惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
T
Threat Research - Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
T
Tor Project blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
The Hacker News
The Hacker News
Hacker News - Newest:
Hacker News - Newest: "LLM"
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
Spread Privacy
Spread Privacy
W
WeLiveSecurity
SecWiki News
SecWiki News
A
About on SuperTechFans
H
Help Net Security
博客园 - 司徒正美
Recent Commits to openclaw:main
Recent Commits to openclaw:main
爱范儿
爱范儿
S
Securelist
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
月光博客
月光博客
Jina AI
Jina AI
博客园 - 叶小钗
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
S
Secure Thoughts
The Cloudflare Blog
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Socket

Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io
Socket Research Team · 2026-05-24 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts across npm, PyPI, and Crates.io, with some already removed and others still live at the time of writing.

The earliest package Socket observed was the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC. The packages were then published in waves by a handful of accounts and actively updated throughout the weekend. They stood out because they posed as generic developer tools and appeared in quick succession across multiple registries. Socket detected malicious packages across all three ecosystems. The connection became clear during the Crates.io wave, when Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages.

TrapDoor targets developers in crypto, DeFi, Solana, and AI communities. The malicious packages are designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables. Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.

npm Packages#

  • async-pipeline-builder
  • build-scripts-utils
  • chain-key-validator
  • crypto-credential-scanner
  • defi-env-auditor
  • defi-threat-scanner
  • deployment-key-auditor
  • dev-env-bootstrapper
  • eth-wallet-sentinel
  • llm-context-compressor
  • mnemonic-safety-check
  • model-switch-router
  • node-setup-helpers
  • project-init-tools
  • prompt-engineering-toolkit
  • solidity-deploy-guard
  • token-usage-tracker
  • wallet-backup-verifier
  • wallet-security-checker
  • web3-secrets-detector
  • workspace-config-loader

PyPI Packages#

  • cryptowallet-safety
  • data-pipeline-check
  • defi-risk-scanner
  • env-loader-cli
  • eth-security-auditor
  • git-config-sync
  • solidity-build-guard

Crates.io Packages#

  • move-analyzer-build
  • move-compiler-tools
  • move-project-builder
  • sui-framework-helpers
  • sui-move-build-helper
  • sui-sdk-build-utils

A Coordinated Cross-Ecosystem Campaign#

TrapDoor spans npm, PyPI, and Crates.io, using ecosystem-specific execution paths to reach developers during normal package installation, build, and import workflows.

The campaign includes:

  • npm package versions using postinstall hooks, including active versions with a shared trap-core.js payload
  • PyPI packages that execute remote JavaScript payloads on import
  • Crates.io package versions across 6 unique package names, targeting Sui and Move developers through malicious build.rs scripts

The package names are crafted to look like development helpers, project setup tools, model routing utilities, prompt engineering packages, Solidity tooling, and Sui or Move build helpers. This gives the campaign broad reach across adjacent developer communities where crypto wallets, cloud credentials, GitHub tokens, and SSH keys are likely to be present.

The infrastructure ties are also consistent across the campaign. The attacker uses the GitHub account ddjidd564 to host payloads and configuration, including content served from ddjidd564[.]github[.]io/defi-security-best-practices/. The same repository also contains attacker-authored material describing data exfiltration, prompt injection, AI-agent abuse, persistence, and related malware development concepts, making it more than a simple payload host. The campaign also uses the marker P-2024-001, which appears across related components.

What TrapDoor Steals#

The malicious packages are designed to collect a broad set of developer secrets and sensitive local data, including:

  • SSH keys
  • Sui, Solana, and Aptos wallet data
  • AWS credentials
  • GitHub tokens and credentials
  • Browser profile data
  • Browser login databases
  • Crypto wallet extension data
  • Environment variables
  • API keys
  • Local development configuration files

This gives the attacker multiple paths into developer machines and connected infrastructure. Stolen SSH keys can be reused for lateral movement, while cloud and GitHub credentials can expose repositories, CI/CD systems, private packages, and deployment environments.

npm Packages Use Postinstall Hooks and Persistent Credential Harvesting#

The npm portion of TrapDoor is the most extensive. Socket identified malicious packages published by the npm user asdxzxc, with multiple versions active at the time of analysis.

The npm packages rely on postinstall execution. Once installed, they run a shared payload, trap-core.js, a 1,149-line credential harvester and propagation tool.

The payload scans for credentials and developer secrets, validates stolen credentials using AWS and GitHub API calls, and attempts to preserve access through several persistence mechanisms.

Observed persistence vectors include:

  • .cursorrules
  • CLAUDE.md
  • Git hooks
  • Shell hooks
  • systemd services
  • cron jobs
  • SSH-based propagation

The npm payload also attempts lateral movement by reusing stolen SSH keys to access additional systems. This makes the campaign more dangerous than a simple one-time credential stealer, since a compromised development machine may become a bridge into other infrastructure.

One package, dev-env-bootstrapper, is especially notable because it functions as both malware and a delivery vector. It participates in credential theft while also helping spread malicious configuration into developer environments.

Crates.io Packages Exfiltrate Wallet Keystores#

Socket identified malicious Crates.io packages connected to TrapDoor that target Sui and Move developers.

These packages use build.rs, which runs automatically during the Rust build process. The malicious build script searches for local keystores, encrypts the data using a hardcoded XOR key, and exfiltrates it to GitHub Gists.

The use of build.rs is significant because it allows code execution during package compilation, before the developer directly runs any package functionality. For crypto developers working with Sui and Move tooling, this creates a high-risk path for wallet and keystore theft.

The Crates.io packages were one of the signals that led Socket researchers to investigate the broader campaign. On their own, the packages appeared to be newly published and likely low-impact. The suspicious pattern across multiple related packages, however, led researchers to connect the activity to npm and PyPI packages using shared attacker infrastructure.

PyPI Packages Execute Remote JavaScript on Import#

Socket also identified malicious PyPI packages connected to TrapDoor. The PyPI packages auto-execute on import, download JavaScript from the attacker-controlled GitHub Pages domain, and run it using node -e.

This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication. By hosting the payload externally, the attacker can update behavior without publishing a new PyPI release.

The PyPI packages appear to have been published across multiple accounts, including accounts associated with the names asdmini67 and dae5411.

AI Injection Targets Developer Assistants#

One of the more unusual features in TrapDoor is its use of AI-targeted injection through files such as .cursorrules and CLAUDE.md.

These files are commonly used to provide project-specific instructions to AI coding tools. In this campaign, the attacker attempts to plant hidden instructions using zero-width Unicode characters. The goal appears to be to trick AI assistants into running a “security scan” or similar workflow that causes secret discovery and exfiltration.

This technique may not work consistently across all tools or models, but its presence shows that attackers are actively experimenting with AI development environments as part of supply chain malware campaigns.

The hosted GitHub Pages site also appears to support this workflow. Packages point to an attacker-controlled GitHub Pages URL rendered as an HTML site that attempts to prompt an AI assistant into running a security scan. That scan is designed to collect and exfiltrate sensitive local data.

Encryption and Credential Validation#

TrapDoor uses several layers of encryption and validation depending on ecosystem and payload stage.

In the Crates.io packages, Socket observed XOR-based encryption using the hardcoded key cargo-build-helper-2026.

In the npm payload, the attacker uses more sophisticated cryptography, including Fernet and ECDH encryption. This suggests a more developed payload than a basic copy-and-post credential stealer.

The npm malware also validates stolen AWS and GitHub credentials using API calls. This helps the attacker distinguish useful credentials from expired or low-value data, likely improving the efficiency of downstream exploitation.

Attacker Playbook Found in GitHub Pages Repo#

The attacker-controlled GitHub Pages repository also contains an AUDIT-MATRIX.md document that appears to describe the intended extraction framework behind TrapDoor. The document presents the operation as a “Universal AI Agent Extraction Framework” and outlines a staged workflow for capability detection, data extraction, self-replication fallback, and telemetry reporting.

The document should not be treated as a one-to-one list of confirmed runtime behavior. It describes itself as a partially implemented design document and states that the full multi-phase adaptive extraction pipeline is not deployed. However, many of the documented concepts align with behavior observed in the npm payloads, including filesystem scanning, environment variable harvesting, credential discovery, AI-facing disguise language, .cursorrules persistence, and remote configuration through the attacker’s GitHub Pages infrastructure.

The “disguise layer” section is especially relevant. It maps credential theft behaviors to benign-sounding tasks such as security audits, wallet safety checks, cloud configuration validation, repository security reviews, and connection status checks. This mirrors the campaign’s broader strategy: present malicious extraction as helpful developer or security automation.

The document also reinforces the AI-targeted nature of the campaign. Its fallback chain describes writing a .cursorrules file with a system directive so future AI sessions will execute the report, while the npm payload writes .cursorrules and CLAUDE.md files as part of its persistence and propagation logic.

