The Bottom Line:
– TrapDoor campaign distributes credential-stealing malware across npm, PyPI, and Crates.io.
– Over 34 malware-infected packages in 384 versions identified.
– Targets: developers in crypto, DeFi, Solana, and AI sectors.
– Malware steals secrets, wallets, SSH keys, and cloud credentials.
A large-scale cyberattack campaign named TrapDoor has infiltrated multiple package manager platforms and distributed malware to steal access credentials. The attack encompasses over 34 malicious packages in more than 384 versions and targets developers in crypto, DeFi, Solana, and AI communities.
A coordinated supply-chain attack codenamed TrapDoor has compromised the package manager ecosystems npm, PyPI, and Crates.io. The campaign comprises over 34 malicious packages distributed across more than 384 different versions.
The first documented activity occurred on May 22, 2026 at 20:20 UTC, when a group of accounts released fresh packages in waves, in rapid succession, across all ecosystems.
According to security platform Socket, TrapDoor specifically targets developers in the areas of cryptocurrencies, decentralized finance (DeFi), Solana, and artificial intelligence. The malicious packages were designed to steal sensitive developer secrets, including:
– Cryptocurrency wallets
– SSH keys
– Cloud login credentials
– Browser information
– Environment variables
Particularly concerning is the common payload named “trap-core,” which is deployed in multiple npm packages. This JavaScript component scans systems for credentials, checks AWS and GitHub tokens, attempts lateral movement via SSH, and establishes persistence on compromised systems.
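One way to triage an npm project against the timeline above, as an added example that is not from the article or from Socket: it walks a `package-lock.json` (lockfileVersion 2 or 3) and flags dependency versions published at or after the first documented activity, using the `time` field of npm registry metadata. All package names, timestamps and the denylist entry are constructed placeholders, since the article lists no package names, and the check covers npm only.

```javascript
// Added example: every package name and timestamp below is constructed.
// First documented TrapDoor activity, as stated in the article.
const CAMPAIGN_START = Date.parse("2026-05-22T20:20:00Z");
const MARKER = "node_modules/";

// List registry-installed packages from a package-lock.json (lockfileVersion 2 or 3).
function lockedPackages(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(MARKER);
    if (idx === -1 || !meta.version) continue; // root project, workspaces, links
    // The slice handles nested installs and scoped names; meta.name covers aliases.
    out.push({ name: meta.name || path.slice(idx + MARKER.length), version: meta.version,
               hasInstallScript: Boolean(meta.hasInstallScript) });
  }
  return out;
}

// registryTimes maps name -> the "time" object of that package's registry metadata.
// denylist holds names taken from an advisory (the article lists none).
function triage(lock, registryTimes, denylist = new Set()) {
  const findings = [];
  for (const pkg of lockedPackages(lock)) {
    const published = Date.parse((registryTimes[pkg.name] || {})[pkg.version]);
    const reasons = [];
    if (denylist.has(pkg.name)) reasons.push("denylisted-name");
    if (Number.isNaN(published)) reasons.push("publish-time-unknown");
    else if (published >= CAMPAIGN_START) reasons.push("published-in-campaign-window");
    // Install scripts run code at install time, so review these hits first.
    if (reasons.length && pkg.hasInstallScript) reasons.push("has-install-script");
    if (reasons.length) findings.push({ ...pkg, reasons });
  }
  return findings;
}

const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-pad-example": { version: "1.3.0" },
  "node_modules/@example-scope/wallet-utils": { version: "2.0.1", hasInstallScript: true },
  "node_modules/left-pad-example/node_modules/tiny-dep-example": { version: "0.4.2" },
  "node_modules/placeholder-bad-package": { version: "9.9.9" },
} };
const SAMPLE_TIMES = {
  "left-pad-example": { "1.3.0": "2024-03-01T10:00:00Z" },
  "@example-scope/wallet-utils": { "2.0.1": "2026-05-22T21:05:00Z" },
  "tiny-dep-example": { "0.4.2": "2026-05-22T20:19:59Z" },
  "placeholder-bad-package": { "9.9.9": "2025-01-01T00:00:00Z" },
};
const SAMPLE_DENYLIST = new Set(["placeholder-bad-package"]);
console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_TIMES, SAMPLE_DENYLIST), null, 2));
```

A hit here means the version needs review, not that it is malicious; many legitimate releases fall in the same window.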