Verify a decision

{"actor":"system:backfill","investigation_id":"56eb1ee0-9db3-408e-9230-533176068d1b","kind":"publish","page_slug":"trapdoor-supply-chain-attack","published_at":"2026-05-26T18:30:19.069Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TrapDoor Supply Chain Attack","sections":[{"content":"TrapDoor is a coordinated, multi-ecosystem software supply chain attack campaign detected by security firm Socket in May 2026. The campaign spans npm (21 packages), PyPI (7 packages), and Crates.io (6 packages), totaling more than 34 malicious packages across 384+ published versions. The earliest confirmed artifact is the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, though analysis of confirmed artifacts suggests the actual campaign start date may be May 19, 2026. Packages were published in coordinated waves from a cluster of attacker-controlled accounts across all three registries. The campaign is attributed to infrastructure operated under the GitHub account ddjidd564. Socket's automated detection flagged packages with a median detection time of 5 minutes 56 seconds, with the fastest detection occurring 58 seconds after publication. As of the time of reporting (May 25–26, 2026), the campaign remained active.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"}]},{"content":"The campaign distributed malicious packages across three major open-source registries. On npm, 21 packages were published, with examples including token-usage-tracker, wallet-security-checker, defi-env-auditor, prompt-engineering-toolkit, llm-context-compressor, dev-env-bootstrapper, async-pipeline-builder, crypto-credential-scanner, and solidity-deploy-guard. On PyPI, 7 packages were distributed, including eth-security-auditor, cryptowallet-safety, defi-risk-scanner, and defi-threat-scanner. On Crates.io, 6 packages were published, including sui-move-build-helper, move-compiler-tools, and move-analyzer-build. All packages were designed to impersonate legitimate development utilities, security auditing tools, and build helpers — naming conventions deliberately chosen to appeal to developers working in crypto, DeFi, Solana, and AI/LLM development environments.","heading":"Targeted Ecosystems and Package Distribution","severity":"critical","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":2,"name":"TrapDoor Malware Hits npm, PyPI & Crates.io, Steals Crypto Wallets & SSH Keys — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/25/trapdoor-malware-hits-npm-pypi-crates-io-steals-crypto-wallets-ssh-keys/"},{"credibility":2,"name":"Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/supply-chain-trapdoor-malware/"}]},{"content":"The campaign's shared npm payload — trap-core.js, a 1,149-line, 48,485-byte JavaScript file — is the core credential-theft engine. The malware harvests a broad range of developer secrets: SSH private keys (subsequently used for lateral movement into CI/CD and deployment infrastructure), AWS credentials, GitHub tokens, browser profile data and login databases, environment variables and API keys, and cryptocurrency wallet data. Targeted crypto wallets span Sui, Solana, Aptos, Coinbase, Binance, Brave, and MetaMask. The npm payload additionally validates stolen credentials in real-time against AWS and GitHub APIs before exfiltration, confirming credential viability before transmission. Rust/Crates.io packages use a malicious build.rs script to search local keystores, encrypt harvested data with a hardcoded XOR key (cargo-build-helper-2026), and exfiltrate the ciphertext to GitHub Gists. PyPI packages execute malicious code on import, downloading the shared JavaScript payload from the attacker's GitHub Pages domain (ddjidd564.github.io) and executing it locally via Node.js — a technique designed to keep the malicious logic off PyPI's own servers and allow payload updates post-publication.","heading":"Malware Capabilities and Data Harvesting","severity":"critical","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"},{"credibility":2,"name":"TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning — Phoenix Security","type":"research","url":"https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/"}]},{"content":"A novel and technically significant component of the TrapDoor campaign involves the weaponization of AI coding assistant configuration files. The campaign plants hidden malicious instructions inside .cursorrules files (parsed by the Cursor IDE) and CLAUDE.md files (parsed by Claude Code and similar tools) using zero-width Unicode steganography. Specifically, the attacker embeds directives using Unicode characters U+200B (zero-width space), U+200C (zero-width non-joiner), U+200D (zero-width joiner), and U+FEFF (byte-order mark / zero-width no-break space). These characters are invisible in standard text editors and code review interfaces but are processed by AI assistants. The hidden directives instruct the AI to perform what appears to be a legitimate 'security scan' but is in fact a data exfiltration routine targeting SSH keys, AWS credentials, GitHub tokens, browser profiles, and crypto wallets. The attacker's GitHub Pages repository contained design documentation describing the technique as a 'Universal AI Agent Extraction Framework.' To propagate these poisoned configuration files into widely-used codebases, the attacker (GitHub account ddjidd564) opened