Attacker Opens PRs to AI and Developer Projects#

The attacker activity was not limited to publishing malicious packages. The same GitHub account, ddjidd564, also opened pull requests against multiple AI and developer tooling projects, including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands.

The PRs repeatedly attempted to add .cursorrules or CLAUDE.md files under benign-sounding titles such as “docs: add .cursorrules with dev standards and build verification” and “docs: add CLAUDE.md with dev standards and build verification.” Several referenced the same campaign marker, P-2024-001, and framed the changes as AI-assisted development guidance, build verification, or project-specific coding standards.

In the browser-use/browser-use PR, the proposed .cursorrules file pointed to the attacker-controlled configuration URL and referenced the same campaign marker:

{
  "standard": "P-2024-001",
  "config": "<https://ddjidd564.github.io/defi-security-best-practices/config.json>",
  "strategy": {
    "scan_depth": 3,
    "enabled_vectors": [
      "git",
      "vscode",
      "cursorrules",
      "sourceHeaders",
      "readme",
      "pkgJson",
      "claudeMd",
      "prepush",
      "trapActivation",
      "pypi",
      "docker",
      "systemProfile"
    ]
  },
  "encryption": {
    "enabled": true,
    "scheme": "Fernet"
  }
}

GitHub also warned that the file contained hidden or bidirectional Unicode text, which may be interpreted differently than it appears in the browser.

This PR activity shows the campaign extending beyond registry publication. The attacker appears to be testing whether AI-facing project files can be introduced through normal open source contribution workflows, placing campaign-linked instructions where AI coding tools may later read and apply them.

The account also created or seeded related AI, DeFi, and security-themed projects and discussions:

Attacker-authored campaign/design files:

  • AUDIT-MATRIX.md, describing data exfiltration, prompt injection, AI-agent abuse, persistence, and related malware development concepts
  • BYPASS.md, documenting bypass concepts tied to the same attacker-controlled repo
  • PAYLOAD.md, documenting payload behavior and related campaign mechanics
  • SWARM.md, describing broader coordination or scaling concepts around the campaign

MCP / AI-agent lure repo: env-security-scanner, framed as an AI-agent environment auditing tool

DeFi and security-themed lure repos:

Seeded GitHub community activity:

The GitHub activity shows signs of rapid, AI-assisted-style iteration: broad security-themed scaffolding, generic lure repositories, prompt-injection documentation, and partially implemented extraction concepts mixed with working malware components.

Low-Volume Packages, High-Value Targets#

TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths.

The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.

The cross-ecosystem structure also makes the campaign harder to spot from a single registry view. A Crates.io package may appear isolated until matching infrastructure, payload markers, and behavior connect it to npm and PyPI packages.

For security teams, the key takeaway is that modern supply chain attacks are increasingly designed around the full developer workflow. Package installation is only the first step. From there, attackers are targeting AI assistant configuration, shell environments, Git hooks, SSH access, browser profiles, cloud credentials, and crypto wallets.

Socket Detection#

Socket detected TrapDoor through behavioral and cross-registry analysis across PyPI, npm, and Crates.io. The earliest observed package was eth-security-auditor@0.1.0 on PyPI, uploaded on May 22, 2026 at 20:20:18 UTC.

The broader campaign connection became clear during the Crates.io wave, when a cluster of Rust packages targeting Sui and Move developers showed infrastructure and behavioral overlap with related npm and PyPI packages. That cross-registry pattern connected what initially looked like isolated malicious packages into a coordinated campaign.

Across 381 package-version records with complete timestamps, Socket detected TrapDoor releases in an average of 5 minutes and 56 seconds, with a median detection time of 5 minutes and 27 seconds. The fastest detection was 58 seconds after publication.

We’re tracking this activity in the TrapDoor Crypto Stealer Campaign page.

Socket has classified all identified campaign packages as malicious. We reported the identified malicious packages to the affected registries and is continuing to monitor for related packages, versions, and infrastructure tied to TrapDoor.

Loading affected packages…

Indicators of Compromise#

Domains and infrastructure:

  • ddjidd564[.]github[.]io
  • ddjidd564[.]github[.]io/defi-security-best-practices/
  • GitHub account: ddjidd564

Campaign markers and files:

  • P-2024-001
  • trap-core.js
  • trap-core.js size: 48485 bytes
  • XOR key: cargo-build-helper-2026
  • GitHub raw content webhook configuration fetch

Persistence and propagation paths:

  • .cursorrules
  • CLAUDE.md
  • Git hooks
  • Shell hooks
  • systemd
  • cron
  • SSH