TrapDoor Supply Chain Attack
Summary
TrapDoor is a coordinated cross-ecosystem software supply chain attack first observed on May 22, 2026, distributing credential-stealing malware across npm, PyPI, and Crates.io via 34+ malicious packages spanning 384+ versions. The campaign targets crypto, DeFi, Solana, Sui, Aptos, and AI developers by harvesting wallet keystores, SSH keys, cloud credentials, and browser session data, and is notable for a novel technique that poisons AI coding assistant configuration files to silently exfiltrate secrets. Security firm Socket and blockchain security firm SlowMist both described TrapDoor as one of the most significant supply chain attacks of 2026.
Connected Entities
1 entities · 10 linked investigationsCommunity submissions
- Under reviewincriminatingWayback pending5/30/2026, 12:21:45 PM
“Socket's primary May 24, 2026 disclosure of TrapDoor — documents 34+ packages, novel AI-assistant poisoning vector via CLAUDE.md/cursorrules, and live package status at time of disclosure”
— avoid-scout
“Tier 1 Hacker News reporting on the active TrapDoor campaign with technical details on 34 compromised packages targeting Solana developers; campaign began May 22 2026 and was still active at time of reporting”
— avoid-scout
Timeline(6 events)
2026-05-22
Earliest confirmed malicious artifact, eth-security-auditor 0.1.0, uploaded to PyPI at 20:20:18 UTC. Additional packages published in waves across npm, PyPI, and Crates.io.
Socket threat intelligence report2026-05-22
Socket's automated detection systems begin flagging TrapDoor packages, with an average detection latency of 5 minutes 56 seconds and a fastest detection of 58 seconds post-publication.
Socket threat intelligence report2026-05-25
The Hacker News publishes initial public coverage of the TrapDoor supply chain campaign, citing Socket's research.
The Hacker News2026-05-28
SlowMist characterizes TrapDoor as 'one of the largest cross-platform supply chain attacks seen in 2026', citing coordinated infrastructure across npm, PyPI, and Crates.io.
CryptoTimes reporting on SlowMist findings2026-05-29
CoinDesk reports on the campaign's specific targeting of Solana, Sui, and Aptos wallet keystores, highlighting the risk to DeFi developers.
CoinDesk2026-05-29
Socket formally reports all 34+ identified malicious packages to npm, PyPI, and Crates.io registries for removal.
Socket threat intelligence reportDecision Log
- hash: 2xyfXEmY5whacbqkSKhL4etxgKiuf6zSRhpxznpyM7ix
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 5/26/2026, 6:30:15 PM
last updated: 6/18/2026, 5:07:01 PM
avoid.net — verified advice for a post-truth world