pull requests against prominent open-source AI and LLM projects under the pretense of adding development standards documentation, using PR titles such as 'docs: add .cursorrules with dev standards and build verification.' Each PR referenced ddjidd564.github.io/defi-security-best-practices/config.json. Targeted repositories included browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands. GitHub's interface detected and flagged the files as containing hidden or bidirectional Unicode text, though the social engineering vector of a documentation PR represents a persistent threat to projects with high contributor volume. Defenders can scan for poisoned configuration files using: grep -rP '[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}]' . --include='.cursorrules'","heading":"AI Coding Assistant Poisoning via .cursorrules and CLAUDE.md","severity":"critical","sources":[{"credibility":2,"name":"TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning — Phoenix Security","type":"research","url":"https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/"},{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"}]},{"content":"The trap-core.js npm payload implements multi-layer persistence on compromised developer machines. Persistence mechanisms include systemd service installation, cron job injection, Git hook modification, and shell configuration file hooks (e.g., .bashrc, .zshrc). SSH keys harvested from infected machines are subsequently repurposed by the attacker to execute automated lateral movement, transforming individual developer workstations into persistent access points for broader corporate and cloud network intrusion. This lateral movement capability is particularly dangerous given that developer machines in crypto and DeFi environments frequently have elevated access to deployment infrastructure, CI/CD pipelines, and production smart contract wallets.","heading":"Persistence and Lateral Movement","severity":"critical","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"}]},{"content":"The campaign infrastructure is centralized around the GitHub account ddjidd564. The attacker hosted payload delivery and configuration on the domain ddjidd564.github.io, with the primary payload server at ddjidd564.github.io/defi-security-best-practices/. A campaign marker, P-2024-001, appears consistently across components. The attacker created eight additional GitHub repositories under this account, including lure projects themed around AI and DeFi security (env-security-scanner, smart-contract-audit-toolkit, defi-profit-scanner) and malware infrastructure documentation files (AUDIT-MATRIX.md, BYPASS.md, PAYLOAD.md, SWARM.md — the last suggesting a potential botnet or swarm-based architecture). Additional attacker-controlled publishing accounts include npm user asdxzxc and PyPI users asdmini67 and dae5411. No prior attribution to a known threat actor group has been publicly established. The campaign shares a name with an unrelated Android ad-fraud campaign from a prior period; researchers have confirmed no connection between the two.","heading":"Attacker Infrastructure and Attribution","severity":"high","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":2,"name":"TrapDoor Supply Chain Attack Actively Exploiting npm, PyPI, and CratesIO — Rescana","type":"research","url":"https://www.rescana.com/post/trapdoor-supply-chain-attack-actively-exploiting-npm-pypi-and-cratesio-to-steal-developer-credentials-in-crypto-defi-sol"}]},{"content":"Key indicators of compromise (IOCs) identified by researchers include the following. Network infrastructure: ddjidd564.github.io and ddjidd564.github.io/defi-security-best-practices/. Payload file: trap-core.js (48,485 bytes, SHA details not publicly released at time of reporting). XOR encryption key (Crates.io payloads): cargo-build-helper-2026. Campaign marker string: P-2024-001. Attacker GitHub account: ddjidd564. Attacker npm account: asdxzxc. Attacker PyPI accounts: asdmini67, dae5411. Filesystem artifacts: .cursorrules or CLAUDE.md files containing zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF). Persistence artifacts: unexpected entries in crontab, systemd services, Git hooks, or shell configuration files. Package name patterns: packages with names suggesting security scanning, audit, DeFi risk analysis, or developer environment bootstrapping published to npm, PyPI, or Crates.io shortly after May 19, 2026.","heading":"Indicators of Compromise","severity":"high","sources":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":2,"name":"TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning — Phoenix Security","type":"research","url":"https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/"}]},{"content":"No specific victim organizations or confirmed financial losses have been publicly reported as of May 26, 2026. The campaign's scope — 34 packages, 384+ versions, targeting crypto wallet keys for Sui, Solana, and Aptos networks alongside AWS and GitHub credentials — suggests the potential for significant downstream financial and infrastructure impact if any packages were installed in production developer environments. The targeting of CI/CD-adjacent developer machines and the SSH-based lateral movement capability means that a single compromise could cascade into broader infrastructure access. The PR campaign