
TrapDoor package attack targets wallet data across chains


The TrapDoor package attack is a supply-chain operation that spread malicious packages across multiple package registries, including npm, PyPI and Crates.io. Researchers identified more than 34 malicious packages and hundreds of related versions and artifacts tied to the campaign. The campaign targeted developer workstations to steal wallet data for Solana, Sui and Aptos, and to exfiltrate SSH keys, GitHub tokens, cloud credentials and other developer access present on infected machines.

The TrapDoor campaign’s malicious components were written in JavaScript, Python and Rust and were published to multiple package registries including npm, PyPI and Crates.io. Attackers disguised the packages as developer helper tools, security scanners, wallet utilities, Solidity build guards, AI prompt packages and Move build helpers. Many packages used deliberately unremarkable names. The distribution strategy relied on presenting the code as legitimate developer tooling.

Payloads delivered by the packages were capable of stealing wallet data and exfiltrating a range of developer credentials. The malware could capture SSH keys, GitHub tokens, cloud credentials and passwords, and it included routines to test stolen AWS and GitHub tokens for validity. In some cases the campaign left behind files on infected machines to maintain access and persistence. Attackers also embedded project-specific instructions for AI coding tools using files such as .cursorrules and claude.md.

In the npm packages, the malware searched developer workstations for private keys, passwords, GitHub tokens and cloud logins and then attempted to use or validate those credentials. The code attempted lateral movement by using SSH keys to access other systems and by placing files to keep the infection active. The campaign planted hidden instructions using zero-width Unicode characters inside files to trigger fake security scans that exfiltrated secrets. The overall focus of the malware was to target developer workstations and their credentials.

The TrapDoor package attack specifically targets developers working in crypto, decentralized finance (DeFi), artificial intelligence (AI) and security. The campaign used fake tooling packages disguised as developer helpers, security scanners, wallet tools, Solidity utilities, AI prompt packages and Move build helpers, often with deliberately unremarkable names. These packages were distributed across multiple registries and presented as legitimate developer tooling to reach their intended user base.

The attack focused on developer workstations and on data and credentials stored there, including wallet files, SSH keys, GitHub tokens, cloud credentials, browser data and production access. The malware searched machines for private keys, passwords, GitHub tokens and cloud logins and aimed to exfiltrate those artifacts. The campaign sought repository access and other forms of production-level credentials present on infected hosts.

The same .cursorrules and claude.md instruction files gave the attackers a way to steer AI coding tools. The campaign also planted hidden instructions encoded with zero-width Unicode characters inside files, so that a fake "security scan" would run and exfiltrate secrets. Both techniques insert malicious directives into developer workflows and automated tooling.

Payload behavior included stealing wallet data, exfiltrating credentials and testing stolen AWS and GitHub tokens for validity. The malware left behind files on infected machines to maintain persistence and ongoing access. In several cases the npm components attempted lateral movement by using SSH keys to access other systems and by placing artifacts to keep the infection active.

TrapDoor is a sophisticated supply-chain campaign that propagated malicious packages across major package registries and targeted developer workstations. The campaign sought to exfiltrate developer credentials, wallets and other sensitive artifacts while using deceptive package disguises, hidden instructions for AI coding tools, and persistence files to maintain access. The technical characteristics of the operation underscore the security implications for developer tooling and dependency ecosystems.

By Crypto Fan, https://calipsu.com