Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New Supply Chain Attack Hits npm, PyPI, and Crates

New Supply Chain Attack Hits npm, PyPI, and Crates

Posted on May 25, 2026 By CWS

A recent cyber attack has compromised 34 packages within npm, PyPI, and Crates.io, deploying numerous malicious versions in a bid to steal developer credentials and cryptocurrency wallets. This new threat, known as the TrapDoor supply chain campaign, is particularly targeting developers involved in cryptocurrency, DeFi, Solana, and artificial intelligence.

Targeted Developer Communities

The TrapDoor campaign strategically infiltrates by masquerading as legitimate developer tools and security scanners. The attack began with the PyPI package [email protected] released on May 22, 2026, and has since expanded across various repositories. Deceptive package names like prompt-engineering-toolkit and defi-threat-scanner have been used to penetrate developer communities.

Socket’s security systems detected these malicious releases with a median detection time of 5 minutes and 27 seconds, enabling the classification of the entire campaign as harmful before it could gain significant traction.

Cross-Ecosystem Attack Strategies

The TrapDoor campaign employs ecosystem-specific methods to maximize its reach during typical developer workflows. Different execution paths are tailored for each package registry, ensuring the malware executes silently before thorough inspection by developers. For npm, postinstall hooks are utilized, while PyPI packages execute automatically upon import. Crates.io scripts target local Sui and Move developer keystores.

Extensive data harvesting is a core component of this attack, focusing on crypto wallets, SSH keys, and AWS environment variables. The npm payload, trap-core.js, establishes persistent access through systemd services, cron jobs, and other methods.

AI and Broader Implications

TrapDoor’s sophistication extends to targeting AI coding assistants. Modified project files trick AI systems into executing malicious credential exfiltration. These attacks have been propagated through deceptive pull requests to popular open-source AI projects.

The campaign’s command and control infrastructure on GitHub Pages supports its operations, utilizing advanced cryptography to evade standard network detections. This framework aims to validate stolen AWS and GitHub tokens via live API queries, enhancing the value of the exfiltrated data.

As this attack continues to unfold, it highlights the critical need for developers to remain vigilant and employ robust security measures to protect their environments from such evolving threats.

Cyber Security News Tags:AI security, Crates.io, cryptocurrency security, Cybersecurity, developer security, Malware, NPM, PyPI, supply chain attack, TrapDoor campaign

Post navigation

Previous Post: Top Malware Sandbox Tools Enhancing Security in 2026
Next Post: Pentest Agent Suite: Autonomous Security Framework Unveiled

Related Posts

Pentest Agent Suite: Autonomous Security Framework Unveiled Pentest Agent Suite: Autonomous Security Framework Unveiled Cyber Security News
Massive Android Ad Fraud ‘IconAds’ Leverages Google Play to Attack Phone Users Massive Android Ad Fraud ‘IconAds’ Leverages Google Play to Attack Phone Users Cyber Security News
Claude Vulnerabilities Let Attackers Execute Unauthorized Commands With its Own Help Claude Vulnerabilities Let Attackers Execute Unauthorized Commands With its Own Help Cyber Security News
Numerous Applications Using Google’s Firebase Platform Leaking Highly Sensitive Data Numerous Applications Using Google’s Firebase Platform Leaking Highly Sensitive Data Cyber Security News
Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication Cyber Security News
Windows Imaging Component Vulnerability Can Lead to RCE Attacks Under Complex Attack Scenarios Windows Imaging Component Vulnerability Can Lead to RCE Attacks Under Complex Attack Scenarios Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark