A coordinated supply chain campaign tracked as TrapDoor has seeded more than 34 malicious packages — across 384-plus versions and artifacts — into npm, PyPI, and Crates.io, stealing developer credentials, crypto wallets, SSH keys, and cloud secrets. Socket published its analysis on May 24, 2026; The Hacker News corroborated it on May 25. The campaign is unrelated to the Android ad-fraud operation of the same name that HUMAN detailed last week.
What Happened
The earliest artifact Socket observed was the PyPI package [email protected], uploaded May 22, 2026 at 20:20 UTC. Packages then went up in waves from a cluster of accounts and were updated through the weekend. They pose as developer tooling — environment loaders, wallet checkers, build helpers, prompt-engineering kits — aimed squarely at developers in the crypto, DeFi, Solana, and AI communities, where wallets, cloud keys, GitHub tokens, and SSH keys are likely to sit on disk.
What ties the campaign together is shared infrastructure: a GitHub account, ddjidd564, hosts payloads and configuration at ddjidd564.github[.]io/defi-security-best-practices/, and the marker string P-2024-001 recurs across components.
Technical Details
TrapDoor uses a different execution path in each ecosystem, all of which fire during normal install, build, or import workflows.
npm is the most developed. Packages published by the user asdxzxc rely on postinstall hooks that run a shared 1,149-line payload, trap-core.js. It scans for credentials and developer secrets, validates stolen AWS and GitHub tokens via live API calls to weed out dead credentials, and attempts SSH-based lateral movement by reusing harvested keys. It uses Fernet and ECDH encryption — more sophisticated than a basic copy-and-post stealer — and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd services, and cron jobs. One package, dev-env-bootstrapper, doubles as both stealer and a delivery vector for malicious configuration.
Crates.io packages target Sui and Move developers through malicious build.rs scripts, which execute during cargo build — before a developer ever calls package code. They locate local keystores, XOR-encrypt the data with the hardcoded key cargo-build-helper-2026, and exfiltrate to GitHub Gists.
PyPI packages auto-execute on import, pull JavaScript from the attacker’s GitHub Pages domain, and run it with node -e. Hosting the payload remotely lets the attacker change behavior without publishing a new release.
The standout technique is AI-assistant injection. TrapDoor plants .cursorrules and CLAUDE.md files containing hidden instructions written with zero-width Unicode characters, designed to trick AI coding assistants into running a “security scan” that discovers and exfiltrates secrets. The attacker also opened pull requests against high-profile projects — including langchain-ai/langchain, langflow-ai/langflow, browser-use/browser-use, run-llama/llama_index, and OpenHands/OpenHands — under benign titles like “docs: add .cursorrules with dev standards.” GitHub flagged the files for hidden bidirectional Unicode. An AUDIT-MATRIX.md document in the attacker’s repo describes the operation as a “Universal AI Agent Extraction Framework,” mapping credential theft to benign-sounding tasks like “wallet safety checks” and “repository security reviews.”
Impact
Any machine that installed an npm package, built a Rust crate, or imported a Python module from this campaign should be treated as compromised, not merely exposed. Stolen SSH keys enable lateral movement; stolen cloud and GitHub credentials expose repositories, CI/CD systems, private packages, and deployment environments. The AI-injection vector adds a slower-burning risk: a planted .cursorrules or CLAUDE.md file can sit dormant in a repo until an AI assistant parses it later.
What To Do Now
Audit package-lock.json, requirements.txt/poetry.lock, and Cargo.lock against the package names below and block any matches. Treat affected hosts and CI runners as compromised: rotate AWS/cloud credentials, GitHub and npm tokens, SSH keys, and any crypto wallet keys reachable from those machines. Grep repositories for unexpected .cursorrules and CLAUDE.md files, and inspect them for zero-width or bidirectional Unicode — git diff and editors with “show invisibles” enabled will surface what a browser hides. Review any recent PRs that add AI-assistant config files. Check for persistence: rogue cron jobs, systemd units, Git hooks, and shell-rc modifications.
Indicators of Compromise
- GitHub account:
ddjidd564; payload host:ddjidd564.github[.]io/defi-security-best-practices/ - Campaign marker:
P-2024-001 - npm payload:
trap-core.js(48,485 bytes); publisher accountasdxzxc - Crates.io XOR key:
cargo-build-helper-2026; exfiltration via GitHub Gists - PyPI publisher accounts:
asdmini67,dae5411 - Persistence paths:
.cursorrules,CLAUDE.md, Git hooks, shell hooks,systemd,cron, SSH - Affected npm packages: async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader
- Affected PyPI packages: cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard
- Affected Crates.io packages: move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils