TrapDoor Cross-Ecosystem Crypto Stealer Campaign

Executive Summary

TrapDoor is an active software supply-chain campaign reported by Socket on May 24, 2026, spanning npm, PyPI, and Crates.io packages aimed at crypto, DeFi, AI, and developer-security workflows Socket. Socket tracks more than 34 malicious packages and 384 or more related versions/artifacts, while OSV already lists several PyPI malicious-package records tied to the same 2026-05-eth-security-auditor campaign Socket OSV PyPI list.

The campaign is notable because each ecosystem gets a native execution path: npm postinstall hooks, PyPI import-time loaders that execute remote JavaScript, and Rust build.rs scripts that run during compilation Socket. The payloads target SSH keys, GitHub tokens, AWS and cloud credentials, browser data, environment variables, crypto wallet material, and AI assistant instruction surfaces such as .cursorrules and CLAUDE.md Socket GitHub repo.

Key Facts

threat_type: "cross-registry malicious package campaign"
ecosystem: "npm, PyPI, Crates.io"
registry: "npmjs.com, pypi.org, crates.io"
affected_packages:
  npm:
    - "async-pipeline-builder"
    - "build-scripts-utils"
    - "chain-key-validator"
    - "crypto-credential-scanner"
    - "defi-env-auditor"
    - "defi-threat-scanner"
    - "deployment-key-auditor"
    - "dev-env-bootstrapper"
    - "eth-wallet-sentinel"
    - "llm-context-compressor"
    - "mnemonic-safety-check"
    - "model-switch-router"
    - "node-setup-helpers"
    - "project-init-tools"
    - "prompt-engineering-toolkit"
    - "solidity-deploy-guard"
    - "token-usage-tracker"
    - "wallet-backup-verifier"
    - "wallet-security-checker"
    - "web3-secrets-detector"
    - "workspace-config-loader"
  pypi:
    - "cryptowallet-safety"
    - "data-pipeline-check"
    - "defi-risk-scanner"
    - "env-loader-cli"
    - "eth-security-auditor"
    - "git-config-sync"
    - "solidity-build-guard"
  crates:
    - "move-analyzer-build"
    - "move-compiler-tools"
    - "move-project-builder"
    - "sui-framework-helpers"
    - "sui-move-build-helper"
    - "sui-sdk-build-utils"
malicious_versions:
  - "env-loader-cli 0.1.0"
  - "env-loader-cli 0.1.1"
  - "eth-security-auditor 0.1.0"
  - "sui-framework-helpers 0.1.0"
known_good_versions: []
fixed_or_safe_versions: []
execution_trigger: "npm postinstall, Python import, Rust build.rs"
primary_impact: "developer secret theft, cloud credential theft, SSH lateral movement, crypto wallet theft, AI assistant instruction poisoning"
campaign_context: "active cross-ecosystem campaign tracked by Socket as TrapDoor"
confidence: "medium"
canonical_source: "https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"
last_verified: "2026-05-24"

Source Confidence & Evidence Mapping

• confirmed: Socket reports TrapDoor as a cross-ecosystem campaign across npm, PyPI, and Crates.io, with 34+ malicious packages and 384+ related versions/artifacts Socket.
• confirmed: OSV lists recent malicious PyPI package records for env-loader-cli, data-pipeline-check, git-config-sync, defi-risk-scanner, cryptowallet-safety, solidity-build-guard, and eth-security-auditor OSV PyPI list.
• confirmed: OSV record MAL-2026-4272 says env-loader-cli runs code during import to exfiltrate credentials, private keys, and sensitive data, and it lists affected versions 0.1.0 and 0.1.1 OSV MAL-2026-4272.
• confirmed: The attacker-controlled GitHub repository ddjidd564/defi-security-best-practices exists on the gh-pages branch and exposes directories and files matching Socket’s infrastructure reporting, including payloads, trap-core, .cursorrules, and CLAUDE.md GitHub repo.
• likely: The campaign scope will continue to change because Socket describes the activity as active and says some packages were already removed while others were still live at publication time Socket.
• unclear: No public source reviewed here proves real-world victim count, complete registry removal status, or actor attribution beyond the observed GitHub account and package publishers.

