Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New Supply Chain Attack Hits npm, PyPI, and Crates

New Supply Chain Attack Hits npm, PyPI, and Crates

Posted on May 25, 2026 By CWS

A recent cyber attack has compromised 34 packages within npm, PyPI, and Crates.io, deploying numerous malicious versions in a bid to steal developer credentials and cryptocurrency wallets. This new threat, known as the TrapDoor supply chain campaign, is particularly targeting developers involved in cryptocurrency, DeFi, Solana, and artificial intelligence.

Targeted Developer Communities

The TrapDoor campaign strategically infiltrates by masquerading as legitimate developer tools and security scanners. The attack began with the PyPI package [email protected] released on May 22, 2026, and has since expanded across various repositories. Deceptive package names like prompt-engineering-toolkit and defi-threat-scanner have been used to penetrate developer communities.

Socket’s security systems detected these malicious releases with a median detection time of 5 minutes and 27 seconds, enabling the classification of the entire campaign as harmful before it could gain significant traction.

Cross-Ecosystem Attack Strategies

The TrapDoor campaign employs ecosystem-specific methods to maximize its reach during typical developer workflows. Different execution paths are tailored for each package registry, ensuring the malware executes silently before thorough inspection by developers. For npm, postinstall hooks are utilized, while PyPI packages execute automatically upon import. Crates.io scripts target local Sui and Move developer keystores.

Extensive data harvesting is a core component of this attack, focusing on crypto wallets, SSH keys, and AWS environment variables. The npm payload, trap-core.js, establishes persistent access through systemd services, cron jobs, and other methods.

AI and Broader Implications

TrapDoor’s sophistication extends to targeting AI coding assistants. Modified project files trick AI systems into executing malicious credential exfiltration. These attacks have been propagated through deceptive pull requests to popular open-source AI projects.

The campaign’s command and control infrastructure on GitHub Pages supports its operations, utilizing advanced cryptography to evade standard network detections. This framework aims to validate stolen AWS and GitHub tokens via live API queries, enhancing the value of the exfiltrated data.

As this attack continues to unfold, it highlights the critical need for developers to remain vigilant and employ robust security measures to protect their environments from such evolving threats.

Cyber Security News Tags:AI security, Crates.io, cryptocurrency security, Cybersecurity, developer security, Malware, NPM, PyPI, supply chain attack, TrapDoor campaign

Post navigation

Previous Post: Top Malware Sandbox Tools Enhancing Security in 2026
Next Post: Pentest Agent Suite: Autonomous Security Framework Unveiled

Related Posts

PamStealer Targets macOS Users via Fake Clipboard Manager PamStealer Targets macOS Users via Fake Clipboard Manager Cyber Security News
GitLab Security Update – Patch for Multiple Vulnerabilities in Community and Enterprise Edition GitLab Security Update – Patch for Multiple Vulnerabilities in Community and Enterprise Edition Cyber Security News
Lazarus Subgroup ‘TraderTraitor’ Attacking Cloud Platforms and Poisoning Supply Chains Lazarus Subgroup ‘TraderTraitor’ Attacking Cloud Platforms and Poisoning Supply Chains Cyber Security News
Kenyan Filmmakers Installed With FlexiSPY Spyware That Monitors Messages and Social Media Kenyan Filmmakers Installed With FlexiSPY Spyware That Monitors Messages and Social Media Cyber Security News
Hackers Mimic as OpenAI and Sora Services to Steal Login Credentials Hackers Mimic as OpenAI and Sora Services to Steal Login Credentials Cyber Security News
Interlock Ransomware Employs ClickFix Technique to Run Malicious Commands on Windows Machines Interlock Ransomware Employs ClickFix Technique to Run Malicious Commands on Windows Machines Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark