TrapDoor: 34 Malicious Packages Are Stealing Wallet Keys and Cloud Credentials Across npm, PyPI, and Crates.io
On May 22, 2026 at 20:20 UTC, an attacker uploaded a PyPI package called eth-security-auditor@0.1.0. By the time researchers at Socket disclosed the campaign, it had grown into 34 malicious packages and more than 384 published versions spread across npm, PyPI, and Crates.io. Socket named it TrapDoor, and it was still active at the time of reporting (Socket, The Hacker News).
The packages masquerade as exactly what a security-minded developer would reach for: crypto auditors, DeFi risk scanners, wallet safety checkers, environment loaders, and build helpers. The lure is the disguise. Names like eth-security-auditor, defi-risk-scanner, cryptowallet-safety, web3-secrets-detector, and wallet-backup-verifier are designed to look like the tools you install to protect yourself.
What Happened in the Wild
TrapDoor is spread across 21 packages on npm, 7 on PyPI, and 6 on Crates.io, and it adapts its execution trigger to each ecosystem. On npm the payload fires from a postinstall hook. On PyPI it executes at import time. On Crates.io it runs through build.rs during compilation. Three ecosystems, three native execution paths, one objective.
That objective is theft. The payload harvests cryptocurrency wallet keys, SSH keys, cloud credentials including AWS keys and GitHub tokens, browser-stored secrets, and any .env files it can reach, then exfiltrates them to attacker-controlled infrastructure (Socket, Cyber Security News). The campaign targets developers working in cryptocurrency, DeFi, Solana, Sui and Move, and AI tooling (The Block).
The detail that should make every defender sit up is the novel technique. TrapDoor poisons .cursorrules and CLAUDE.md files with Unicode-obfuscated hidden instructions. Those files are read by AI coding assistants as trusted project context. The buried instructions try to convince the assistant to perform credential discovery and exfiltration while presenting it to the developer as a routine security scan. The attacker is not just compromising the build. The attacker is trying to weaponize the developer's own AI tooling against them.
The Detection and Response Gap
This campaign exposes a blind spot that most blue teams have never instrumented. Package installation runs inside CI/CD and on developer laptops, two places where endpoint telemetry is often thin and where outbound network calls during a build look completely normal. A postinstall hook reaching out to the internet is indistinguishable from a thousand legitimate build steps unless you are watching for it.
Three gaps stand out:
- Install-time execution is invisible. Most teams scan dependencies for known CVEs but never monitor what a package actually does when it installs or imports. A clean CVE record means nothing when the package is malicious by design.
- CI/CD is a credential goldmine with weak monitoring. Build agents hold cloud keys, signing material, and secrets manager access. Exfiltration from a runner rarely triggers the alerts that the same activity would on a production host.
- AI assistant context is an untrusted input nobody validates. Almost no organization scans .cursorrules or CLAUDE.md for hidden Unicode or injected instructions. These files are treated as benign configuration when they are now an attack vector.
How to Operationalize a Response
Treat this as an active incident if your developers touch any of the affected ecosystems. The remediation is concrete:
- Inventory and purge. Audit every package.json, requirements.txt, and Cargo.toml for the named packages and remove them immediately. The full list, including deployment-key-auditor, mnemonic-safety-check, solidity-deploy-guard, move-project-builder, and sui-sdk-build-utils, is published by Socket.
- Inspect AI context files. Scan .cursorrules and CLAUDE.md across your repositories for zero-width Unicode characters and unexpected content.
- Rotate everything exposed. If any affected package was installed, rotate AWS and GCP credentials, GitHub tokens, SSH keys, and cryptocurrency wallet keys. Assume compromise rather than hoping for the best.
- Hunt the exfiltration window. Audit CI/CD logs from May 22, 2026 onward for anomalous outbound connections during install and build steps.
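The first two steps above, together with the hidden-Unicode poisoning of .cursorrules and CLAUDE.md described earlier, can be run as one repository sweep. The following is an added example, not code from Socket or from this article: the function names are hypothetical, `NAMED` holds only the package names quoted on this page, and the character check goes beyond zero-width characters to every Unicode format (Cf) character, which also covers bidi controls and tag characters.

```python
import json, re, unicodedata
from pathlib import Path

# Package names quoted in this article only; Socket's advisory has the full list.
NAMED = {"eth-security-auditor", "defi-risk-scanner", "cryptowallet-safety",
         "web3-secrets-detector", "wallet-backup-verifier", "deployment-key-auditor",
         "mnemonic-safety-check", "solidity-deploy-guard", "move-project-builder",
         "sui-sdk-build-utils"}
MANIFESTS = {"package.json", "requirements.txt", "Cargo.toml"}
CONTEXT_FILES = {".cursorrules", "CLAUDE.md"}

def normalize(name):
    """PEP 503 style: ignore case, treat runs of - _ . as one hyphen (over-matches on npm)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def manifest_hits(filename, text):
    """Return the NAMED packages a manifest declares, or a marker if it cannot be parsed."""
    if filename == "package.json":
        try:
            groups = json.loads(text).items()
        except (ValueError, AttributeError):  # malformed JSON, or top level is not an object
            return ["<unparseable package.json>"]
        raw = [n for key, deps in groups
               if key.lower().endswith("dependencies") and isinstance(deps, dict) for n in deps]
    else:  # requirements.txt / Cargo.toml: the name is the first token on a line
        raw = re.findall(r"^[ \t]*\[?(?:[\w-]*dependencies\.)?([A-Za-z0-9][\w.-]*)", text, re.M)
    return sorted(NAMED & {normalize(n) for n in raw})

def hidden_chars(text):
    """Return (line, column, codepoint, name) for each Unicode Cf (invisible format) character."""
    return [(ln, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            for ln, line in enumerate(text.split("\n"), 1)
            for col, ch in enumerate(line, 1) if unicodedata.category(ch) == "Cf"]

def sweep(root):
    """Walk a checkout; return {relative path: findings} for files that need review."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.name not in MANIFESTS | CONTEXT_FILES or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        found = manifest_hits(path.name, text) if path.name in MANIFESTS else hidden_chars(text)
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

if __name__ == "__main__":
    for name, found in sweep(".").items():
        print(name, found)
```

Soft hyphens and emoji joiner sequences are also category Cf, so a hit in a context file is a prompt to read the file in a hex-aware viewer rather than proof of poisoning. Lockfiles are not parsed here, so a named package pulled in transitively needs a separate check.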
Mapped to MITRE ATT&CK, this behavior is well understood once you know where to look. The initial vector is Supply Chain Compromise (T1195.001), compromise of software dependencies and development tools. Execution rides on Command and Scripting Interpreter (T1059) through postinstall, import, and build.rs triggers. The objective is Credentials from Password Stores (T1555), Unsecured Credentials (T1552) targeting .env files and cloud keys, and Exfiltration Over Web Service (T1567). The AI context poisoning is best understood as Prompt Injection driving the assistant toward Automated Collection (T1119). Knowing the techniques lets you write detections instead of chasing indicators that rotate by the hour.
How BlueTeamAutomation Closes the Loop
Indicator lists go stale the moment a campaign mutates, and TrapDoor was still publishing new versions when it was disclosed. The durable defense is validating that your controls actually catch this class of behavior, then automating the response. That is the full blue-team workflow BlueTeamAutomation runs end to end.
- Continuous BAS validation. BASzy emulates supply-chain execution behavior (install-time code that runs and reaches out to exfiltrate credentials), so you can prove whether your EDR and network controls fire before a real package does it for you.
- EDR on build agents and laptops. Endpoint detection extends to the exact hosts TrapDoor targets, flagging a postinstall hook or build script that spawns a network connection to unknown infrastructure.
- SIEM correlation. Install-time process activity, outbound connections from CI runners, and credential access events are correlated into a single signal instead of scattered noise nobody reads.
- SOAR-driven response. When the pattern matches, automated playbooks isolate the runner, revoke and rotate exposed tokens, and open the incident without waiting for a human to notice at 3am.
- Compliance evidence. Every detection, validation run, and response action is captured as audit-ready evidence, so your supply-chain controls are demonstrable rather than aspirational.
TrapDoor is a reminder that the tools labeled security are now a delivery vehicle for the opposite. The packages with the most reassuring names were the payload. Blue teams that wait for a CVE will miss this entirely. The ones that validate their detections against real supply-chain behavior and automate the response are the ones who close the window before credentials walk out the door.