TechFlow News: On May 25, Socket Security researchers discovered a cryptocurrency-stealing supply-chain attack dubbed “TrapDoor,” spanning npm, PyPI, and Crates.io. The campaign involved over 34 malicious packages and 384 associated versions and artifacts, targeting cryptocurrency, DeFi, Solana, Sui, Move, and AI developers.
The malicious packages steal SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. The execution hook differs by ecosystem: the npm packages run a shared payload, trap-core.js, from the postinstall lifecycle script, so the code executes during installation without the package ever being imported; the PyPI packages fetch and execute remote JavaScript when the module is imported; and the Crates.io packages read local keystores from build.rs, the build script that Cargo compiles and runs before the crate itself. Socket has flagged all related packages as malicious and reported them to the respective registries.
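Two of the three hooks the campaign used (npm lifecycle scripts and Cargo build scripts) are visible in a checked-out dependency tree before anything runs. The following audit script is an added example, not Socket's tooling or anything from the TrapDoor packages: it walks a directory, reports every package.json that declares an install-time script and every crate directory that ships a build.rs, and builds a small constructed sample tree so it runs offline. The package and crate names in the sample are invented; the only identifier taken from the report is the trap-core.js payload name. A hit is a triage item, not proof of malice, since many legitimate packages use both hooks.

```python
"""Audit a dependency tree for install-time execution hooks (added example)."""
import json
import os
import tempfile
from pathlib import Path

# npm runs these scripts during `npm install`; postinstall is the one TrapDoor used.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def npm_install_scripts(package_json_text: str) -> dict:
    """Return the install-time lifecycle scripts declared in a package.json body."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}  # unparseable manifest: nothing npm would execute from it
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}


def audit_tree(root: str) -> list:
    """Walk `root` and return sorted (kind, path, detail) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            manifest_path = Path(dirpath) / "package.json"
            text = manifest_path.read_text(encoding="utf-8", errors="replace")
            for hook, cmd in npm_install_scripts(text).items():
                findings.append(("npm-hook", str(manifest_path), f"{hook}: {cmd}"))
        # A build.rs next to Cargo.toml is compiled and run by cargo before the crate.
        if "Cargo.toml" in filenames and "build.rs" in filenames:
            findings.append(("cargo-build-script", str(Path(dirpath) / "build.rs"),
                             "build script runs at compile time"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample tree (invented package names) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="hook-audit-")
    samples = {
        # benign: only a test script, nothing runs at install time
        "node_modules/plain-pkg/package.json": json.dumps(
            {"name": "plain-pkg", "scripts": {"test": "jest"}}),
        # suspect: runs a shared payload from the postinstall hook
        "node_modules/suspect-pkg/package.json": json.dumps(
            {"name": "suspect-pkg", "scripts": {"postinstall": "node trap-core.js"}}),
        "vendor/plain-crate/Cargo.toml": '[package]\nname = "plain-crate"\n',
        "vendor/suspect-crate/Cargo.toml": '[package]\nname = "suspect-crate"\n',
        "vendor/suspect-crate/build.rs": "fn main() { /* reads ~/.config keystores */ }\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for kind, path, detail in audit_tree(build_sample_tree()):
        print(f"{kind:20} {path}  ({detail})")
```

For npm the hook can be disabled outright with the ignore-scripts setting (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), at the cost of breaking packages that legitimately need it; Cargo has no equivalent switch, so vendored crates with a build.rs have to be reviewed, and the PyPI import-time hook is only visible by reading the module source before importing it.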