TrapDoor is a cross-registry developer compromise campaign#
Socket says it has identified an active supply-chain attack it is tracking as TrapDoor, spanning npm, PyPI, and Crates.io. The campaign includes more than 34 malicious packages and 384+ related versions and artifacts, with some packages already removed and others still live at the time Socket published its analysis.
The package count is not the most important part. The useful signal is the target model. TrapDoor is aimed at developers likely to have valuable local secrets: crypto, DeFi, Solana, Sui, Move, AI, and security tooling users. That is where wallets, GitHub tokens, cloud credentials, SSH keys, environment variables, browser data, and private project access tend to sit on the same machine.
Socket reports the earliest package it observed was the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published shortly after. Packages then appeared in waves across registries, published by a small number of accounts and updated through the weekend.
The names were chosen to look routine. Socket describes packages posing as developer helpers, setup tools, model routing utilities, prompt engineering packages, Solidity tooling, and Sui or Move build helpers. That matters because these are not obvious malware names. They sit near real workflows.
Different registries, different execution paths#
TrapDoor does not rely on one ecosystem behavior. It adapts to each registry.
In npm, Socket says the malicious packages use postinstall hooks. That gives the attacker code execution during installation, before a developer has necessarily imported or reviewed anything. Socket identifies a shared payload, crypto-credential-scanner, described as a 1,149-line credential harvester and propagation tool.
That payload does more than collect files. According to Socket, it scans for developer secrets, validates AWS and GitHub tokens through API calls, tries SSH-based lateral movement, and plants persistence through mechanisms including Git hooks, shell hooks, systemd, cron, and SSH. If accurate, that moves the campaign beyond a one-shot grabber. It is built to keep access and possibly reach other machines.
In PyPI, Socket reports packages that execute remote JavaScript on import. That is a different trust seam. Python developers may expect risk during install scripts, but import-time behavior in a utility-looking package is often treated as normal application execution. Pulling a remote payload at that moment reduces what can be learned from the package archive alone.
In Crates.io, Socket observed packages aimed at Sui and Move developers and says the Rust wave showed infrastructure and behavioral overlap with related npm and PyPI packages. The reported goal included exfiltrating wallet keystores and related local material.
The cross-ecosystem design is the point. The same operator does not need every package to be popular. A low-volume package can still be valuable if it lands on a maintainer laptop, a DeFi builder workstation, or a machine with deploy keys and wallet material.
The target is the developer machine, not just the app#
Most dependency-risk writeups focus on what happens to the application. TrapDoor is more personal and more operational. The prize is the developer environment.
Socket lists targeted data including Sui, Solana, and Aptos wallet data; GitHub tokens and credentials; crypto wallet extension data; and local development configuration files. Those categories overlap in dangerous ways. A stolen wallet key creates direct financial risk. A GitHub token can expose private repositories or CI workflows. A cloud credential can open infrastructure. An SSH key can become a bridge to other systems.
That mix is why persistence and validation matter. Malware that immediately checks whether an AWS or GitHub token works gives the attacker faster triage. Malware that reuses SSH keys for lateral movement treats the developer laptop as a foothold, not an endpoint.
Socket also reports shared infrastructure tied to a GitHub account and content hosted under a GitHub Pages site at ddjidd564[.]github[.]io/defi-security-best-practices/. The same repository allegedly contained attacker-authored material on exfiltration, prompt injection, AI-agent abuse, persistence, and malware development concepts. Treat that as attribution evidence from Socket’s analysis, not as a court-grade identity claim.
One detail is especially current: Socket says the campaign includes AI injection targeting developer assistants. That does not mean every AI coding tool is compromised. It does mean attackers are thinking about the toolchain as a whole: package managers, local secrets, agent prompts, generated commands, and automated development workflows.
What teams should check now#
Start with dependency history, not just current manifests. Socket says TrapDoor involved hundreds of versions and artifacts, and some packages were removed while others remained live at publication time. A package disappearing from a registry does not clean machines that already installed it.
Practical checks:
- Review recent npm, PyPI, and Crates.io additions in crypto, DeFi, AI, Solidity, Sui, Move, and security-tooling projects.
- Look for packages installed around May 22, 2026 and after, especially newly published helpers with generic names.
- Audit npm packages with
postinstallbehavior, especially anything that ran during local setup or CI. - Inspect Python packages that fetch or execute remote code on import.
- Rotate exposed GitHub, cloud, SSH, and wallet-related secrets if a suspicious package was installed.
- Check for unexpected Git hooks, shell profile edits, cron entries, systemd units, and SSH configuration changes.
- Review outbound connections to unfamiliar GitHub Pages-hosted payloads or configuration endpoints.
For developer machines, do not stop at uninstalling the package. If the host executed a credential stealer, assume local secrets may have been copied. Rotation and persistence checks are the real remediation line.
CI systems deserve separate attention. A malicious package installed in CI may have seen repository tokens, build secrets, package-publishing credentials, deployment keys, and cloud environment variables. Those are often more useful than a single developer’s local files.
What not to overclaim#
Socket describes TrapDoor as active at the time of writing and says some packages were still live then. That status can change quickly. Registry removals, account takedowns, and package metadata may differ by the time a team reads this.
The public source material supports a campaign-level link across npm, PyPI, and Crates.io based on infrastructure and behavioral overlap. It does not, from the excerpt alone, establish victim counts, confirmed theft totals, financial losses, or the attacker’s real-world identity.
The right conclusion is narrower and stronger: attackers are packaging credential theft in the shape of normal developer utilities, then adapting execution to each ecosystem. Crypto and AI developers are attractive because their machines often concentrate keys, tokens, wallets, and automation. Low download numbers should not be treated as low risk when the target is high-value access.