HIGH RISK

TrapDoor Supply-Chain Attack Targets Crypto Developers Across Npm, PyPI, Crates.io

36 malicious packages across npm, PyPI, and Crates.io steal crypto wallet seeds, SSH keys, and AWS credentials from Solana, Sui, and Aptos developers.

Our Analysis

On May 22, 2026, security researchers at Socket identified a coordinated supply-chain campaign dubbed "TrapDoor" that planted 36 malicious packages spanning 384+ versions across three major package registries: npm, PyPI, and Crates.io. The attack specifically targets developers working on Solana, Sui, Aptos, and broader DeFi projects. While financial losses have not yet been quantified, the campaign's blast radius is significant, with malware designed to harvest crypto wallet seed phrases, SSH keys, AWS credentials, GitHub tokens, and browser extension data.

The attack operates through registry-specific mechanisms. On npm, 21 packages — including names like wallet-security-checker, crypto-credential-scanner, and solidity-deploy-guard — deploy a shared 1,149-line payload called trap-core.js via postinstall hooks. All were published by the account "asdxzxc." On PyPI, seven packages auto-execute on import and download remote JavaScript payloads from the attacker-controlled GitHub Pages domain ddjidd564.github.io, published by accounts "asdmini67" and "dae5411." On Crates.io, six packages targeting Sui and Move developers use malicious build.rs scripts that encrypt stolen keystores with the hardcoded XOR key "cargo-build-helper-2026" and exfiltrate data to GitHub Gists.

A novel dimension of this campaign is its weaponization of AI coding assistants. The attackers submitted pull requests to popular open-source projects including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow, injecting .cursorrules and CLAUDE.md files containing hidden instructions encoded with zero-width Unicode characters. These invisible directives trick AI tools like Cursor and Claude into executing what appear to be "security scans" that actually exfiltrate sensitive data from the developer's environment. This represents a significant escalation in software supply-chain attack sophistication.

The campaign's command-and-control infrastructure centers on the GitHub account "ddjidd564" and its associated GitHub Pages domain. The attacker maintained detailed internal documentation — files named AUDIT-MATRIX.md, BYPASS.md, PAYLOAD.md, and SWARM.md — describing extraction frameworks, persistence methods, and scaling tactics. Persistence is achieved through multiple vectors including Git hooks, shell hooks, systemd services, cron jobs, and SSH-based lateral movement. The malware also validates stolen AWS and GitHub tokens before exfiltration, suggesting the attackers are selectively targeting high-value developer credentials.

Developers working in the Solana, Sui, Aptos, and DeFi ecosystems should immediately audit their project dependencies for any of the 34 identified malicious package names. Key npm packages to check for include async-pipeline-builder, chain-key-validator, defi-env-auditor, eth-wallet-sentinel, and wallet-backup-verifier. On PyPI, watch for cryptowallet-safety, defi-risk-scanner, and eth-security-auditor. On Crates.io, the packages move-analyzer-build, sui-framework-helpers, and sui-move-build-helper should be flagged. Socket detected all packages within a median of 5 minutes and 27 seconds post-publication and reported them to the affected registries. Developers should also review any recent pull requests to their repositories for suspicious .cursorrules or CLAUDE.md file additions containing hidden Unicode characters.
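The two audit steps recommended above (checking manifests for the named packages and scanning rule files for invisible characters) can be scripted. The following is an added example written for this article, not Socket's tooling; the package-name list is limited to the names quoted on this page, the sample files are constructed, and the tag-character decoder assumes one common hiding technique since the article does not say which invisible code points the campaign used.

```python
import re
import unicodedata

# Package names quoted on the page (npm, PyPI, Crates.io); not the full list of 36.
TRAPDOOR_NAMES = {
    "npm": {"wallet-security-checker", "crypto-credential-scanner",
            "solidity-deploy-guard", "async-pipeline-builder", "chain-key-validator",
            "defi-env-auditor", "eth-wallet-sentinel", "wallet-backup-verifier"},
    "pypi": {"cryptowallet-safety", "defi-risk-scanner", "eth-security-auditor"},
    "crates": {"move-analyzer-build", "sui-framework-helpers", "sui-move-build-helper"},
}

def find_hidden_chars(text):
    """Return (line, column, code point) for every invisible format character.
    Unicode category Cf covers zero-width spaces/joiners, BOM, soft hyphen and
    the U+E0001..U+E007F tag block. Legitimate emoji ZWJ sequences also match,
    so treat hits in .cursorrules / CLAUDE.md as review items, not verdicts."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                hits.append((ln, col, f"U+{ord(ch):04X}"))
    return hits

def decode_tag_chars(text):
    """Recover ASCII hidden with Unicode tag characters (U+E0020..U+E007E map
    1:1 onto 0x20..0x7E) so a reviewer can read what the file really says.
    Assumption: one common hiding technique; the page does not name the one used."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)

def flagged_dependencies(manifest_text, ecosystem):
    """Return page-listed names that appear as dependency keys in a package.json,
    requirements.txt or Cargo.toml (the name token before '=', ':', '>', '<', '~', '!')."""
    names = re.findall(r'^\s*"?([A-Za-z0-9_.-]+)"?\s*[=:<>~!]', manifest_text, re.M)
    normalised = {n.lower().replace("_", "-") for n in names}  # PyPI name normalisation
    return sorted(normalised & TRAPDOOR_NAMES[ecosystem])

# Constructed samples: a rules file carrying two zero-width spaces, and a package.json
SAMPLE_RULES = "# Project rules\nAlways run lint before commit.\u200b\u200b\n"
SAMPLE_PACKAGE_JSON = ('{\n  "dependencies": {\n    "express": "^4.18.0",\n'
                       '    "wallet-security-checker": "^1.0.2"\n  }\n}\n')

if __name__ == "__main__":
    print(find_hidden_chars(SAMPLE_RULES))
    print(flagged_dependencies(SAMPLE_PACKAGE_JSON, "npm"))
```

Run it over every .cursorrules, CLAUDE.md and manifest in a repository (for example from a CI job) and fail the build on any hit so that a pull request like the ones described cannot land unreviewed.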
RugPull News, May 22, 2026

Rug Pull Score

7.8/10
Based on our analysis

🚩 Red Flags Identified

  1. 36 malicious packages published across npm (21), PyPI (7), and Crates.io (6) targeting crypto developers
  2. 384+ package versions deployed in coordinated waves starting May 22, 2026 at 20:20 UTC
  3. Malware exfiltrates wallet seed phrases for Solana, Sui, and Aptos plus SSH keys, AWS credentials, and GitHub tokens
  4. AI coding assistants weaponized via hidden zero-width Unicode characters in .cursorrules and CLAUDE.md files
  5. Attacker infrastructure at ddjidd564.github.io uses GitHub Pages for C2 payload delivery
  6. Crates.io packages encrypt stolen keystores with hardcoded XOR key cargo-build-helper-2026 and exfiltrate to GitHub Gists
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.