Attack Execution Flow

sequenceDiagram
    autonumber
    actor Attacker
    participant Registry as npm / PyPI / Crates.io
    participant Dev as Developer or CI Runner
    participant Host as Host Runtime
    participant Infra as ddjidd564 GitHub Pages / Gists

    Attacker->>Registry: Publish security, crypto, AI, and build-helper packages
    Registry->>Dev: Package is installed, imported, or built
    Dev->>Host: npm postinstall, Python import, or Rust build.rs executes
    Host->>Infra: Fetch config or payload from attacker-controlled infrastructure
    Host->>Host: Harvest credentials, wallets, browser data, and AI instruction surfaces
    Host->>Infra: Exfiltrate data or validate stolen credentials

Timeline

• 2026-05-22T20:20:18Z Socket’s earliest observed package, eth-security-auditor@0.1.0, is uploaded to PyPI Socket.
• 2026-05-22T20:22:04Z Socket reports the eth-security-auditor wheel publication time Socket.
• 2026-05-24T05:42:09Z OSV publishes MAL-2026-4272 for env-loader-cli OSV MAL-2026-4272.
• 2026-05-24 Socket publishes public TrapDoor campaign research Socket.
• 2026-05-24 This local feed check found no existing Halting Problems coverage for TrapDoor, ddjidd564, eth-security-auditor, env-loader-cli, sui-framework-helpers, trap-core.js, or ddjidd564.github.io.

What Happened

Attackers published packages with benign-sounding names that map to high-value developer workflows: wallet checking, DeFi risk scanning, Solidity deployment validation, model routing, prompt engineering, environment bootstrapping, and Sui/Move build helpers Socket. That naming strategy matters because developers in crypto, AI, and security tooling are more likely to have valuable SSH keys, cloud tokens, GitHub credentials, and wallet files on the same machines where package installation happens.

The campaign does not rely on one registry-specific trick. Socket reports npm postinstall execution, PyPI import-time execution that downloads JavaScript from attacker-controlled GitHub Pages and runs it with node -e, and Crates.io build.rs execution during Rust compilation Socket. OSV corroborates the PyPI side for env-loader-cli, stating that the package executes during import and exfiltrates credentials, private keys, and sensitive data OSV MAL-2026-4272.

Technical Analysis

Initial Access

The known initial access vector is package publication to public registries rather than compromise of an established upstream project. Socket lists packages across npm, PyPI, and Crates.io, and OSV confirms malicious PyPI package entries associated with campaign 2026-05-eth-security-auditor Socket OSV MAL-2026-4272.

Package or Artifact Tampering

The artifacts are malicious packages, not just vulnerable packages. Socket identifies shared infrastructure and behavior across package names, including trap-core.js, campaign marker P-2024-001, GitHub Pages content under ddjidd564[.]github[.]io/defi-security-best-practices/, and attacker-owned repositories and pull requests Socket. The GitHub repository itself shows a broad payload and lure surface, including payloads, trap-core, .cursorrules, CLAUDE.md, PAYLOAD.md, and multiple security-themed directories GitHub repo.

Execution Trigger

npm packages use lifecycle execution after installation, PyPI packages execute during import and invoke remote JavaScript, and Crates.io packages use Rust build scripts Socket. The Rust side is especially relevant because build.rs executes during compilation, before a developer directly runs package functionality; docs.rs shows a source listing with build.rs for sui-framework-helpers 0.1.0 docs.rs.

Payload Behavior

Socket reports that TrapDoor steals SSH keys, Sui/Solana/Aptos wallet data, AWS credentials, GitHub tokens, browser data, crypto wallet extension data, environment variables, API keys, and local development configuration files Socket. The npm payload validates stolen AWS and GitHub credentials and attempts SSH-based lateral movement, which makes developer workstations and CI runners potential bridges into broader infrastructure Socket.

Exfiltration / C2

The durable network indicator is ddjidd564[.]github[.]io, especially paths under hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/ Socket OSV MAL-2026-4272. OSV lists config.json, payloads/compliance-scanner-light.js, and payloads/risk-profiler.js under that path for env-loader-cli OSV MAL-2026-4272.

Propagation

Socket reports SSH-based propagation attempts and attacker pull requests that tried to add .cursorrules or CLAUDE.md files to AI and developer-tooling projects Socket. This makes TrapDoor broader than ordinary credential theft: the campaign also experiments with developer-assistant instruction surfaces as a persistence and social engineering layer.

Obfuscation or Evasion

The main evasion layer is workflow disguise. The packages present themselves as wallet safety tools, security scanners, build helpers, and AI/developer utilities Socket. Socket also reports zero-width Unicode in AI-facing files, Fernet and ECDH encryption in npm payloads, and XOR encryption with key cargo-build-helper-2026 in Crates.io packages Socket.

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name	Observed Behavior
Initial Access	T1195.002	Compromise Software Supply Chain	Malicious packages published to npm, PyPI, and Crates.io.
Execution	T1059	Command and Scripting Interpreter	PyPI packages execute JavaScript via node -e; npm payloads run JavaScript; Rust packages run build.rs.
Credential Access	T1552	Unsecured Credentials	Payloads search local files, environment variables, browser data, SSH keys, and cloud credentials.
Credential Access	T1555	Credentials from Password Stores	Socket reports browser and wallet data collection.
Command and Control	T1102	Web Service	Attacker-controlled GitHub Pages infrastructure hosts payload/config content.
Persistence	T1037	Boot or Logon Initialization Scripts	Socket reports shell hooks, systemd, cron, Git hooks, .cursorrules, and CLAUDE.md persistence surfaces.
Lateral Movement	T1021.004	SSH	Socket reports SSH-based propagation attempts using stolen keys.

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "npm"
    - "PyPI"
    - "Crates.io"
  packages:
    - "async-pipeline-builder"
    - "build-scripts-utils"
    - "chain-key-validator"
    - "crypto-credential-scanner"
    - "defi-env-auditor"
    - "defi-threat-scanner"
    - "deployment-key-auditor"
    - "dev-env-bootstrapper"
    - "eth-wallet-sentinel"
    - "llm-context-compressor"
    - "mnemonic-safety-check"
    - "model-switch-router"
    - "node-setup-helpers"
    - "project-init-tools"
    - "prompt-engineering-toolkit"
    - "solidity-deploy-guard"
    - "token-usage-tracker"
    - "wallet-backup-verifier"
    - "wallet-security-checker"
    - "web3-secrets-detector"
    - "workspace-config-loader"
    - "cryptowallet-safety"
    - "data-pipeline-check"
    - "defi-risk-scanner"
    - "env-loader-cli"
    - "eth-security-auditor"
    - "git-config-sync"
    - "solidity-build-guard"
    - "move-analyzer-build"
    - "move-compiler-tools"
    - "move-project-builder"
    - "sui-framework-helpers"
    - "sui-move-build-helper"
    - "sui-sdk-build-utils"
  versions:
    - "env-loader-cli 0.1.0"
    - "env-loader-cli 0.1.1"
    - "eth-security-auditor 0.1.0"
    - "sui-framework-helpers 0.1.0"
  repositories:
    - "github.com/ddjidd564/defi-security-best-practices"
  ci_cd_systems:
    - "developer CI runners"
    - "GitHub Actions"
    - "GitLab CI"
    - "CircleCI"
    - "Travis CI"
  container_images: []
  developer_tools:
    - "Cursor"
    - "Claude Code style CLAUDE.md workflows"
    - "Rust cargo build"
    - "Python import workflows"
    - "npm install workflows"
credentials_at_risk:
  - "SSH private keys"
  - "GitHub tokens"
  - "AWS credentials"
  - "cloud credentials"
  - "browser profile data"
  - "crypto wallet data"
  - "environment variables"
  - "API keys"
not_currently_known_to_affect:
  - "official Laravel framework packages"
  - "established upstream projects unless they accepted malicious PRs or installed listed packages"

Indicators of Compromise

package_versions:
  - "PyPI/env-loader-cli 0.1.0"
  - "PyPI/env-loader-cli 0.1.1"
  - "PyPI/eth-security-auditor 0.1.0"
  - "Crates.io/sui-framework-helpers 0.1.0"
files:
  - "trap-core.js"
  - ".cursorrules"
  - "CLAUDE.md"
  - "build.rs"
hashes: []
domains:
  - "ddjidd564[.]github[.]io"
urls:
  - "hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/"
  - "hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/config.json"
  - "hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/payloads/compliance-scanner-light.js"
  - "hxxps://ddjidd564[.]github[.]io/defi-security-best-practices/payloads/risk-profiler.js"
ips: []
process_patterns:
  - "npm -> node trap-core.js"
  - "python -> node -e"
  - "cargo -> build.rs"
network_patterns:
  - "developer or CI host egress to ddjidd564[.]github[.]io"
  - "post-install GitHub or AWS credential validation"
provenance_signals:
  - "new low-volume security, wallet, DeFi, AI, and build-helper packages with lifecycle, import-time, or build.rs execution"

Detection and Hunting

lockfiles:
  - "Search package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, Pipfile.lock, uv.lock, and Cargo.lock for all listed package names."
filesystem:
  - "Find trap-core.js, .cursorrules, CLAUDE.md, build.rs, Git hooks, shell hooks, systemd units, and cron entries created after package installation."
  - "Search npm, PyPI, Cargo, CI workspace, and container layer caches for ddjidd564, P-2024-001, and trap-core.js."
process:
  - "Alert when npm, python, or cargo build chains spawn node, ssh, git, aws, gh, curl, wget, systemctl, or crontab unexpectedly."
  - "Correlate package install/import/build events with credential discovery commands or SSH outbound activity."
network:
  - "Alert on developer or CI egress to ddjidd564[.]github[.]io."
  - "Correlate package installation with GitHub token validation, AWS credential validation, or GitHub Gist creation."
github_audit:
  - "Review PRs adding .cursorrules or CLAUDE.md, especially when referencing P-2024-001 or external GitHub Pages configuration."
ci_cd:
  - "Search CI logs for listed package names, postinstall execution, node -e from Python jobs, and cargo build scripts with network activity."
registry:
  - "Flag new packages with wallet, DeFi, model routing, prompt engineering, security audit, or build-helper names from new or low-reputation publishers."
sigma_candidates:
  - "Process Creation: Python spawning node -e from package import paths."
  - "Process Creation: npm postinstall creates persistence files."
  - "Network: CI runner outbound to ddjidd564.github.io."
yara_candidates:
  - "Detect strings ddjidd564.github.io, P-2024-001, trap-core.js, cargo-build-helper-2026, .cursorrules, and CLAUDE.md in package artifacts."

Remediation Workflow

• Immediate: Block the listed packages in dependency proxies, SCA policy, CI allowlists, and package-manager firewall rules.
• Immediate: Search dependency locks, package caches, build logs, container layers, and developer workstations for the listed package names, trap-core.js, P-2024-001, ddjidd564[.]github[.]io, .cursorrules, and CLAUDE.md.
• Immediate: Treat hosts that installed, imported, or built the packages as potentially compromised. Rotate SSH keys, GitHub tokens, cloud credentials, registry tokens, crypto wallet material, API keys, CI/CD secrets, and environment secrets from a clean host.
• Short-term: Preserve package artifacts, lockfiles, package-manager caches, process execution logs, DNS/proxy logs, GitHub audit events, cloud audit logs, and CI job logs before cleanup.
• Short-term: Rebuild affected developer workstations, CI runners, and containers from known-good images where high-value credentials were present.
• Long-term: Enforce dependency cooldowns, restrict lifecycle scripts and build scripts, block import-time network execution in test sandboxes where feasible, monitor AI assistant instruction files, and restrict CI egress to approved endpoints.

Defensive Lessons

• prevent: New low-volume packages with security, crypto, AI, or build-helper branding should not bypass review just because their names sound defensive.
• detect: Treat package installation, import, and build as execution surfaces. Monitor npm lifecycle hooks, Python import side effects, Rust build.rs, and CI egress together.
• respond: For developer-targeted supply-chain malware, credential rotation is not enough. Preserve evidence, rebuild execution hosts, review GitHub audit trails, and inspect AI assistant instruction files.

