Updated · The Hacker News · May 25
TrapDoor Spreads 34 Malicious Packages Across 3 Repositories, Stealing Developer Credentials

8 articles · Updated · The Hacker News · May 25
  • More than 34 malicious packages spanning 384-plus versions hit npm, PyPI and Crates.io in coordinated waves starting May 22, targeting crypto, DeFi, Solana and AI developers.
  • Socket said the packages steal secrets, wallets, SSH keys, cloud credentials and browser data through ecosystem-specific execution paths: npm postinstall hooks, Python import-time code and Rust build.rs scripts.
  • Several npm packages deploy trap-core.js to validate AWS and GitHub tokens, move laterally over SSH and persist via cron, systemd, Git hooks, shell hooks, .cursorrules and CLAUDE.md files.
  • Python packages fetch remote JavaScript from an attacker-controlled GitHub Pages site, while Rust crates exfiltrate encrypted keystore data to GitHub Gists, letting operators update behavior without republishing.
  • GitHub pull requests against projects including LangChain and Langflow suggest the campaign also probes AI-assisted developer workflows, extending beyond package registries into open-source contribution channels.
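The execution points and persistence files named in the summary above can be inventoried in a checked-out project before anything is installed or built. The Python below is an added example, not code from Socket or the original reporting; the function names and the sample tree are constructed, and it assumes the project is available on disk. It lists items for manual review rather than detecting TrapDoor, and it does not cover Python import-time code.

```python
import json
import os
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall")  # lifecycle scripts npm runs on install
AGENT_FILES = {".cursorrules", "CLAUDE.md"}           # assistant instruction files named above

def inventory(root):
    """Return sorted (kind, relative path, detail) tuples for manual review."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        rel = here.relative_to(root)
        if "package.json" in files:
            try:
                manifest = json.loads((here / "package.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):  # unreadable or malformed manifest
                manifest = {}
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            for hook in NPM_HOOKS:
                if isinstance(scripts, dict) and hook in scripts:
                    findings.append(("npm-lifecycle", (rel / "package.json").as_posix(), f"{hook}: {scripts[hook]}"))
        if "build.rs" in files and "Cargo.toml" in files:
            findings.append(("cargo-build-script", (rel / "build.rs").as_posix(), "compiled and run by cargo build"))
        if here.name == "hooks" and here.parent.name == ".git":
            for name in files:
                if not name.endswith(".sample"):  # Git ships inactive *.sample templates
                    findings.append(("git-hook", (rel / name).as_posix(), "runs on the matching git operation"))
        for name in AGENT_FILES.intersection(files):
            findings.append(("agent-instructions", (rel / name).as_posix(), "read by AI coding assistants"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample project (not campaign data) to exercise inventory()."""
    layout = {
        "node_modules/left/package.json": json.dumps({"name": "left", "scripts": {"test": "jest"}}),
        "node_modules/right/package.json": json.dumps({"name": "right", "scripts": {"postinstall": "node setup.js"}}),
        "vendor/crate-a/Cargo.toml": "[package]\nname = \"crate-a\"\n",
        "vendor/crate-a/build.rs": "fn main() {}\n",
        ".git/hooks/pre-commit": "#!/bin/sh\n",
        ".git/hooks/pre-push.sample": "#!/bin/sh\n",
        "CLAUDE.md": "# project notes\n",
    }
    for path, body in layout.items():
        target = Path(root, path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    print(*inventory("."), sep="\n")
```

A finding is not evidence of compromise: legitimate packages use lifecycle scripts and build scripts too, so the output is a review list to diff against a known-good baseline.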

TrapDoor Supply Chain Breach: AI and Crypto Projects Threatened by 34 Malicious Packages in npm, PyPI, and Rust Registries

Overview

In May 2026, the TrapDoor campaign emerged as a sophisticated, large-scale supply chain attack on the software development ecosystem. By embedding malicious code in widely used packages, it created a severe and immediate threat to both cryptocurrency and AI projects. The attack was first flagged by security firm Socket and traced back to a significant GitHub breach, in which an attacker used deceptive pull requests to inject poisoned configuration files into major open-source AI projects. The risk now extends across the entire industry and highlights the urgent need for vigilant security practices and rapid response.

...