TrapDoor trap-core.js credential-stealing package malware

Malware Activity
Happening score: 34
1 unique source, 1 article

Summary

The TrapDoor package malware is spreading across npm, PyPI, and Crates.io, putting developer secrets, cloud credentials, SSH keys, and crypto wallets at risk. The malware runs through postinstall hooks, import-time execution, and build.rs scripts, making compromise likely during normal development workflows. Some packages also establish persistence and attempt SSH-based lateral movement after execution.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

How related: A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware.

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Packagist package.json hook supply chain attack campaign

Campaign
First: 23.05.2026 19:07 Last: 23.05.2026 19:07 Sources 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Timeline

  1. 25.05.2026 08:59 1 article · 2d ago

    TrapDoor package publication wave

    Campaign Scope Update

    Malicious TrapDoor packages were published in waves to npm, PyPI, and Crates.io starting on May 22, 2026 at 8:20 p.m. UTC, with more than 34 packages across over 384 versions targeting developers in crypto, DeFi, Solana, and AI communities and delivering credential-stealing malware.

  2. 25.05.2026 08:59 2 articles · 2d ago

    TrapDoor payload analysis

    Technical Analysis Update

    TrapDoor packages used postinstall hooks in npm, import-time execution in Python, and build.rs scripts in Rust to run trap-core.js or remote JavaScript from ddjidd564.github[.]io with node -e. The payload scans for credentials and developer secrets, validates AWS and GitHub tokens, and exfiltrates local keystores to GitHub Gists. It plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH, and seeds hidden instructions through GitHub pull requests on AI and developer projects.
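
A defender-side check for the npm execution path described above, as an added example that is not part of the original report or of any vendor tooling. It goes beyond postinstall to the other install-time lifecycle scripts (preinstall, install); the function names and the sample manifests are constructed for illustration, and the indicators are the ones named in this timeline entry.

```javascript
// Added example (not from the original report): flag npm install-time hooks
// that match the TrapDoor execution pattern. Names and samples are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators taken from the report text; the host is listed there defanged.
const INDICATORS = [
  { id: 'inline-node-eval', re: /\bnode\s+(?:--eval|-e)\b/i },
  { id: 'trap-core-payload', re: /trap-core\.js/i },
  { id: 'remote-js-host', re: /ddjidd564\.github\.io/i },
];

// Returns a verdict for one package.json: "block" when an install hook matches
// an indicator, "review" when a hook exists without a match, "ok" otherwise.
function auditManifest(manifestText) {
  let pkg;
  try {
    pkg = JSON.parse(manifestText);
  } catch (err) {
    return { name: null, verdict: 'unparseable', findings: [] };
  }
  if (pkg === null || typeof pkg !== 'object') {
    return { name: null, verdict: 'unparseable', findings: [] };
  }
  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.id);
    findings.push({ hook, cmd, hits });
  }
  let verdict = 'ok';
  if (findings.length > 0) verdict = 'review';
  if (findings.some((f) => f.hits.length > 0)) verdict = 'block';
  return { name: pkg.name || null, verdict, findings };
}

// Constructed sample manifests (not real packages from the campaign).
const SAMPLES = [
  JSON.stringify({ name: 'constructed-clean', scripts: { test: 'node test.js' } }),
  JSON.stringify({ name: 'constructed-native', scripts: { install: 'node-gyp rebuild' } }),
  JSON.stringify({ name: 'constructed-trap', scripts: { postinstall: 'node trap-core.js' } }),
  JSON.stringify({ name: 'constructed-remote', scripts: { postinstall: 'node -e "/* loader elided */"' } }),
  '{ not json',
];

function auditAll(samples) {
  return samples.map(auditManifest).map((r) => `${r.name}:${r.verdict}`);
}
console.log(auditAll(SAMPLES));
```

A "review" verdict is expected for legitimate native add-ons that compile on install; installing with npm's `--ignore-scripts` option keeps any of these hooks from running while the manifest is inspected.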