Open Questions

• The complete package/version list is still changing; rerun Socket campaign and OSV/OpenSSF checks before bulk-block policy publication.
• Exact npm and Crates.io malicious version ranges need direct registry confirmation package by package.
• Registry removal/yank status is incomplete.
• No reviewed source proves victim count or actor attribution beyond observed package publishers and GitHub infrastructure.
• The real-world effectiveness of .cursorrules and CLAUDE.md prompt-injection persistence depends on local AI tool behavior.

Sources

1. Socket: TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io - Role: PRIMARY_RESEARCH - Impact: Campaign scope, package names, execution triggers, infrastructure, payload behavior, and IOCs.
2. OSV PyPI malicious-package list - Role: DIRECT_SOURCE - Impact: Recent PyPI malicious-package records associated with the campaign.
3. OSV MAL-2026-4272: env-loader-cli - Role: DIRECT_SOURCE - Impact: Affected versions, import-time exfiltration behavior, campaign label, and infrastructure IOCs.
4. GitHub: ddjidd564/defi-security-best-practices gh-pages - Role: DIRECT_SOURCE - Impact: Directly observable attacker-controlled infrastructure, payload directories, .cursorrules, and CLAUDE.md.
5. docs.rs: sui-framework-helpers 0.1.0 source - Role: DIRECT_SOURCE - Impact: Direct package source listing for a Crates.io package named in the campaign.

