
Security researchers at Socket have uncovered an active supply chain attack that poisoned 34 packages and more than 384 versions across three major package registries — npm, PyPI, and Crates.io — in what appears to be one of the most broadly targeted credential theft campaigns seen this year.
Dubbed TrapDoor, the campaign has been quietly building since at least May 19, with attackers pushing wave after wave of malicious releases over the long weekend.
The packages appear harmless at first glance — names like token-usage-tracker, prompt-engineering-toolkit, eth-wallet-sentinel, and sui-sdk-build-utils read exactly like the kind of tools crypto, DeFi, AI, and security developers install without a second thought.
That calculated familiarity is the point.
Once installed, the packages get to work immediately. The npm variants fire during installation via postinstall hooks, executing a 1,149-line credential harvester called trap-core.js. The script doesn't just grab whatever's lying around — it actively validates stolen AWS and GitHub tokens through live API calls, filtering out expired credentials and prioritising the useful ones for the attacker.
The Crates.io packages take a different path. Malicious build.rs scripts — which run automatically during Rust compilation, before a developer even uses the package — search for local keystores, encrypt them using a hardcoded XOR key (cargo-build-helper-2026), and quietly ship the data to GitHub Gists.
The Python packages on PyPI go further still, fetching and executing a remote JavaScript payload via node -e at import time, letting the attacker update behaviour without touching the published package.
What TrapDoor steals is comprehensive: SSH keys, Sui, Solana, and Aptos wallet keystores, AWS credentials, GitHub tokens, browser profile and login databases, crypto wallet extension data, environment variables, and API keys.
But the campaign's most unusual angle is its AI-targeting capability. According to Socket, the npm payload plants .cursorrules and CLAUDE.md files — configuration files read by AI coding assistants like Cursor and Claude — and injects hidden instructions using zero-width Unicode characters.
The goal is to trick AI tools into running what appears to be a routine "security scan" that actually exfiltrates local secrets. The same attacker account, ddjidd564, also opened pull requests against major open-source AI projects, including LangChain, LlamaIndex, and browser-use, attempting to slip campaign-linked files into widely-used repositories under the guise of development standards documentation.
Socket detected the earliest TrapDoor package — eth-security-auditor on PyPI — within roughly two minutes of publication, and flagged subsequent releases at an average detection window of under six minutes.
What developers should do: Audit any recently installed packages matching the names listed in Socket's indicators of compromise. Check your projects for unexpected .cursorrules, CLAUDE.md, Git hooks, shell hooks, or new cron/systemd entries.
Rotate AWS credentials, GitHub tokens, and SSH keys if any of the listed packages were installed. Consider enabling lockfiles and dependency review workflows in CI/CD pipelines to catch unexpected registry activity before it reaches production environments.