A coordinated campaign called TrapDoor is using npm, PyPI, and Crates.io packages to steal developer credentials, wallets, keys, and cloud secrets. Socket’s research, cited by The Hacker News, tracks more than 34 malicious packages across over 384 versions, with the earliest recorded activity on May 22, 2026 at 20:20 UTC.
The campaign is aimed at developers working around crypto, DeFi, Solana, Sui, Move, and AI tooling. That targeting is not incidental. These are environments where a single leaked token, wallet key, SSH credential, or cloud secret can become a route into code, funds, infrastructure, or downstream users.
This TrapDoor activity is separate from another campaign with the same name reported by HUMAN’s Satori team last week, which involved ad fraud through Android apps on Google Play. Same label, different operation.
What is known#
The campaign spans three major open-source package ecosystems: npm for JavaScript, PyPI for Python, and Crates.io for Rust. The packages were published in waves from a cluster of accounts, according to Socket, and used names that appeared relevant to developer workflows rather than obvious malware bait.
The reported package themes include crypto credential scanning, prompt engineering, local environment setup, security tooling, and blockchain developer utilities. The point is simple: meet developers where they already install tools.
The npm packages are reported to deploy a shared JavaScript payload named trap-core.js. Socket says that payload scans for credentials and developer secrets, validates AWS and GitHub tokens through API calls, attempts SSH-based lateral movement, and plants persistence using several local mechanisms.
Those persistence paths reportedly include .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH. Some of these are old operator tradecraft. Some are more specific to current AI-assisted coding environments.
The Python packages use a different route. They are designed to execute on import, then fetch JavaScript from an attacker-controlled GitHub Pages domain and run it with node -e. That design lets the attacker change behavior after publication without pushing a new PyPI release. The package becomes a loader, not the full payload.
The Rust crates use build.rs, the Rust build script mechanism, to trigger malicious execution. They reportedly search for local keystores, encrypt data with a hardcoded XOR key, and exfiltrate it to GitHub Gists. That is not sophisticated cryptography. It does not need to be. The practical value is in hiding and moving stolen local material quickly enough.
The sharper part: AI instruction files as an attack path#
The unusual part is the campaign’s reported use of .cursorrules and CLAUDE.md files containing hidden instructions meant to influence AI coding assistants. Socket says the actor opened GitHub pull requests against popular AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow.
The apparent goal was not just to publish poisoned packages. It was to test whether malicious project-level instruction files could enter repositories through normal open-source contribution workflows, then be parsed by AI coding tools as trusted context.
That matters because AI assistants often operate inside a developer’s local environment, where secrets, shell access, repository metadata, and project instructions may sit close together. If an assistant treats a repository file as instruction rather than untrusted content, the repo itself becomes a prompt delivery channel.
The reported instruction theme is especially blunt: trick the assistant into running a “security scan” that discovers and exfiltrates secrets. That framing is effective because it looks like a defensive task. It also abuses a common developer habit: letting tools inspect the local project tree because the tool is supposed to help.
This does not prove that every AI coding assistant is equally vulnerable to this tactic. The source material does not establish successful compromise through those pull requests. The useful conclusion is narrower and stronger: AI-specific project files are now attractive enough that attackers are testing them in the open-source contribution path.
Why this campaign is useful to attackers#
TrapDoor combines several execution models instead of relying on one ecosystem’s weakness.
In npm, postinstall and package lifecycle behavior have long been a high-risk path because code can run as part of installation. In PyPI, import-time execution can turn a seemingly harmless library import into a trigger. In Rust, build.rs gives crates a legitimate build-time execution mechanism that can be abused when developers or CI systems compile dependencies.
The campaign also separates delivery from payload in places. A PyPI package that pulls remote JavaScript is easier to update after publication. A package that validates stolen AWS or GitHub tokens can sort useful secrets from noise before the operator spends time on them. SSH lateral movement turns a compromised workstation from a source of secrets into a pivot point.
The target set explains the choices. Crypto and DeFi developers may hold wallet material or project credentials. AI developers may work in repos wired to cloud APIs and model providers. Open-source maintainers may have GitHub tokens, package publishing rights, or CI/CD access. A developer laptop is often less monitored than production infrastructure but can hold keys to both.
What not to overclaim#
The available reporting does not give a confirmed victim count. It does not establish that all listed packages achieved meaningful installs, that every persistence method worked, or that the AI-instruction angle led to successful secret theft through assistant execution.
It also should not be collapsed into the unrelated Android ad-fraud campaign that shared the TrapDoor name. Naming collisions happen in threat reporting. The technical details here point to a developer supply-chain operation across package registries, not a mobile ad fraud cluster.
The strongest supported claim is that the actor coordinated package publication across multiple ecosystems and used ecosystem-native execution paths to steal developer secrets. The more forward-looking claim, still important, is that attackers are probing AI coding workflows as part of the software supply chain.
What teams should check now#
Teams using npm, PyPI, or Crates.io should first search dependency manifests, lockfiles, local package caches, CI logs, and developer workstations for the package names identified by Socket and The Hacker News. Two names visible in the source material are crypto-credential-scanner and prompt-engineering-toolkit, but defenders should use the full indicator list from Socket where available rather than relying on partial examples.
Practical checks:
- Review recent installs and builds since May 22, 2026, especially in crypto, DeFi, Solana, Sui, Move, and AI-related projects.
- Inspect package lifecycle execution: npm
postinstall, Python import behavior, and Rustbuild.rsscripts. - Hunt for unexpected
.cursorrules,CLAUDE.md, Git hooks, shell startup changes, cron entries, systemd services, and SSH configuration changes. - Rotate exposed GitHub, AWS, cloud, wallet, SSH, and package publishing credentials if a suspected package ran locally or in CI.
- Check GitHub audit logs, cloud API logs, and SSH access patterns for validation attempts or lateral movement after installation time.
- Treat AI assistant instruction files in pull requests as executable influence, not harmless documentation.
The defensive lesson is not “never use open source.” It is that package review can no longer stop at the package name or README. Build scripts, install hooks, import-time behavior, remote payload loading, repo-level assistant instructions, and CI execution context all belong in the trust model.
TrapDoor is a credential theft campaign. It is also a reminder that the developer workstation has become a production-adjacent asset. If it can publish code, reach cloud APIs, sign commits, open SSH sessions, or guide an AI agent, it is part of the supply chain.