A coordinated supply chain attack campaign has been quietly seeding malicious packages across three of the most widely used open source ecosystems simultaneously. The operation, tracked as TrapDoor, has distributed more than 34 packages across over 384 versions on npm, PyPI, and Crates.io, with the earliest recorded activity dating to May 22, 2026.

The targets are specific: developers working in crypto, DeFi, Solana, and AI communities, communities that tend to handle exactly the kind of credentials and wallet keys that make the effort worthwhile for the people behind it.

What the Packages Are After

The theft surface TrapDoor is designed to cover is broad. According to Socket, which identified and named the campaign, the malicious packages are built to steal developer secrets, cryptocurrency wallets, SSH keys, cloud credentials, browser data, and environment variables.

Several npm packages in the campaign share a common payload, a JavaScript file called trap-core.js, which handles the heavy lifting. It scans the infected system for credentials, validates stolen AWS and GitHub tokens against live APIs to confirm they work before exfiltrating them, attempts SSH-based lateral movement to reach adjacent systems, and plants persistence through multiple mechanisms, including cron jobs, systemd services, Git hooks, shell hooks, and SSH configuration.

The persistence layer is worth paying attention to. An attacker who has planted hooks across that many execution paths on a developer’s machine has access that survives package removal, environment resets, and even some reimaging scenarios, depending on how thoroughly the cleanup is done.

Three Ecosystems, Three Different Execution Paths

What makes TrapDoor technically notable is how it adapts its delivery mechanism to each ecosystem’s conventions rather than using a one-size-fits-all approach.

npm

The JavaScript packages use postinstall hooks, which run automatically when a package is installed through npm. This is a legitimate feature of the npm ecosystem that many real packages use for setup tasks. Malicious packages have abused it for years precisely because developers are conditioned to expect some activity at install time. trap-core.js runs through this hook, beginning credential scanning before the developer has written a single line of code using the package.

PyPI

The Python packages take a different approach, executing malicious code automatically on import rather than at install time. Their primary function is to reach out to an attacker-controlled GitHub Pages domain and pull down a JavaScript payload, which is then executed locally using Node. Socket noted the significance of this design choice: by hosting the payload externally, the attacker can update behavior and retool the malware without publishing a new PyPI release. The package itself becomes a persistent loader rather than a static piece of malware.

Crates.io

The Rust crates target Sui and Move developers specifically, searching local keystores, encrypting collected data with a hardcoded XOR key, and exfiltrating it to GitHub Gists. The execution path runs through build.rs, a build script that Rust’s cargo toolchain runs as part of compilation. Like postinstall hooks in npm, build scripts serve legitimate purposes, which is exactly what makes them useful as an attack vector.
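As an added example (not code from Socket or from the campaign), the sketch below inventories the two install-time and build-time execution paths described above: npm lifecycle scripts in node_modules and vendored crates that ship a build.rs. The function names, the sample tree, and the setup.js script name are constructed for illustration.

```python
import json
import os
import tempfile

# Package names quoted in the article; Socket's report has the full list.
NAMED = {"defi-env-auditor", "wallet-security-checker", "crypto-credential-scanner",
         "prompt-engineering-toolkit", "llm-context-compressor"}
NPM_HOOKS = ("preinstall", "install", "postinstall")


def is_named(name):
    # Vendored crates are often stored as "<name>-<version>"; prefix match is a heuristic.
    return any(name == n or name.startswith(n + "-") for n in NAMED)


def install_time_code(root):
    """List (ecosystem, package, trigger, named_in_article) for dependencies under root."""
    found = []
    for path, _dirs, files in os.walk(root):
        if "package.json" in files and "node_modules" in path.split(os.sep):
            try:
                with open(os.path.join(path, "package.json"), encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                manifest = {}  # unreadable or malformed manifest
            scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
            if isinstance(scripts, dict):
                name = str(manifest.get("name") or os.path.basename(path))
                found += [("npm", name, f"{h}: {scripts[h]}", is_named(name))
                          for h in NPM_HOOKS if h in scripts]
        if "Cargo.toml" in files and "build.rs" in files:
            name = os.path.basename(path)
            found.append(("cargo", name, "build.rs", is_named(name)))
    return sorted(found)


def demo():
    """Scan a constructed dependency tree (sample data, not campaign artifacts)."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "node_modules", "defi-env-auditor")
        crate = os.path.join(root, "vendor", "example-crate-0.1.0")
        os.makedirs(pkg)
        os.makedirs(crate)
        with open(os.path.join(pkg, "package.json"), "w") as fh:
            json.dump({"name": "defi-env-auditor",
                       "scripts": {"postinstall": "node setup.js"}}, fh)
        for fname in ("Cargo.toml", "build.rs"):
            open(os.path.join(crate, fname), "w").close()
        return install_time_code(root)
```

Most hits will be legitimate packages, so the output is a review list rather than a verdict. Installing with `npm install --ignore-scripts` keeps npm lifecycle scripts from running while that review happens.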

The AI Manipulation Angle

The most technically unusual element of TrapDoor is how it attempts to weaponize AI coding assistants as part of the attack chain.

The campaign plants files named .cursorrules and CLAUDE.md in compromised environments. These file types are recognized by AI coding tools as containing project-level instructions, guidance that the assistant should follow when working within a given codebase. TrapDoor fills them with hidden instructions designed to trick AI assistants into running what appears to be a security scan but is actually a credential discovery and exfiltration routine.

The campaign has also been opening pull requests against popular AI and developer repositories on GitHub, including browser-use, LangChain, and Langflow. Socket assessed that the threat actor is likely testing whether AI-related project files containing hidden instructions can be introduced through normal open source contribution workflows, causing AI coding tools used by contributors and maintainers to parse and act on those instructions.

This represents a meaningful evolution in how supply chain attackers think about the developer environment. Compromising the packages a developer installs is one attack surface. Compromising the AI assistant that reads and acts on the developer’s codebase is a different one, and the blast radius of a successfully poisoned AI assistant is considerably larger than a single malicious package.

The Package Names Are the First Layer of the Attack

The 34-plus packages identified across the three ecosystems share a naming strategy that reflects careful study of what developers in the targeted communities actually search for and install. Names like defi-env-auditor, wallet-security-checker, crypto-credential-scanner, prompt-engineering-toolkit, and llm-context-compressor are built to appear not just plausible but actively useful to their intended targets.

A developer working on a DeFi project who searches for environment auditing tools or wallet security utilities is primed to install something called defi-env-auditor without much additional scrutiny. The name implies a defensive purpose. The package delivers the opposite.

Socket described the overall approach: “TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths. The package names are tailored to appear relevant to crypto development, AI tooling, local environment setup, and security workflows. The malware then uses ecosystem-specific execution paths: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python.”

What Developers Should Do Right Now

Any developer working in crypto, DeFi, Solana, or AI tooling who installed packages from any of the three ecosystems after May 22 should audit their installed dependencies against the full package list Socket has published. The presence of any of the identified packages warrants immediate credential rotation across AWS, GitHub, SSH keys, and any cryptocurrency wallets accessible from the affected machine.

Checking for persistence mechanisms is the harder but more important step. Reviewing cron jobs, systemd services, Git hooks, and shell configuration files for entries that were not deliberately added is the only way to confirm whether TrapDoor planted anything that survived the package removal. On machines used for crypto or cloud work, the bar for that review should be thorough rather than cursory.
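One way to triage the per-user persistence locations named above, as an added example rather than a tool from Socket: it lists shell startup files, SSH configuration, systemd user units, and active Git hooks modified on or after May 22, 2026. The paths are assumed typical Linux locations, and the sample home directory and its updater.service unit are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

# Earliest campaign activity per the article.
CUTOFF = datetime(2026, 5, 22, tzinfo=timezone.utc).timestamp()
# Per-user locations for the mechanisms the article lists (assumed typical Linux paths).
HOME_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc",
              ".ssh/config", ".ssh/authorized_keys")
HOME_DIRS = (".config/systemd/user",)


def persistence_candidates(home, repos=(), cutoff=CUTOFF):
    """Return sorted paths in known persistence locations modified at or after cutoff."""
    paths = [os.path.join(home, f) for f in HOME_FILES]
    dirs = [os.path.join(home, d) for d in HOME_DIRS]
    dirs += [os.path.join(r, ".git", "hooks") for r in repos]
    for d in dirs:
        if os.path.isdir(d):
            # Git ships inactive templates as *.sample; only the other files can run.
            paths += [os.path.join(d, n) for n in os.listdir(d) if not n.endswith(".sample")]
    # mtime is only a triage signal: a process running as the user can reset it.
    return sorted(p for p in paths
                  if os.path.isfile(p) and os.path.getmtime(p) >= cutoff)


def demo():
    """Run against a constructed home directory and repository (sample data)."""
    old = datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 6, 1, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as home:
        hooks = os.path.join(home, "proj", ".git", "hooks")
        units = os.path.join(home, ".config", "systemd", "user")
        os.makedirs(hooks)
        os.makedirs(units)
        sample = {".bashrc": old, ".zshrc": new, "proj/.git/hooks/pre-commit": new,
                  "proj/.git/hooks/pre-push.sample": new,
                  ".config/systemd/user/updater.service": new}
        for rel, mtime in sample.items():
            path = os.path.join(home, rel)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        hits = persistence_candidates(home, [os.path.join(home, "proj")])
        return [os.path.relpath(p, home) for p in hits]
```

Cron entries and system-wide systemd units are outside this sketch; review them with `crontab -l` and `systemctl list-unit-files`. An empty result does not clear a machine, because modification times can be rewritten.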

For teams, reviewing .cursorrules and CLAUDE.md files in shared repositories for instructions that nobody on the team added is now a necessary part of the supply chain security checklist, particularly for projects that use AI coding assistants as part of a regular development workflow.
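A review aid for those files, as an added example that is not part of Socket's research: it finds .cursorrules and CLAUDE.md files in a repository and reports content a human reviewer is unlikely to see. The article does not say how the instructions are hidden, so the two checks here (invisible Unicode format characters and HTML comments) are assumptions, and the sample text is constructed.

```python
import os
import re
import unicodedata

AI_FILES = {".cursorrules", "CLAUDE.md"}  # file names given in the article
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)


def hidden_content(text):
    """Return sorted (line_no, kind, detail) findings for hard-to-see content."""
    hits = []
    for no, line in enumerate(text.split("\n"), 1):
        # Unicode "format" characters (zero-width, bidi controls, tags) render as nothing.
        cps = sorted({f"U+{ord(c):04X}" for c in line if unicodedata.category(c) == "Cf"})
        if cps:
            hits.append((no, "invisible-chars", " ".join(cps)))
    for m in HTML_COMMENT.finditer(text):
        # Comments are dropped from rendered Markdown but still reach the assistant.
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, "html-comment", m.group(0)[:60]))
    return sorted(hits)


def scan_repo(root):
    """Map each AI instruction file under root to its hidden-content findings."""
    report = {}
    for path, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != ".git"]  # skip Git internals
        for name in AI_FILES.intersection(files):
            full = os.path.join(path, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                report[os.path.relpath(full, root)] = hidden_content(fh.read())
    return report


# Constructed sample file body, not text recovered from the campaign.
SAMPLE = ("# Project notes\n"
          "Run the test suite before committing.\u200b\n"
          "<!-- constructed hidden note -->\n")
```

A file with no findings still needs a human read: plainly visible instructions that nobody on the team added are out of scope for this check.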

A Note on the Name

Socket clarified that TrapDoor has no connection to a separate campaign of the same name identified by HUMAN’s Satori Threat Intelligence team last week, which involved ad fraud distributed through Android applications. The naming overlap is coincidental, and the operations are unrelated.

Research and Intelligence Sources: Socket, GitHub