against LangChain, LlamaIndex, MetaGPT, OpenHands, and browser-use represents an attempted downstream poisoning of projects with large developer user bases.","heading":"Scope and Impact","severity":"high","sources":[{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"},{"credibility":2,"name":"TrapDoor attack targets crypto wallets, AWS keys and GitHub tokens — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/trapdoor-attack-targets-crypto-wallets-aws-keys-and-github-tokens/"},{"credibility":2,"name":"TrapDoor Malware Steals Crypto Wallet Keys From Developers — Bitcoin Foundation","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/trapdoor-malware/"}]}],"sources_used":[{"credibility":2,"name":"TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages — Socket","type":"research","url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":1,"name":"TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"},{"credibility":2,"name":"TrapDoor Malware Hits npm, PyPI & Crates.io, Steals Crypto Wallets & SSH Keys — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/25/trapdoor-malware-hits-npm-pypi-crates-io-steals-crypto-wallets-ssh-keys/"},{"credibility":2,"name":"TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning — Phoenix Security","type":"research","url":"https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/"},{"credibility":2,"name":"Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/supply-chain-trapdoor-malware/"},{"credibility":2,"name":"TrapDoor Supply Chain Attack Actively Exploiting npm, PyPI, and CratesIO — Rescana","type":"research","url":"https://www.rescana.com/post/trapdoor-supply-chain-attack-actively-exploiting-npm-pypi-and-cratesio-to-steal-developer-credentials-in-crypto-defi-sol"},{"credibility":2,"name":"TrapDoor attack targets crypto wallets, AWS keys and GitHub tokens — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/trapdoor-attack-targets-crypto-wallets-aws-keys-and-github-tokens/"},{"credibility":2,"name":"TrapDoor Malware Steals Crypto Wallet Keys From Developers — Bitcoin Foundation","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/trapdoor-malware/"},{"credibility":2,"name":"TrapDoor: 34 Malicious Packages Stole Crypto Wallet Keys and SSH Credentials Across npm, PyPI, and Crates.io — Prismor Security","type":"research","url":"https://prismor.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"credibility":2,"name":"Hackers Compromise 34 npm, PyPI, and Crates Packages in Major Supply Chain Attack — GBHackers","type":"news_article","url":"https://gbhackers.com/hackers-compromise-34-npm-pypi-and-crates-packages/"}],"summary":"TrapDoor is an active cross-ecosystem software supply chain attack campaign first observed on May 22, 2026, distributing credential-stealing malware across 34+ malicious packages and 384+ artifact versions on npm, PyPI, and Crates.io. The campaign targets crypto, DeFi, Solana, and AI developers to steal cryptocurrency wallet keystores, SSH keys, AWS credentials, GitHub tokens, and browser secrets. A novel component of the campaign plants hidden instructions inside .cursorrules and CLAUDE.md files — using zero-width Unicode steganography — to manipulate AI coding assistants such as Cursor and Claude Code into performing covert data exfiltration routines disguised as security scans.","timeline":[{"date":"2026-05-19","event":"Alleged earliest campaign activity based on artifact analysis, predating the first widely-reported date by three days.","source":"Socket research blog","source_url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"date":"2026-05-22","event":"First confirmed malicious package published: eth-security-auditor@0.1.0 on PyPI at 20:20:18 UTC. Coordinated wave publications begin across npm, PyPI, and Crates.io.","source":"Socket research blog","source_url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"date":"2026-05-22","event":"Attacker GitHub account ddjidd564 opens pull requests against browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands, submitting poisoned .cursorrules and CLAUDE.md files under the guise of documentation PRs.","source":"Phoenix Security research","source_url":"https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/"},{"date":"2026-05-22","event":"Socket detects campaign with median automated detection time of 5 minutes 56 seconds across 381 package versions; fastest single detection: 58 seconds post-publication.","source":"Socket research blog","source_url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"},{"date":"2026-05-25","event":"CryptoTimes and other outlets publish public reporting on the TrapDoor campaign. Total scope confirmed at 34+ packages and 384+ versions across three registries.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/05/25/trapdoor-malware-hits-npm-pypi-crates-io-steals-crypto-wallets-ssh-keys/"},{"date":"2026-05-25","event":"The Hacker News and CyberSecurityNews publish detailed technical breakdowns of the cross-ecosystem campaign, including the AI assistant poisoning component.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html"},{"date":"2026-05-26","event":"Campaign reported as still active. No registry-level takedown confirmations or law enforcement actions publicly announced.","source":"Multiple security outlets","source_url":"https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"}]},"v":1}