TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
- Javier Conejo del Cerro
- 7 hours ago
- 5 min read

Modern software supply chain attacks are no longer confined to a single ecosystem.
Attackers are now operating simultaneously across npm, PyPI, and Crates.io, building coordinated malware campaigns capable of targeting developers regardless of language, framework, or platform. The TrapDoor operation demonstrates how threat actors are evolving beyond simple typosquatting into deeply integrated attacks focused on persistence, lateral movement, cloud compromise, AI-assisted workflows, and long-term infiltration of developer environments.
The campaign spread more than 34 malicious packages across over 384 versions in multiple package ecosystems, specifically targeting crypto, Solana, DeFi, cloud, and artificial intelligence communities. The malware harvested credentials, cloud secrets, wallets, SSH keys, browser data, and environment variables while embedding persistence mechanisms designed to survive across developer systems and infrastructure environments.
More importantly, TrapDoor reveals an emerging trend that extends beyond traditional malware delivery.
Attackers are beginning to manipulate the behavior of AI-assisted development environments themselves.
Phase 1: The Packages Begin to Spread
The operation started with coordinated package publication waves across npm, PyPI, and Crates.io.
The malicious packages were carefully designed to appear legitimate and useful within modern development ecosystems. Their names mimicked tools commonly associated with:
- Crypto development
- Solana ecosystems
- DeFi environments
- AI tooling
- Deployment automation
- Security auditing
- Environment configuration
- Wallet verification
Examples included:
- eth-wallet-sentinel
- wallet-security-checker
- defi-risk-scanner
- llm-context-compressor
- prompt-engineering-toolkit
- solidity-build-guard
- cryptowallet-safety
The naming strategy was intentional.
Rather than relying solely on obvious typosquatting, the attackers targeted psychological trust within highly specialized developer communities. The packages looked exactly like the sort of tooling developers would naturally search for while configuring environments, auditing wallets, or improving AI workflows.
This significantly increased the probability of installation.
Phase 2: Ecosystem-Specific Execution Paths
TrapDoor used different execution mechanisms depending on the ecosystem being targeted.
For npm packages, attackers relied heavily on:
- postinstall hooks
- remote JavaScript payload execution
- hidden dependency chains
The npm payload deployed a shared malware component named trap-core.js.
The Python packages took a different approach.
The malicious PyPI libraries executed automatically during import, silently downloading remote JavaScript payloads from attacker-controlled GitHub Pages infrastructure before launching them through node -e.
This approach gave the attackers operational flexibility because the remote payload could evolve independently without requiring new package releases.
Meanwhile, the Rust crates weaponized the build.rs compilation process.
When developers compiled the package, malicious code executed automatically during the build stage, searching local environments for sensitive keystore information before encrypting and exfiltrating it to GitHub Gists.
Each ecosystem used its own trusted execution pathway against developers.
The malware blended into the normal behavior of the platform itself.
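The three automatic execution paths described in this phase can be inventoried before anything is installed or built. The following is an added example, not code from the TrapDoor report or from any affected project: it walks an unpacked dependency tree and lists npm lifecycle scripts, Cargo build scripts, and Python sources that shell out to `node -e`. The function name `find_auto_exec` and the regex heuristics are assumptions made for illustration.

```python
import json
import re
import sys
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install
# Heuristic patterns (assumptions for this example, not indicators from the report)
NODE_EVAL = re.compile(r"""["']node["']\s*,\s*["']-e["']|\bnode\s+-e\b""")
RUST_RISKY = re.compile(r"Command::new|TcpStream|reqwest|ureq")


def read_text(path):
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def find_auto_exec(root):
    """Return sorted (kind, relative_path, detail) tuples for code that runs
    at install, import or build time somewhere under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                manifest = json.loads(read_text(path))
            except ValueError:
                continue  # unparsable manifest, nothing to report here
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            for hook in NPM_HOOKS:
                if isinstance(scripts, dict) and hook in scripts:
                    findings.append(("npm-lifecycle", rel, f"{hook}: {scripts[hook]}"))
        elif path.name == "build.rs" and (path.parent / "Cargo.toml").exists():
            # Cargo compiles and runs build.rs before building the crate itself
            hits = sorted(set(RUST_RISKY.findall(read_text(path))))
            findings.append(("cargo-build-script", rel, ", ".join(hits) or "present"))
        elif path.suffix == ".py":
            for n, line in enumerate(read_text(path).splitlines(), 1):
                if NODE_EVAL.search(line):
                    findings.append(("python-node-eval", rel, f"line {n}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rel, detail in find_auto_exec(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:20} {rel}  [{detail}]")
```

Run it against sources fetched without execution, for example a tree populated with `npm install --ignore-scripts` or `cargo vendor`. A hit is a prompt for manual review, since many legitimate packages use these hooks.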
Phase 3: trap-core.js Enters the Environment
Once executed, the central JavaScript payload began aggressively harvesting secrets and validating stolen credentials.
The malware scanned developer systems for:
- AWS credentials
- GitHub tokens
- SSH keys
- Browser data
- Docker configurations
- Kubernetes secrets
- Environment variables
- Crypto wallets
- API keys
- Shell history
- Cloud credentials
The malware also actively validated stolen tokens against AWS and GitHub APIs to determine which credentials remained operational.
This capability significantly increased attacker efficiency.
Rather than collecting massive quantities of potentially invalid secrets, the malware immediately identified usable credentials capable of enabling lateral movement and infrastructure compromise.
Developer systems increasingly function as centralized operational hubs controlling cloud infrastructure, CI/CD pipelines, production deployments, AI tooling, and cryptographic assets.
Compromising the developer workstation therefore frequently means compromising the broader infrastructure ecosystem.
Phase 4: Persistence Everywhere
TrapDoor was not designed as a short-term smash-and-grab operation.
It focused heavily on persistence.
The malware implanted itself through multiple mechanisms simultaneously, including:
- cron jobs
- systemd services
- Git hooks
- shell hooks
- SSH persistence
- hidden project modifications
This multi-layered persistence strategy ensured that even if one foothold was removed, others would likely survive.
The malware also attempted SSH-based lateral movement, allowing it to propagate across interconnected development environments and infrastructure systems.
This reflects a broader evolution in software supply chain attacks.
The objective is no longer merely credential theft. The objective is environmental occupation.
Attackers increasingly seek to establish resilient, long-term presence within developer ecosystems capable of supporting future operations.
Phase 5: AI Assistants Become the Target
One of the most unusual and dangerous aspects of TrapDoor involved the abuse of AI-assisted coding environments.
The malware implanted hidden instructions inside files such as:
- .cursorrules
These files contained carefully crafted prompts intended to manipulate AI coding assistants into performing “security scans” that actually exposed and exfiltrated sensitive secrets.
Researchers observed pull requests targeting major AI-related repositories including:
- browser-use/browser-use
- langchain-ai/langchain
- langflow-ai/langflow
This stage signals an important escalation.
Threat actors are no longer targeting developers alone. They are beginning to target the AI systems developers rely upon.
If successful, attackers could indirectly weaponize trusted AI assistants into becoming automated reconnaissance and credential harvesting tools operating inside legitimate development environments.
This introduces an entirely new attack surface within modern software ecosystems.
Phase 6: Cross-Ecosystem Infection
TrapDoor demonstrates how attackers increasingly operate across ecosystems simultaneously rather than targeting isolated package managers.
The campaign coordinated malicious activity across:
- npm
- PyPI
This cross-platform strategy significantly expands operational reach and resilience.
Even if one ecosystem detects and removes malicious packages quickly, others may remain active long enough to continue spreading malware.
The operation also reflects how interconnected modern developer environments have become.
A single workstation may simultaneously contain:
- Node.js dependencies
- Python tooling
- Rust crates
- Cloud credentials
- AI assistants
- Wallet infrastructure
- Kubernetes access
- CI/CD tokens
Attackers understand this convergence extremely well.
The modern developer endpoint has become one of the highest-value targets in cybersecurity.
Phase 7: The New Supply Chain Era
TrapDoor reflects a broader shift occurring across the software supply chain threat landscape.
Modern attackers increasingly combine:
- trusted ecosystems
- automation
- persistence
- credential validation
- AI manipulation
- cloud targeting
- lateral movement
- social engineering
into unified operations designed to scale rapidly across interconnected development environments.
Traditional supply chain attacks focused primarily on delivering malware.
TrapDoor focuses on occupying the developer ecosystem itself.
The distinction is critical.
This is no longer simply malicious code distribution. It is infrastructure-level infiltration through trust relationships embedded within software development pipelines.
Measures to Fend Off Cross-Ecosystem Supply Chain Attacks
- Audit dependencies continuously across npm, PyPI, and Crates.io ecosystems.
- Restrict postinstall hooks and untrusted build scripts wherever possible.
- Monitor unexpected outbound network connections during installs and builds.
- Isolate cloud credentials from developer endpoints.
- Enforce least privilege access across CI/CD systems and repositories.
- Review AI-related project files such as .cursorrules and CLAUDE.md.
- Disable unnecessary automatic execution behaviors during package installation.
- Continuously rotate SSH keys and cloud tokens.
- Monitor persistence mechanisms including cron jobs, Git hooks, and shell hooks.
- Deploy behavioral monitoring focused on developer workstations.
- Validate package reputation and maintainer trust before installation.
- Treat developer systems as critical infrastructure assets.
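One way to monitor the persistence locations and AI instruction files listed above is to hash them and compare against a known-good baseline. This is an added example, not tooling from the original report; the watched names beyond `.cursorrules` and `CLAUDE.md` (shell startup files, `authorized_keys`, per-user systemd units) and the function names are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

AI_RULE_FILES = {".cursorrules", "CLAUDE.md"}  # named in the article
# Assumed concrete locations for "shell hooks" and "SSH persistence"
SHELL_AND_SSH = {".bashrc", ".zshrc", ".profile", ".bash_profile", "authorized_keys"}


def is_watched(path):
    """True for files an implant could use to regain execution or steer an AI assistant."""
    if path.name in AI_RULE_FILES or path.name in SHELL_AND_SSH:
        return True
    parent = path.parts[-3:-1]
    if parent == (".git", "hooks"):  # active Git hooks only, skip the shipped samples
        return path.suffix != ".sample"
    return parent == ("systemd", "user")  # per-user systemd units (assumed location)


def snapshot(root):
    """Map each watched file under root to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_watched(p)
    }


def compare(baseline, current):
    """Report watched files that appeared, disappeared or changed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in shared if baseline[k] != current[k]),
    }


if __name__ == "__main__":
    # usage: script.py <root> <baseline.json>; the first run records the baseline
    root, store = Path(sys.argv[1]), Path(sys.argv[2])
    now = snapshot(root)
    if store.exists():
        print(json.dumps(compare(json.loads(store.read_text()), now), indent=2))
    else:
        store.write_text(json.dumps(now, indent=2))
```

Keep the baseline file outside the scanned tree and off the workstation being checked, so that an implant cannot rewrite it along with the files it modifies.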
Conclusion
TrapDoor demonstrates that software supply chain attacks are evolving into persistent ecosystem compromises that span multiple programming languages, package managers, cloud environments, and AI-assisted workflows simultaneously.
The campaign weaponized trusted developer tooling, automated package execution, build systems, and AI configuration files to create a flexible malware platform capable of harvesting secrets, maintaining persistence, and spreading laterally across modern infrastructure environments.
Perhaps most importantly, TrapDoor signals the emergence of a dangerous new frontier.
AI-assisted development environments themselves are beginning to enter the threat landscape.
And as attackers increasingly target the systems developers trust to build software, the boundary between development workflow and attack surface continues to disappear.
The Hacker News



