TrapDoor Supply Chain Attack Distributes Credential‑Stealing Malware Across npm, PyPI, and Crates.io
What Happened — A coordinated supply‑chain campaign codenamed TrapDoor published 34 malicious packages (over 384 versions) to the npm, PyPI, and Crates.io ecosystems. The packages contain credential‑stealing payloads that execute on install, harvesting API keys, tokens, and other secrets from developer environments. Activity began on 22 May 2026 and has been released in timed waves.
Why It Matters for TPRM —
- Third‑party code libraries are a common vector for credential compromise, exposing downstream customers to data theft.
- Compromise of build pipelines can cascade into multiple SaaS and on‑prem applications, inflating risk across the supply chain.
- Continuous monitoring of open‑source dependencies is now a mandatory control for any organization that builds software.
Who Is Affected — Technology & SaaS vendors, cloud‑native developers, DevOps teams, and any organization that consumes open‑source packages from npm, PyPI, or Crates.io.
Recommended Actions —
- Conduct an immediate inventory of all dependencies sourced from the three registries.
- Block or quarantine any of the identified malicious package versions.
- Rotate all credentials that may have been exposed and enforce secret‑scanning in CI pipelines.
- Strengthen SBOM (Software Bill of Materials) processes and adopt automated dependency monitoring tools.
Technical Notes — Attack vector: compromised third‑party dependencies (malicious packages). No specific CVE; the payload uses native OS commands to locate and exfiltrate credential files, then contacts a C2 server over HTTPS. Data types stolen include API keys, cloud access tokens, and SSH private keys. Source: https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html