What Happened
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of
Why It Matters
According to the report, the TrapDoor campaign is a coordinated cross-ecosystem software supply chain attack that plants over 34 malicious packages across npm, PyPI, and Crates.io to steal developer credentials, crypto wallets, cloud keys, and other secrets, with tailored lures for crypto, DeFi, Solana, and AI tooling communities.[1][4] The attackers use ecosystem-specific execution paths (npm postinstall, Python import-time execution, Rust build.rs) and persistence mechanisms (cron, systemd, Git hooks, SSH lateral movement) to harvest secrets at scale and exfiltrate them via attacker-controlled infrastructure.[1][3][4] Notably, TrapDoor embeds hidden instructions in files such as .cursorrules and CLAUDE.md using zero-width characters to poison AI coding assistants like Cursor and Claude, coercing them into running fake 'security scans' that leak local credentials, making this both a software and AI supply chain compromise.[1][3][4] From a CyberSE.AI perspective, this highlights the need for SBOM-driven dependency governance, AI-aware supply chain controls, and continuous red teaming of AI-assisted developer workflows to detect prompt-injection-style config poisoning and prevent au
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
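An added example, not taken from the report or the source article: a Python check for the zero-width-character technique described under Why It Matters. It scans files named .cursorrules and CLAUDE.md for invisible Unicode format characters and reports their position. It goes beyond zero-width characters to the whole Unicode "Cf" category, and the function names and sample text are constructed for illustration.

```python
import unicodedata
from pathlib import Path

# File names the page names as poisoned; extend for other assistants' config files.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}

def is_invisible(ch: str) -> bool:
    """True for Unicode format characters (category Cf): zero-width space and
    joiners, word joiner, bidi controls, tag characters. They render as nothing."""
    return unicodedata.category(ch) == "Cf"

def find_hidden_runs(text: str, min_run: int = 1):
    """Return (line, column, codepoints) for each run of invisible characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            run = line[start:col]
            # A single U+FEFF at the very start of the file is a byte-order mark.
            if lineno == 1 and start == 0 and run == "\ufeff":
                continue
            if len(run) >= min_run:
                findings.append((lineno, start + 1, [f"U+{ord(c):04X}" for c in run]))
    return findings

def scan_tree(root: str):
    """Scan every target-named file under root; return {path: findings} for hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGET_NAMES:
            hits = find_hidden_runs(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: a rules file with zero-width characters hidden after visible text.
SAMPLE = "Use 4-space indentation.\nPrefer pytest.\u200b\u200c\u200d\u2060\nKeep functions small.\n"

if __name__ == "__main__":
    for lineno, col, cps in find_hidden_runs(SAMPLE):
        print(f"line {lineno}, col {col}: {len(cps)} invisible chars {cps}")
```

Emoji joiners and some right-to-left scripts legitimately use these characters, so treat a hit in an assistant rules file as a reason to inspect the raw bytes, not as proof of compromise.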
Source
https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html