Overview
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. Codenamed TrapDoor, the campaign spans more than 34 malicious packages across over 384 versions, with the earliest recorded activity dating to May 22, 2026.
The campaign is notable for its breadth — targeting three of the most widely-used open-source package registries simultaneously — and its stealth, with the credential-stealing payload executing silently via post-install hooks.
Campaign Details
Scale and Scope
| Metric | Value |
|---|---|
| Malicious packages identified | 34 |
| Poisoned package versions | 384+ |
| Ecosystems targeted | npm, PyPI, Crates.io |
| Earliest observed activity | May 22, 2026 |
| Primary payload | Credential-stealing malware |
| Campaign name | TrapDoor |
The 34 packages span all three ecosystems, with researchers identifying a mix of typosquatting (packages named to resemble legitimate popular libraries) and dependency confusion attacks (packages exploiting how private package names are resolved against public registries).
Targeted Ecosystems
npm (JavaScript/Node.js)
The npm registry saw the highest volume of malicious packages. Many were named to closely mimic widely-used libraries in the React, Express, and testing tooling space. Post-install scripts in package.json triggered the credential-stealing payload on installation.
PyPI (Python) Python packages targeted scientific computing, web framework, and DevOps tooling namespaces. The attackers exploited the common practice of installing packages from PyPI in CI/CD pipelines without version pinning or hash verification.
Crates.io (Rust)
The inclusion of Rust's Crates.io registry marks an expansion of supply chain attack campaigns into the Rust ecosystem, which has historically seen lower attack frequency than npm and PyPI. Build script (build.rs) hooks were used to execute the malicious payload.
Technical Analysis
Delivery Mechanism
The TrapDoor campaign uses post-install hooks as its primary execution vector:
npm → scripts.postinstall in package.json
PyPI → setup.py cmdclass / post-install hooks
Cargo → build.rs build scripts
These hooks execute automatically when a package is installed, requiring no user interaction beyond the npm install, pip install, or cargo add command.
Payload Behavior
Upon execution, the credential-stealing payload performs the following actions:
- Environment enumeration — collects OS, username, hostname, and installed tool information
- Credential harvesting — scans for:
- Git credentials and SSH keys
- Cloud provider configuration files (AWS
~/.aws/credentials, GCP, Azure) - CI/CD environment variables (
$GITHUB_TOKEN,$NPM_TOKEN, etc.) .envfiles and dotfiles containing API keys- Browser-stored passwords and cookies (on developer workstations)
- Exfiltration — sends harvested data to attacker-controlled infrastructure via HTTPS
- Persistence — in some variants, installs additional payloads for longer-term access
Evasion Techniques
- Legitimate package functionality preserved to avoid detection
- Payload encoded and decrypted at runtime
- Exfiltration traffic mimics normal HTTPS requests
- No obvious indicators in package
READMEor documentation
What Developers Should Do Now
Immediate Actions
- Audit recently installed packages — check installation logs for packages installed since May 22, 2026 from npm, PyPI, or Crates.io
- Rotate all secrets — if any of the malicious packages were installed in your environment, immediately rotate:
- Git tokens and SSH keys
- Cloud provider credentials
- CI/CD pipeline secrets
- API keys found in
.envfiles
- Check for the 34 known packages — the full list of malicious packages is available from the researchers' advisory (link to be published by threat intel teams)
- Enable supply chain scanning — tools like Socket.dev, Snyk, or GitHub's dependency review action can catch similar packages
Protective Measures
- Pin package versions and use lockfiles (
package-lock.json,Pipfile.lock,Cargo.lock) - Verify package hashes before installing in production pipelines
- Use allowlists for approved packages in sensitive CI/CD environments
- Monitor for unexpected outbound connections from build systems
- Apply least-privilege principles to CI/CD pipeline credentials — tokens should have only the access they need
Broader Context: 2026 Supply Chain Attack Surge
The TrapDoor campaign is the latest in a 2026 surge of software supply chain attacks:
| Campaign | Ecosystems | Notable Impact |
|---|---|---|
| TanStack npm attack | npm | GitHub, Grafana, OpenAI impacted |
| Mini Shai Hulud | npm, PyPI | TanStack, Mistral AI, Guardrails AI |
| Megalodon | GitHub Actions | 5,561 repos targeted |
| Laravel lang hijack | Packagist (PHP) | 8 packages, cross-platform stealer |
| TrapDoor | npm, PyPI, Crates.io | 34 packages, 384+ versions |
The pattern is consistent: threat actors compromise or publish malicious packages in widely-used registries, harvest developer credentials, and use those credentials to pivot further into organizational infrastructure or enable additional supply chain compromises.
npm Registry Response
npm has announced enhanced security measures in response to the ongoing wave of supply chain attacks, including:
- 2FA-gated publishing for package owners with high download counts
- Package install controls allowing organizations to allowlist approved packages
- Enhanced automated scanning for suspicious post-install scripts
These measures will help reduce the attack surface for future TrapDoor-style campaigns, but organizations should not wait for registry-side controls — developer workstation and CI/CD pipeline hygiene remains critical.
Sources
- The Hacker News — TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO