Find notable cyber news and cases, enriched with sources, timelines, and signals.

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The TrapDoor package malware is spreading across npm, PyPI, and Crates.io, putting developer secrets, cloud credentials, SSH keys, and crypto wallets at risk. The malware runs through postinstall hooks, import-time execution, and build.rs scripts, making compromise likely during normal development workflows. Some packages also establish persistence and attempt SSH-based lateral movement after execution.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

Timeline

  1. 25.05.2026 08:59 1 articles · 1mo ago

    TrapDoor package publication wave

    Campaign Scope Update

    Malicious TrapDoor packages were published in waves to npm, PyPI, and Crates.io starting on May 22, 2026 at 8:20 p.m. UTC, with more than 34 packages across over 384 versions targeting developers in crypto, DeFi, Solana, and AI communities and delivering credential-stealing malware.

    Show sources
  2. 25.05.2026 08:59 2 articles · 1mo ago

    TrapDoor payload analysis

    Technical Analysis Update

    TrapDoor packages used postinstall hooks in npm, import-time execution in Python, and build.rs scripts in Rust to run trap-core.js or remote JavaScript from ddjidd564.github[.]io with node -e, scan for credentials and developer secrets, validate AWS and GitHub tokens, exfiltrate local keystores to GitHub Gists, plant persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH, and seed hidden instructions through GitHub pull requests on AI and developer projects.

    Show sources