommended Response** Immediately rotate all potentially exposed credentials, including SSH keys, AWS tokens, and GitHub tokens. Deploy detection rules for suspicious postinstall hooks, unusual modifications to .cursorrules and CLAUDE.md files, and network connections to known malicious domains such as ddjidd564.github[.]io. Harden developer environments by restricting package execution permissions and monitoring build scripts for anomalies. Continuously monitor AI assistant configuration files for unauthorized hidden Unicode injections. No specific patches are noted; focus on credential hygiene and behavioral detection.
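One way to monitor AI assistant configuration files for hidden Unicode, as an added example that is not code from Socket or any of the cited sources. It flags every Unicode format character (category Cf) in .cursorrules and CLAUDE.md files, which goes beyond zero-width characters to also cover bidi controls and tag characters; the function names and the sample string are constructed for illustration.

```python
import os
import sys
import unicodedata

# File names the page lists as AI assistant instruction files.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}

def hidden_chars(text):
    """Return (line, column, 'U+XXXX', name) for each invisible format character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # Category Cf covers zero-width space and joiners, word joiner, BOM,
            # bidi controls and the Unicode tag block; none of them render.
            if unicodedata.category(ch) != "Cf":
                continue
            # A single BOM as the very first character is only an encoding marker.
            if ch == "\ufeff" and line_no == 1 and col == 1:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((line_no, col, f"U+{ord(ch):04X}", name))
    return findings

def scan_tree(root):
    """Walk root and return {path: findings} for target files with hidden characters."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for fname in filenames:
            if fname not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = hidden_chars(fh.read())
            if found:
                results[path] = found
    return results

# Constructed sample: a visible rule followed by four zero-width characters.
SAMPLE = "Use 4-space indentation.\u200b\u200c\u200d\u2060\nRun tests before commit.\n"

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in hits.items():
        for line_no, col, cp, name in found:
            print(f"{path}:{line_no}:{col}: {cp} {name}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit or CI job fail
```

Run against a checkout root, the script exits non-zero when any finding exists, so it can gate a pre-commit hook or CI step.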
Source articles (5)
- TrapDoor Attack Targets CLAUDE.md and .cursorrules With Zero — Letsdatascience · 2026-05-26
  The first package landed on PyPI at 20:20:18 UTC on Friday night. It was called eth-security-auditor, version 0.1.0, and it looked like exactly what its name suggested: a security scanner for Ethereu…
- The next big DeFi exploit will start before the code is deployed — Cryptorank · 2026-05-26
  Socket disclosed on May 24 that the TrapDoor campaign planted 34+ malicious packages and 384+ versions across npm, PyPI and Crates.io to steal developer credentials and access repositories, CI/CD pipe…
- TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning — phoenix.security · 2026-05-26
- 5 Supply Chain Attacks In 48 Hours Why Securing One Layer Is Not Enough — www.stepsecurity.io · 2026-05-27
- Open Source Malware — www.sonatype.com · 2026-05-27
Timeline
- 2026-05-24 — TrapDoor campaign disclosed: Socket reported the deployment of over 34 malicious packages across multiple ecosystems targeting developer credentials.
- 2026-05-25 — Socket analysis published: Socket detailed the attack pipeline, including credential theft and AI manipulation techniques.
- 2026-05-26 — Malicious packages identified: Socket confirmed the presence of 384+ versions of malicious packages affecting npm, PyPI, and Crates.io.
Related entities
- Supply Chain Attack (Attack Type)
- SafeDep (Campaign)
- Drift (Campaign)
- Trapdoor (Platform)
- Immunefi (Platform)
- Crates.io (Platform)
- Aptos (Platform)
- GitHub (Platform)
- Move (Platform)
- PyPI (Platform)
- PyTorch (Platform)
- Solana (Platform)
- Sui (Platform)
- Chainalysis (Company)
- Guardrails AI (Company)
- KelpDAO (Company)
- Mistral SDK (Company)
- Resolv (Company)
- Sonatype (Company)
- StepSecurity (Company)
- TanStack (Company)
- TRM Labs (Company)
- UiPath (Company)
- Ethereum (Company)
- LangChain (Company)
- Langflow (Company)
- Cursor (Company)
- OpenSearch (Tool)
- Socket (Tool)
- LiteLLM (Tool)
- Claude (Tool)
- GitHub Pages (Tool)
- Npm (Tool)
- Python (Tool)
- Claude Code (Tool)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- ddjidd564.github.io (Domain)
- dockerfile.as (Domain)
- Shai-hulud (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1021.004 - SSH (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- T1552.001 - Credentials In Files (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)