---

Machine-Readable Event Profile

{
  "schema_version": "2.0",
  "event_id": "trapdoor-cross-ecosystem-crypto-stealer-2026-05-24",
  "event_name": "TrapDoor Cross-Ecosystem Crypto Stealer Campaign",
  "parent_campaign_id": "none",
  "is_campaign_level": true,
  "publication_state": "publish_ready",
  "confidence": "medium",
  "confidence_reason": "Socket provides primary cross-registry analysis and OSV confirms multiple PyPI malicious package records in the same campaign. Confidence is medium because the campaign is active and package counts may change.",
  "attack_types": [
    "malicious package",
    "cross-registry campaign",
    "postinstall malware",
    "import-time malware",
    "build-script malware",
    "credential theft",
    "crypto wallet theft",
    "AI assistant instruction poisoning"
  ],
  "sources": {
    "direct": [
      "https://osv.dev/list?ecosystem=PyPI",
      "https://osv.dev/vulnerability/MAL-2026-4272",
      "https://github.com/ddjidd564/defi-security-best-practices/tree/gh-pages",
      "https://docs.rs/crate/sui-framework-helpers/0.1.0/source/"
    ],
    "primary_research": [
      "https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates"
    ],
    "correlated": []
  },
  "affected_assets": {
    "ecosystems": ["npm", "PyPI", "Crates.io"],
    "registries": ["npmjs.com", "pypi.org", "crates.io"],
    "packages": [
      "async-pipeline-builder",
      "build-scripts-utils",
      "chain-key-validator",
      "crypto-credential-scanner",
      "defi-env-auditor",
      "defi-threat-scanner",
      "deployment-key-auditor",
      "dev-env-bootstrapper",
      "eth-wallet-sentinel",
      "llm-context-compressor",
      "mnemonic-safety-check",
      "model-switch-router",
      "node-setup-helpers",
      "project-init-tools",
      "prompt-engineering-toolkit",
      "solidity-deploy-guard",
      "token-usage-tracker",
      "wallet-backup-verifier",
      "wallet-security-checker",
      "web3-secrets-detector",
      "workspace-config-loader",
      "cryptowallet-safety",
      "data-pipeline-check",
      "defi-risk-scanner",
      "env-loader-cli",
      "eth-security-auditor",
      "git-config-sync",
      "solidity-build-guard",
      "move-analyzer-build",
      "move-compiler-tools",
      "move-project-builder",
      "sui-framework-helpers",
      "sui-move-build-helper",
      "sui-sdk-build-utils"
    ],
    "versions": ["env-loader-cli 0.1.0", "env-loader-cli 0.1.1", "eth-security-auditor 0.1.0", "sui-framework-helpers 0.1.0"],
    "repositories": ["https://github.com/ddjidd564/defi-security-best-practices/tree/gh-pages"],
    "vendors": [],
    "ci_cd_systems": ["developer CI runners", "GitHub Actions", "GitLab CI", "CircleCI", "Travis CI"],
    "container_images": [],
    "developer_tools": ["Cursor", "Claude Code style CLAUDE.md workflows", "Rust cargo build", "Python import workflows", "npm install workflows"],
    "credentials_at_risk": ["SSH keys", "GitHub tokens", "AWS credentials", "cloud credentials", "browser data", "crypto wallet data", "environment variables", "API keys"]
  },
  "timeline": {
    "first_seen": "2026-05-22T20:20:18Z",
    "malicious_publish_time": "2026-05-22T20:20:18Z",
    "discovery_time": "unknown",
    "removal_time": "unknown",
    "disclosure_time": "2026-05-24",
    "patch_or_fix_time": "unknown"
  },
  "artifact_analysis": {
    "malicious_artifacts": ["trap-core.js", ".cursorrules", "CLAUDE.md", "build.rs", "npm postinstall hooks", "Python import-time node -e loaders"],
    "execution_trigger": "npm postinstall, Python import, Rust build.rs",
    "payload_behavior": ["credential harvesting", "wallet theft", "AWS and GitHub credential validation", "SSH lateral movement", "AI instruction file planting", "persistence"],
    "provenance": {
      "present": null,
      "type": "unknown",
      "verified": null
    }
  },
  "iocs": {
    "package_versions": ["env-loader-cli 0.1.0", "env-loader-cli 0.1.1", "eth-security-auditor 0.1.0", "sui-framework-helpers 0.1.0"],
    "files": ["trap-core.js", ".cursorrules", "CLAUDE.md", "build.rs"],
    "hashes": [],
    "domains": ["ddjidd564.github.io"],
    "urls": [
      "https://ddjidd564.github.io/defi-security-best-practices/",
      "https://ddjidd564.github.io/defi-security-best-practices/config.json",
      "https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js",
      "https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js"
    ],
    "ips": [],
    "process_patterns": ["npm -> node trap-core.js", "python -> node -e", "cargo -> build.rs"],
    "network_patterns": ["developer or CI host egress to ddjidd564.github.io", "post-install GitHub or AWS credential validation"]
  },
  "detection": {
    "lockfile_hunts": ["Search npm, PyPI, and Cargo lockfiles for listed packages."],
    "filesystem_hunts": ["Find trap-core.js, .cursorrules, CLAUDE.md, build.rs, new Git hooks, shell hooks, systemd units, and cron jobs after package installation."],
    "process_hunts": ["Alert on npm, python, or cargo build chains spawning node, ssh, git, aws, gh, curl, wget, systemctl, or crontab unexpectedly."],
    "network_hunts": ["Alert on developer or CI egress to ddjidd564.github.io."],
    "ci_cd_hunts": ["Correlate dependency installation with outbound GitHub/AWS validation and new persistence artifacts."],
    "registry_hunts": ["Flag new low-volume security, wallet, DeFi, AI, and build-helper packages with lifecycle/build/import execution."]
  },
  "open_questions": [
    "Complete package/version list is still changing.",
    "Exact npm and Crates.io malicious versions need direct registry confirmation package by package.",
    "Registry removal status is incomplete.",
    "No actor attribution beyond observed infrastructure."
  ],
  "defender_takeaways": {
    "detection": "Prioritize lockfile/package-cache searches, process execution telemetry, and egress to ddjidd564.github.io.",
    "hunting": "Look for package install/import/build triggers followed by credential discovery, AI instruction file writes, Git hooks, shell hooks, systemd, cron, or SSH activity.",
    "remediation": "Block packages, preserve evidence, rotate secrets from clean hosts, and rebuild developer or CI systems that executed affected packages.",
    "prevention": "Use dependency cooldowns, registry allowlists, lifecycle-script controls, CI egress restrictions, and monitoring for AI assistant instruction files."
  }
}