TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io
Blog post from Socket
Socket researchers have uncovered an active supply chain attack named TrapDoor, targeting the npm, PyPI, and Crates.io ecosystems with over 34 malicious packages and 384 associated versions. The campaign is designed to steal developer secrets, crypto wallets, SSH keys, cloud credentials, and other sensitive data by masquerading as generic developer tools. It uses ecosystem-specific execution paths, such as postinstall hooks in npm, import-time execution in PyPI, and build.rs scripts in Crates.io, to gain code execution inside developer environments. The attack is particularly aimed at communities involved in crypto, DeFi, Solana, and AI, using a shared payload, trap-core.js, to scan for and validate credentials and plant persistence mechanisms. The campaign exhibits coordinated infrastructure, with ties across all three ecosystems, and is linked to the GitHub account ddjidd564, which hosts attacker-authored material and opens pull requests to inject malicious AI-targeted instructions into open-source projects. The campaign illustrates how supply chain threats now leverage the entire developer workflow; Socket detected it through cross-registry analysis.
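Two of the execution paths named above (npm install-time lifecycle scripts and Cargo build.rs) can be audited mechanically before a dependency is allowed to run. The following is an added example, not code from Socket or from the blog post: it reports every installed npm dependency with an auto-running install hook and checks whether a crate directory carries a build script. The sample manifest is constructed for illustration; the path names and function names are assumptions.

```python
import json
from pathlib import Path

# npm runs these lifecycle scripts automatically when a dependency is installed,
# which is the hook an npm package uses to execute code at install time.
AUTO_RUN_SCRIPTS = ("preinstall", "install", "postinstall")

# Constructed sample manifest of a "generic developer tool" with an install hook.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-dev-tool",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

def npm_install_hooks(package_json_text: str) -> dict:
    """Return the lifecycle scripts in a package.json that run at install time."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in AUTO_RUN_SCRIPTS}

def audit_node_modules(root: str) -> dict:
    """Map dependency name -> install hooks for every package under node_modules."""
    findings = {}
    for pkg_json in Path(root).glob("**/package.json"):
        try:
            hooks = npm_install_hooks(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        if hooks:
            findings[pkg_json.parent.name] = hooks
    return findings

def cargo_has_build_script(crate_dir: str) -> bool:
    """True if a crate contains build.rs, i.e. Rust code that Cargo runs at build time."""
    return (Path(crate_dir) / "build.rs").is_file()

if __name__ == "__main__":
    print("sample manifest hooks:", npm_install_hooks(SAMPLE_MANIFEST))
    print("node_modules findings:", audit_node_modules("node_modules"))
    print("vendored crate has build.rs:", cargo_has_build_script("vendor/example-crate"))
```

Review each reported hook and build script by hand; a hook is not proof of malice, but it is the point at which a dependency first gets to run code on the developer's machine.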