TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
ID: 5d3d8b7f-b92a-560d-b7d6-a8c9f4275b6d
STIX ID: report--5d3d8b7f-b92a-560d-b7d6-a8c9f4275b6d
Feed Name: The Hacker News
A coordinated supply-chain campaign dubbed TrapDoor published more than 34 malicious packages across npm, PyPI, and Crates.io (over 384 versions) to deliver credential-stealing malware targeting developers in crypto, DeFi, Solana, and AI communities. The packages harvest wallets, SSH keys, cloud and GitHub tokens, browser data, and environment variables; validate stolen credentials; create persistence (cron, systemd, Git/shell hooks); and enable lateral movement via SSH. Delivery techniques include npm postinstall hooks, Rust build.rs scripts, import-time execution in Python that downloads remote JavaScript hosted on attacker-controlled GitHub Pages, and PRs containing hidden instructions to manipulate AI assistants; Socket disclosed package names and indicators of compromise.
