Find notable cyber news and cases, enriched with sources, timelines, and signals.

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The TrapDoor supply-chain campaign has expanded across npm, PyPI, and Crates.io, using 34+ malicious packages to steal developer secrets and credentials. The operation matters because it targets developers in crypto, DeFi, Solana, and AI communities and can expose wallets, SSH keys, and cloud access. Some packages also set up persistence and SSH-based lateral movement, increasing the chance of follow-on compromise.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Timeline

  1. 25.05.2026 08:59 2 articles · 1mo ago

    TrapDoor cross-ecosystem supply-chain campaign

    Initial Disclosure

    The earliest known wave began on **May 22, 2026** when a cluster of accounts published malicious packages in quick succession across **npm, PyPI, and Crates.io**. The first stage relied on typosquatted developer tooling to gain execution during package installation or import.

    Show sources