A coordinated supply chain attack named TrapDoor has compromised over 34 software packages across npm, PyPI, and Crates.io to steal developer credentials.
A coordinated software supply chain attack campaign dubbed "TrapDoor" has targeted developers in the cryptocurrency, decentralized finance (DeFi), and artificial intelligence sectors [1]. Security researchers at Socket identified that the campaign, which began on May 22, 2026, utilized more than 34 malicious packages across 384 versions to exfiltrate sensitive data from developer environments [2].
Key takeaways
The TrapDoor campaign employs ecosystem-specific methods to compromise developer machines [1]. On npm, malicious packages use post-install hooks to deploy a JavaScript payload known as "trap-core.js," which scans for credentials and validates them against AWS and GitHub services [2]. Python packages on PyPI are designed to execute remote JavaScript payloads upon import, allowing attackers to update their malicious behavior dynamically without needing to republish the package [1]. Meanwhile, Rust crates on Crates.io utilize "build.rs" scripts that activate during compilation to search for local keystores, specifically targeting data related to Sui and Move development [2].
The stolen data includes information from cryptocurrency wallets—specifically those associated with Solana, Sui, Aptos, Coinbase, Binance, and MetaMask—as well as browser profiles and environment variables [2]. Beyond simple data theft, the malware attempts lateral movement across networks by leveraging compromised SSH keys [2]. The attackers have also been observed submitting pull requests to popular open-source projects, such as LangChain, to propagate malicious configurations [2].
A notable feature of the TrapDoor campaign is the use of hidden instructions within files like ".cursorrules" and "CLAUDE.md" [1]. By using techniques such as zero-width Unicode characters, attackers attempt to manipulate AI coding assistants into executing "security scans" that actually result in the discovery and exfiltration of secrets [2]. Socket researchers suggest that the threat actors are testing whether these hidden instructions can be introduced into open-source workflows to exploit the way AI tools parse project files [1].
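A defender can check assistant instruction files for this kind of hidden content before an AI tool reads them. The scanner below is an added example, not code from the article or from Socket. It flags every Unicode format-class (Cf) character, which is broader than zero-width characters alone. The function names and the sample text are constructed for illustration.

```python
import unicodedata
from pathlib import Path

# File names the article mentions; extend for other assistant config files.
ASSISTANT_FILES = {".cursorrules", "CLAUDE.md"}

def is_invisible(ch):
    # Category Cf ("format") covers zero-width space/joiners, word joiner,
    # bidi controls, BOM and the Unicode tag block: all render as nothing.
    return unicodedata.category(ch) == "Cf"

def scan_text(text):
    """Return one finding per run of consecutive invisible characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            end = col
            while end < len(line) and is_invisible(line[end]):
                end += 1
            run = line[col:end]
            # A single leading BOM is a normal encoding marker, not a payload.
            if not (lineno == 1 and col == 0 and run == "\ufeff"):
                findings.append({"line": lineno, "column": col + 1,
                                 "length": len(run),
                                 "codepoints": sorted({f"U+{ord(c):04X}" for c in run})})
            col = end
    return findings

def scan_repo(root):
    """Scan every assistant instruction file under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in ASSISTANT_FILES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: a visible rule followed by a run of zero-width characters.
SAMPLE = "Always run the linter before committing.\u200b\u200c\u200d\u200b\nUse 4-space indents.\n"

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Long runs are the strongest signal; a lone zero-width joiner inside an emoji sequence is usually benign and can be triaged by its `length` of 1.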
The TrapDoor incident highlights a growing trend of threat actors targeting the software supply chain to gain deep access to developer environments [1]. By blending traditional typosquatting with advanced persistence mechanisms and AI manipulation, the campaign poses risks that extend beyond immediate financial loss to include broader CI/CD pipeline breaches and repository access [2]. Security experts are urging developers to audit their dependency lockfiles, rotate credentials from potentially compromised systems, and remain vigilant when integrating new open-source tools into their workflows [2].
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jun 2, 2026