TrapDoor malware targets npm, PyPI and Crates.io
Packages on npm, PyPI and Crates.io contain TrapDoor malware that steals developer secrets, crypto wallets, SSH keys and cloud credentials.
Socket researchers found more than 34 malicious packages and over 384 published versions across npm, PyPI and Crates.io. The earliest observed activity occurred on May 22, 2026, at 8:20 p.m. UTC. Packages were published in waves from clusters of accounts and were made to resemble legitimate developer tools aimed at crypto, DeFi, Solana and AI developers.
On npm several packages deploy a shared JavaScript payload called trap-core.js. That payload scans hosts for credentials, validates stolen AWS and GitHub tokens using API calls, attempts SSH-based lateral movement and creates persistence with cron jobs, systemd services, Git hooks, shell hooks and planted files. Rust crates use malicious build.rs scripts that search for local keystores, encrypt harvested data with a hardcoded XOR key and exfiltrate results to GitHub Gists. Python packages are designed to auto-execute on import, download a JavaScript payload from an attacker-controlled GitHub Pages domain (ddjidd564.github[.]io) and run it via node -e. Hosting the payload externally allows the actor to change behavior without publishing new releases to the registries.
Identified package names include Crates.io entries such as move-analyzer-build, move-compiler-tools and sui-sdk-build-utils; npm packages including async-pipeline-builder, eth-wallet-sentinel, wallet-security-checker and web3-secrets-detector; and PyPI packages such as cryptowallet-safety and eth-security-auditor. The packages use postinstall hooks, remote script execution at import time and build script execution to trigger payload delivery and data theft.
The campaign also places files named .cursorrules and CLAUDE.md that contain hidden instructions intended to prompt AI coding assistants into running a “security scan” that would reveal secrets. The actor opened pull requests to projects including browser-use/browser-use, langchain-ai/langchain and langflow-ai/langflow to test whether ordinary contribution workflows could introduce those files and be parsed by developer-facing AI tools.
“TrapDoor targets developers in crypto, DeFi, Solana, and AI communities,” Socket researchers wrote. “The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.”
Socket researchers urged security teams and package maintainers to review recently published packages, monitor unusual postinstall or build activity and validate the provenance of tooling introduced into developer environments.
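The review Socket recommends can be partly automated. The script below is an added example (not Socket's tooling and not code from the campaign) that audits an unpacked package for the three trigger mechanisms the write-up names (npm lifecycle hooks that fetch or evaluate code, Python that shells out or reaches the network at import or setup time, Cargo `build.rs` scripts that spawn processes or use the network) and for `.cursorrules` / `CLAUDE.md` files shipped inside a package. It works on a `{relative path: file text}` mapping so it runs offline against the constructed sample trees embedded below; `load_tree()` builds that mapping from a real unpacked package directory. The regex patterns, the file and directory names it skips and the sample trees are assumptions made for this example.

```python
"""Audit an unpacked package for install-time execution hooks and AI-assistant
instruction files of the kind described in the TrapDoor write-up.
Added example; not Socket's tooling."""
import json
import os
import re
from typing import Dict, List, Tuple

# npm runs these scripts automatically during `npm install`.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Hook or script text that fetches or evaluates code instead of building locally.
REMOTE_EXEC = re.compile(
    r"node\s+-e|\bcurl\b|\bwget\b|https?://|\.github\.io|base64\s+(-d|--decode)", re.I)

# Import- or setup-time Python that reaches for a shell, eval/exec or the network.
PY_SUSPECT = re.compile(r"\b(subprocess|os\.system|urllib|requests|exec|eval)\b")

# Cargo build scripts that spawn processes or talk to the network.
RS_SUSPECT = re.compile(r"\b(Command::new|std::net|reqwest|ureq)\b")

# Files that carry instructions for developer-facing AI coding assistants.
AI_INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}

Finding = Tuple[str, str]  # (relative path, reason)


def audit_tree(files: Dict[str, str]) -> List[Finding]:
    """Return (path, reason) findings for a package given as {relative path: text}."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = os.path.basename(path)
        if name == "package.json":
            try:
                scripts = json.loads(text).get("scripts") or {}
            except (json.JSONDecodeError, AttributeError):
                findings.append((path, "package.json is not a JSON object"))
                continue
            for hook in NPM_LIFECYCLE:
                cmd = scripts.get(hook)
                if cmd is None:
                    continue
                verdict = "fetches or evaluates code" if REMOTE_EXEC.search(cmd) else "present, review"
                findings.append((path, f"{hook} hook {verdict}: {cmd!r}"))
        elif name in ("setup.py", "__init__.py"):
            if PY_SUSPECT.search(text) or REMOTE_EXEC.search(text):
                findings.append((path, "import/setup-time code uses a shell, exec or the network"))
        elif name == "build.rs":
            suspicious = RS_SUSPECT.search(text) or REMOTE_EXEC.search(text)
            verdict = "spawns processes or uses the network" if suspicious else "present, review"
            findings.append((path, f"build script {verdict}"))
        elif name in AI_INSTRUCTION_FILES:
            findings.append((path, "AI-assistant instruction file shipped inside the package"))
    return findings


def load_tree(root: str, max_bytes: int = 1_000_000) -> Dict[str, str]:
    """Read an unpacked package directory into the shape audit_tree() expects."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip dependency and build output trees; audit each dependency separately.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git", "target")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


# Constructed sample trees (not real packages): one benign, one shaped like the
# behaviours the write-up describes.
BENIGN_TREE = {
    "package.json": json.dumps({"name": "example-lib", "scripts": {"test": "jest"}}),
    "setup.py": "from setuptools import setup\nsetup(name='example-lib')\n",
    "README.md": "# example-lib\n",
}

SUSPICIOUS_TREE = {
    "package.json": json.dumps({"name": "example-wallet-checker",
                                "scripts": {"postinstall": "node -e \"require('./helper.js')\""}}),
    "pkg/__init__.py": "import subprocess\nsubprocess.run(['node', '-e', 'console.log(1)'])\n",
    "build.rs": "use std::process::Command;\nfn main() { let _ = Command::new(\"sh\").status(); }\n",
    "CLAUDE.md": "# Project notes\n",
}


if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SUSPICIOUS_TREE
    for path, reason in audit_tree(tree):
        print(f"{path}: {reason}")
```

Run it with the path of an unpacked tarball (`npm pack`, `pip download --no-deps` plus extraction, or `cargo package --list` output) to get a review list; a hook that is merely "present, review" is normal for many legitimate packages, so the useful signal is the combination of a lifecycle hook or build script that fetches or evaluates code with a crypto- or security-themed package name and a very recent first publication date.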