TrapDoor trap-core.js credential-stealing package malware
Malware Activity
Summary
Hide ▲
Show ▼
The TrapDoor package malware is spreading across npm, PyPI, and Crates.io, putting developer secrets, cloud credentials, SSH keys, and crypto wallets at risk. The malware runs through postinstall hooks, import-time execution, and build.rs scripts, making compromise likely during normal development workflows. Some packages also establish persistence and attempt SSH-based lateral movement after execution.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Timeline
-
25.05.2026 08:59 1 articles · 1mo ago
TrapDoor package publication wave
Campaign Scope UpdateMalicious TrapDoor packages were published in waves to npm, PyPI, and Crates.io starting on May 22, 2026 at 8:20 p.m. UTC, with more than 34 packages across over 384 versions targeting developers in crypto, DeFi, Solana, and AI communities and delivering credential-stealing malware.
Show sources
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — thehackernews.com — 25.05.2026 08:59
-
25.05.2026 08:59 2 articles · 1mo ago
TrapDoor payload analysis
Technical Analysis UpdateTrapDoor packages used postinstall hooks in npm, import-time execution in Python, and build.rs scripts in Rust to run trap-core.js or remote JavaScript from ddjidd564.github[.]io with node -e, scan for credentials and developer secrets, validate AWS and GitHub tokens, exfiltrate local keystores to GitHub Gists, plant persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH, and seed hidden instructions through GitHub pull requests on AI and developer projects.
Show sources
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — thehackernews.com — 25.05.2026 08:59
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO — thehackernews.com — 25.05.2026 08:59