TrapDoor supply-chain attack hits three registries, with 34 malicious packages stealing crypto wallets

MarketWhisper

TrapDoor supply-chain attack

On May 25, security company Socket Security disclosed a supply-chain attack campaign named TrapDoor that steals crypto assets, and found more than 34 malicious software packages and 384 related versions in npm, PyPI, and Crates.io. Socket has reported the packages to the affected registries, and some have been removed; as of the time of reporting, some still remain.

Malicious execution mechanisms in the three main registries

TrapDoor registry attack (Source: Socket Security)

npm (22 packages) deploys a shared credential-harvesting payload, trap-core.js, through postinstall hooks, validates the stolen credentials using the AWS and GitHub APIs, and establishes persistence via Git hooks, shell hooks, systemd, cron, and SSH. Compromised developer machines can become a bridge for lateral movement to other infrastructure.

PyPI (7 packages) executes automatically upon import, downloads JavaScript from attacker-controlled GitHub Pages domains, and runs it with node -e; attackers can update behavior without publishing new versions.

Crates.io (6 packages, all targeting Sui and Move developers) uses a malicious build.rs build script that searches local key stores during Rust compilation, encrypts what it finds with a hard-coded XOR key, and sends it to a GitHub Gist.

Data types stolen by TrapDoor (confirmed by Socket)

According to Socket’s analysis, TrapDoor steals the following data:

· SSH keys (usable for lateral movement)

· Sui, Solana, and Aptos wallet data

· AWS credentials and GitHub tokens

· Browser profiles and login databases

· Encrypted wallet extension data

· Environment variables and API keys

· Local development configuration files

Injection targeting AI tools: .cursorrules, CLAUDE.md, and malicious PRs

TrapDoor uses .cursorrules and CLAUDE.md files to implant hidden instructions via zero-width Unicode characters, attempting to trick AI coding tools (such as Cursor and Claude) into executing “security scans” that result in developers’ keys being stolen. The attackers used the GitHub account ddjidd564 and at the same time submitted pull requests to major open-source AI projects such as browser-use, langchain, langflow, llama_index, MetaGPT, and OpenHands, attempting to insert .cursorrules and CLAUDE.md files pointing to attacker-controlled configuration URLs. The activity was tagged as P-2024-001.

FAQ

What emergency measures should developers affected by TrapDoor take?

Immediately identify and remove any of the malicious packages that have been installed (the full list covers 22 packages on npm, 7 on PyPI, and 6 on Crates.io), and immediately revoke any exposed AWS credentials, GitHub tokens, and SSH keys. Socket has reported the packages to the three main registries and continues to update its TrapDoor campaign tracking page.

What is the infrastructure behind the TrapDoor attack activity?

The attacker uses the GitHub account ddjidd564 to host payloads and configurations; the GitHub Pages domain is ddjidd564[.]github[.]io/defi-security-best-practices/. The account also maintains attacker-authored technical documents (including AUDIT-MATRIX.md, BYPASS.md, PAYLOAD.md, and SWARM.md) and multiple lure repositories themed around DeFi and security.

How can developers confirm whether their environment has been infected?

Socket recommends checking .cursorrules and CLAUDE.md files in the local development environment for abnormal configurations that include zero-width Unicode characters, as well as checking for abnormal processes in postinstall hooks, systemd services, or cron tasks. Socket has published its complete list of malicious package names; developers can check their installed packages against it one by one.
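
One way to run the .cursorrules and CLAUDE.md check described above, as an added example (not Socket's tooling and not part of the original article): a Python script that walks a directory tree and reports invisible Unicode characters in those files. Flagging every character in Unicode category Cf, which is broader than the zero-width characters the article names, is an assumption made here, and the function names and sample text are constructed for illustration.

```python
import os
import sys
import unicodedata

# File names the article says TrapDoor plants or tampers with.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}

# Constructed sample: a rules line hiding U+200B and U+200D after "tests".
SAMPLE = "Use type hints.\nRun tests\u200b\u200d before commit.\n"


def find_invisible(text):
    """Return (line, column, 'U+XXXX', name) for each invisible format character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\ufeff" and lineno == 1 and col == 1:
                continue  # a leading byte-order mark is benign
            # Category Cf covers zero-width space/joiners, bidi controls
            # and Unicode tag characters: none of them render as glyphs.
            if unicodedata.category(ch) == "Cf":
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNNAMED")))
    return hits


def scan_tree(root):
    """Map each AI instruction file under root to its invisible characters."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_invisible(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_tree(root)
    for path, hits in results.items():
        for lineno, col, code, name in hits:
            print(f"{path}:{lineno}:{col}: {code} {name}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any file is flagged, so it can gate a pre-commit hook or CI job; a flagged file needs manual review, since a clean result here says nothing about the hooks, systemd services, or cron tasks mentioned above.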
