Socket uncovers TrapDoor campaign stealing keys and wallets via open source packages

Socket researchers say the TrapDoor campaign planted credential-stealing payloads in more than 34 packages and 384+ versions, targeting crypto and AI developers.

By ยท Published

Why it matters

Cross-ecosystem package attacks are getting more surgical. TrapDoor blends npm postinstall tricks, PyPI import-time execution, and Rust build.rs hooks to quietly reach AI and crypto developers where secrets live.

Screenshot showing token-usage-tracker  results page

Socket researchers reported an active cross-ecosystem supply chain attack dubbed TrapDoor, with more than 34 malicious packages and 384+ related versions spread across npm, PyPI, and Crates.io, according to a blog post.

The campaign targets developers in crypto, DeFi, Solana, and AI communities, aiming to exfiltrate SSH keys, cloud credentials, GitHub tokens, browser data, and wallet keystores. Socket said some npm packages shipped a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH. PyPI packages executed remote JavaScript on import, while Crates.io packages used malicious build.rs scripts to hit Sui and Move developers.

The packages appeared in quick succession starting May 22, 2026, posed as generic developer utilities (for example, names like prompt-engineering-toolkit, solidity-deploy-guard, and llm-context-compressor), and were published by several accounts. Socket noted consistent infrastructure ties, including payloads hosted on a GitHub Pages site tied to the handle ddjidd564 and a recurring marker labeled P-2024-001.

Socket said some packages have been removed while others remained live at the time of writing and published indicators of compromise. The firm framed TrapDoor as low-volume but high-value, tuned to reach developers during routine install, build, and import workflows across ecosystems.

Reader comments

Conversation for this story loads after sign-in.