Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
TrapDoor Attack Targets npm, PyPI, and CratesIO

TrapDoor Attack Targets npm, PyPI, and CratesIO

Posted on May 25, 2026 By CWS

A sophisticated software supply chain attack known as TrapDoor has been identified across npm, PyPI, and Crates.io, aiming to distribute malware that steals credentials. This attack is notable for its broad reach, affecting over 34 malicious packages and more than 384 versions. The campaign first surfaced on May 22, 2026, with packages rapidly published from multiple accounts.

Targeted Developer Communities

TrapDoor specifically targets developers involved in cryptocurrency, decentralized finance (DeFi), Solana, and artificial intelligence (AI) sectors. According to the cybersecurity firm Socket, these malicious packages are crafted to extract developer secrets, such as crypto wallets, SSH keys, cloud credentials, and browser data. This highlights a growing trend of attacks aimed at exploiting high-value digital targets.

Among the npm packages, a common payload known as trap-core.js is deployed. This script is responsible for scanning and validating credentials, facilitating SSH-based lateral movement, and establishing persistence through various means including systemd and cron jobs. Such sophisticated techniques enable the malware to maintain a foothold on compromised systems.

Malware Distribution Techniques

The TrapDoor campaign is distinct for its use of diverse distribution methods. Attackers leverage postinstall hooks, remote JavaScript payloads, and malicious build.rs scripts to infiltrate systems, particularly targeting Sui and Move developers. By masquerading as legitimate tools, these packages can deceive unsuspecting users and gain widespread distribution.

The Rust crates employed in the attack seek out local keystores, encrypt data using a hardcoded XOR key, and exfiltrate the information to GitHub Gists. Similarly, Python packages are designed to auto-execute upon import, downloading JavaScript from attacker-controlled domains. This strategy allows attackers to update the payload remotely, enhancing their operational flexibility.

Implications for Developer Workflows

An unusual tactic observed in this campaign involves embedding hidden instructions within files such as .cursorrules and CLAUDE.md. These are intended to deceive AI assistants into conducting unauthorized security scans, inadvertently leading to secret exfiltration. By opening GitHub pull requests in popular AI and developer projects, the attackers test the viability of introducing malicious files through standard contribution processes.

The TrapDoor campaign exemplifies the evolving threat landscape, where attackers increasingly target developer workflows to gain access to sensitive information. By exploiting ecosystem-specific execution paths, such as build.rs in Rust, postinstall hooks in npm, and import-time execution in Python, attackers are able to tailor their strategies to specific development environments and maximize their impact.

This attack underscores the need for heightened vigilance and robust security practices among developers, particularly those working in high-stakes sectors like cryptocurrency and AI. As attackers grow more sophisticated, protecting developer environments becomes critical to safeguarding sensitive data and maintaining secure software supply chains.

The Hacker News Tags:AI communities, CratesIO, credential-stealing malware, crypto wallets, developer security, NPM, PyPI, software ecosystem, supply chain attack, Trapdoor

Post navigation

Previous Post: CISA Alerts on Critical Drupal SQL Injection Threat
Next Post: GitHub Enhances npm Security with Staged Publishing

Related Posts

Notepad++ Hosting Compromise Linked to Chinese Hackers Notepad++ Hosting Compromise Linked to Chinese Hackers The Hacker News
Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems The Hacker News
Why CISOs Must Rethink Incident Remediation Why CISOs Must Rethink Incident Remediation The Hacker News
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers The Hacker News
Npm Packages Exploit Crypto Keys and CI Secrets Npm Packages Exploit Crypto Keys and CI Secrets The Hacker News
n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark