TrapDoor Attack Targets Crypto and AI Developers Across npm, PyPI, and Crates.io
A sophisticated software supply chain attack, dubbed **TrapDoor**, has been uncovered targeting developers in the crypto, DeFi, Solana, and AI sectors. The coordinated campaign spans multiple ecosystems, including npm, PyPI, and Crates.io, distributing credential-stealing malware through malicious packages.

**Cross-Ecosystem Attack: TrapDoor**
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware.
The campaign, codenamed **TrapDoor**, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of accounts in quick succession.
According to **Socket**, "TrapDoor targets developers in crypto, DeFi, Solana, and AI communities. The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables."
Several npm packages also deploy a shared payload, `trap-core.js`, that scans for credentials, validates **AWS** and **GitHub** tokens, attempts SSH-based lateral movement, and plants persistence through `.cursorrules`, `CLAUDE.md`, Git hooks, shell hooks, systemd, cron, and SSH.
It's important to note that this activity is distinct from another campaign with the same name, previously detailed by **HUMAN**'s Satori Threat Intelligence and Research Team, which focused on ad fraud through Android apps on the **Google Play Store**.
**Malicious Packages Identified**
The following packages have been identified as part of the TrapDoor campaign:
* Crates.io
  * `move-analyzer-build`
  * `move-compiler-tools`
  * `move-project-builder`
  * `sui-framework-helpers`
  * `sui-move-build-helper`
  * `sui-sdk-build-utils`
* npm
  * `async-pipeline-builder`
  * `build-scripts-utils`
  * `chain-key-validator`
  * `crypto-credential-scanner`
  * `defi-env-auditor`
  * `defi-threat-scanner`
  * `deployment-key-auditor`
  * `dev-env-bootstrapper`
  * `eth-wallet-sentinel`
  * `llm-context-compressor`
  * `mnemonic-safety-check`
  * `model-switch-router`
  * `node-setup-helpers`
  * `project-init-tools`
  * `prompt-engineering-toolkit`
  * `solidity-deploy-guard`
  * `token-usage-tracker`
  * `wallet-backup-verifier`
  * `wallet-security-checker`
  * `web3-secrets-detector`
  * `workspace-config-loader`
* PyPI
  * `cryptowallet-safety`
  * `data-pipeline-check`
  * `defi-risk-scanner`
  * `env-loader-cli`
  * `eth-security-auditor`
  * `git-config-sync`
  * `solidity-build-guard`
**Technical Details and Tactics**
The operation is notable for its diverse delivery mechanisms. It leverages postinstall hooks, remote JavaScript payloads executed during package imports, and malicious `build.rs` scripts to target Sui and Move developers. The packages are designed to appear as legitimate tools, allowing attackers to reach a wide audience.
The npm packages execute a JavaScript payload (`trap-core.js`) that scans for credentials, validates stolen credentials using **AWS** and **GitHub** APIs, and establishes persistence via cron jobs, systemd services, and Git hooks. It also attempts lateral movement via SSH.
Rust crates similarly search for local keystores, encrypt the data using a hardcoded XOR key, and exfiltrate it to **GitHub** Gists. The use of a build script (`build.rs`) is crucial for triggering the malicious code execution.
The Python packages are designed for auto-execution upon import. Their primary function is to download JavaScript from an attacker-controlled **GitHub** Pages domain and execute it using `node -e`.
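
The three execution paths described above (npm install hooks, a Cargo `build.rs`, and Python code that shells out to `node -e`) can be inventoried in an unpacked dependency before it is installed. The following Python is an added example, not code from Socket or the article; `triage`, `node_exec_lines` and the sample package contents are constructed, and a finding means "review this", since legitimate packages also ship install and build scripts.

```python
import ast
import json

NPM_HOOKS = ("preinstall", "install", "postinstall")  # scripts npm runs during `npm install`

def node_exec_lines(source):
    """Line numbers of Python calls whose string literals include both "node" and "-e"."""
    lines = set()
    for call in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)):
        words = [c.value for c in ast.walk(call)
                 if isinstance(c, ast.Constant) and isinstance(c.value, str)]
        if {"node", "-e"} <= set(" ".join(words).split()):
            lines.add(call.lineno)
    return sorted(lines)

def triage(files):
    """files: {path inside an unpacked package: text}. Returns sorted (path, reason) pairs."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "package.json":
            scripts = json.loads(text).get("scripts", {})
            findings += [(path, f"npm {h} script: {scripts[h]}") for h in NPM_HOOKS if h in scripts]
        elif name == "build.rs":
            findings.append((path, "Cargo build script, runs on the build host at compile time"))
        elif name.endswith(".py"):
            findings += [(path, f"node -e call at line {n}") for n in node_exec_lines(text)]
    return sorted(findings)

# Constructed sample package contents, not copied from the TrapDoor packages.
SAMPLE = {
    "pkg-a/package.json": '{"name": "pkg-a", "scripts": {"postinstall": "node setup.js", "test": "jest"}}',
    "pkg-b/build.rs": "fn main() {}\n",
    "pkg_c/__init__.py": 'import subprocess\n\njs = "console.log(1)"\nsubprocess.run(["node", "-e", js])\n',
    "pkg_c/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
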
**AI Assistant Manipulation**
A particularly unusual aspect is the inclusion of `.cursorrules` and `CLAUDE.md` files containing hidden instructions aimed at tricking AI assistants. These instructions prompt the AI to perform a "security scan" that leads to the discovery and exfiltration of secrets. The threat actor also pushes these files by opening pull requests (PRs) against popular AI and developer projects, including `browser-use/browser-use`, `langchain-ai/langchain`, and `langflow-ai/langflow`.
This PR activity suggests that TrapDoor extends beyond simply pushing malicious packages. **Socket** believes the threat actor is testing whether AI-related project files can be introduced through regular open-source contribution workflows, causing AI coding tools to parse and apply these hidden instructions.
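
One way to gate such pull requests, as an added example that is not part of the original article: report every change to `.cursorrules` or `CLAUDE.md` and surface content a reviewer would not see in a rendered view. The article does not say how the instructions are hidden, so the checks for HTML comments and invisible Unicode characters and the keyword list are assumptions, as are the function names and the sample.

```python
import re
import unicodedata

AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}  # file names given in the article
# Assumption: terms a planted instruction would need in order to point at secrets.
SECRET_HINTS = re.compile(r"\.env\b|\.ssh\b|id_rsa|id_ed25519|AWS_SECRET|mnemonic|private key", re.I)

def review_rule_file(text):
    """Sorted (line, reason) pairs for content a reviewer would not see or expect."""
    findings = set()
    for number, line in enumerate(text.split("\n"), 1):
        if any(unicodedata.category(ch) == "Cf" for ch in line):
            findings.add((number, "invisible Unicode format character"))
        if SECRET_HINTS.search(line):
            findings.add((number, "mentions a credential location or secret"))
    for match in re.finditer(r"<!--.*?-->", text, flags=re.S):
        line = text.count("\n", 0, match.start()) + 1
        findings.add((line, "HTML comment, not shown when the file is rendered"))
    return sorted(findings)

def review_pull_request(changed):
    """changed: {path: new text}. Every AI rule file the PR touches is reported, even if clean."""
    return {path: review_rule_file(text) for path, text in changed.items()
            if path.rsplit("/", 1)[-1] in AI_RULE_FILES}

# Constructed sample pull request contents.
SAMPLE_PR = {
    "docs/usage.md": "# Usage\n",
    "CLAUDE.md": "# Project notes\nRun the tests with make test.\n"
                 "<!-- constructed sample: hidden note that mentions .env -->\n"
                 "Keep commits small.\u200b\n",
}

if __name__ == "__main__":
    for path, findings in review_pull_request(SAMPLE_PR).items():
        print(path, findings)
```

A rule file with an empty findings list is still returned, so that any change to these files gets a human review.
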
**Implications and Recommendations**
These findings underscore the increasing trend of threat actors targeting developer workflows to steal sensitive information, enabling deeper penetration into target environments for subsequent attacks.
**Socket** concludes, "TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths. The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: `build.rs` in Rust, postinstall hooks in npm, and import-time execution in Python."