TrapDoor Strikes npm, PyPI, and Crates.io with Cross-Ecosystem Credential-Stealing Malware

A coordinated TrapDoor campaign targets npm, PyPI, and Crates.io, distributing 34 malicious packages across hundreds of versions to steal developer secrets, crypto wallets, SSH keys, cloud credentials, and environment data. npm payloads run trap-core.js to harvest credentials and establish persistence via cron, systemd, Git hooks, and SSH lateral movement; Rust crates search keystores and exfiltrate data to GitHub Gists; Python packages auto-execute on import and fetch a remote JavaScript payload executed via node -e. The attack also hides instructions in .cursorrules and CLAUDE.md to trick AI tools through PRs, signaling an evolution of developer-workflow attacks across multiple ecosystems.
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO (The Hacker News)
- Mini Shai-Hulud Returns: 42 Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack (Endor Labs Blog)
- Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft (Microsoft)
- Researchers flag TrapDoor malware campaign targeting crypto developer environments including Aptos, Sui and Solana (The Block)
- Crypto hiring scams are turning developer tools into wallet drains (Startup Fortune)
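
A defender-side check for the PyPI behaviour summarized above (packages that execute on import and hand JavaScript to node -e), added here as an example and not taken from the original article or any vendor tooling: it parses a package's Python source without running it and reports node -e launches that are reachable at import time. The function names, the constructed sample source, and the inclusion of node's --eval long form are assumptions of this example.

```python
import ast
import re

SHELL_FORM = re.compile(r"\bnode(\.exe)?\s+(-e|--eval)\b")

def _spawns_node_eval(call):
    """True if the call's arguments carry node -e as argv items or a shell string."""
    values = call.args + [k.value for k in call.keywords]
    strings = [n.value for v in values for n in ast.walk(v)
               if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    argv = (any(s == "node" or s.endswith("/node") for s in strings)
            and any(s in ("-e", "--eval") for s in strings))
    return argv or any(SHELL_FORM.search(s) for s in strings)

def _walk_executed(node):
    """Yield nodes that run when `node` runs; bodies of nested defs do not."""
    for child in ast.iter_child_nodes(node):
        yield child
        if not isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            yield from _walk_executed(child)

def find_import_time_node_eval(source, filename="<constructed>"):
    """Return sorted line numbers of node -e launches reachable at import time."""
    tree = ast.parse(source, filename)
    funcs = {n.name: n for n in ast.walk(tree)
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    hits, seen, queue = set(), set(), [tree]
    while queue:
        for n in _walk_executed(queue.pop()):
            if not isinstance(n, ast.Call):
                continue
            if _spawns_node_eval(n):
                hits.add(n.lineno)
            # Follow import-time calls into functions defined in the same file.
            name = getattr(n.func, "id", None)
            if name in funcs and name not in seen:
                seen.add(name)
                queue.append(funcs[name])
    return sorted(hits)

# Constructed sample of a package __init__.py; it is parsed, never executed.
SAMPLE_INIT = '''\
import subprocess
def _bootstrap():
    js = "1 + 1"
    subprocess.run(["node", "-e", js])
def helper():
    subprocess.run("node -e 1", shell=True)
_bootstrap()
'''
```

Calling find_import_time_node_eval(SAMPLE_INIT) flags only the launch inside _bootstrap(), because helper() is defined but never called during import.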