Skip to main content
Sign in

TrapDoor Supply Chain Attack

avoid.net/trapdoor-supply-chain-attack2/100·92% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·3DCAku…9Pop

Summary

TrapDoor is a coordinated cross-ecosystem software supply chain attack first observed on May 22, 2026, distributing credential-stealing malware across npm, PyPI, and Crates.io via 34+ malicious packages spanning 384+ versions. The campaign targets crypto, DeFi, Solana, Sui, Aptos, and AI developers by harvesting wallet keystores, SSH keys, cloud credentials, and browser session data, and is notable for a novel technique that poisons AI coding assistant configuration files to silently exfiltrate secrets. Security firm Socket and blockchain security firm SlowMist both described TrapDoor as one of the most significant supply chain attacks of 2026.

Have evidence about TrapDoor Supply Chain Attack?
1
Accepted
1
Under review
0
Rejected / revoked

Community submissions

Timeline(6 events)

2026-05-22

Earliest confirmed malicious artifact, eth-security-auditor 0.1.0, uploaded to PyPI at 20:20:18 UTC. Additional packages published in waves across npm, PyPI, and Crates.io.

Socket threat intelligence report

2026-05-22

Socket's automated detection systems begin flagging TrapDoor packages, with an average detection latency of 5 minutes 56 seconds and a fastest detection of 58 seconds post-publication.

Socket threat intelligence report

2026-05-25

The Hacker News publishes initial public coverage of the TrapDoor supply chain campaign, citing Socket's research.

The Hacker News

2026-05-28

SlowMist characterizes TrapDoor as 'one of the largest cross-platform supply chain attacks seen in 2026', citing coordinated infrastructure across npm, PyPI, and Crates.io.

CryptoTimes reporting on SlowMist findings

2026-05-29

CoinDesk reports on the campaign's specific targeting of Solana, Sui, and Aptos wallet keystores, highlighting the risk to DeFi developers.

CoinDesk

2026-05-29

Socket formally reports all 34+ identified malicious packages to npm, PyPI, and Crates.io registries for removal.

Socket threat intelligence report
Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 5/26/2026, 6:30:15 PM

last updated: 6/18/2026, 5:07:01 PM

avoid.net — verified advice for a post-truth world