TrapDoor / AuditorTrap crypto-stealer campaign across npm, PyPI and crates.io
Starting 2026-05-22 the TrapDoor / AuditorTrap campaign pushed 34+ malicious packages (384+ versions) across npm, PyPI and crates.io posing as crypto/DeFi/AI dev tools and fake "security guild" branding. Payloads steal SSH keys, cloud credentials and Solana/Sui/Aptos wallets, and hide zero-width-Unicode prompt injection in CLAUDE.md/.cursorrules to trick Claude Code and Cursor into running the stealer.
- Detected by
- Socket · Xygeni
- Also known as
- TrapDoor · AuditorTrap · Crypto Security Guild · Web3 Audit Collective · DeFi Security Alliance
- Ecosystems
- crates.ionpmPyPI
- Packages tracked
- 34
What happened
On 2026-05-22 at 20:20:18 UTC, Socket observed the first TrapDoor package — eth-security-auditor@0.1.0 on PyPI — and the campaign expanded in waves across npm, PyPI and crates.io through the weekend. By 2026-05-25 it spanned 34+ packages and 384+ versions/artifacts, with some already pulled and others still live. Socket flagged releases in a median of roughly 5–6 minutes (fastest 58 seconds), classifying most as malicious before meaningful adoption.
Xygeni independently tracked an overlapping cluster as AuditorTrap: a 22-package fake "Web3 security guild" catalogue published by ddjidd5640 (a sibling of the ddjidd564 GitHub account Socket tied to the npm/PyPI/crates payloads), branded as the fabricated Crypto Security Guild, Web3 Audit Collective, and DeFi Security Alliance — none of which exist as real organisations; their GitHub orgs are empty shells that exist only to populate the npm "author" hyperlink. Xygeni split the catalogue into two active payload families — Variant A (8 credential-harvesting packages with a postinstall hook plus an MCP-tool scanner.js that runs when an AI agent invokes the package) and Variant B (5 Pinggy-based binary droppers) — plus one dormant tranche.
Rather than typosquatting existing libraries, TrapDoor invents plausible-sounding tools aimed at crypto, DeFi, Solana, AI and security developers. Verified npm releases include prompt-engineering-toolkit, token-usage-tracker, solidity-deploy-guard, defi-threat-scanner, eth-wallet-sentinel, wallet-security-checker, web3-secrets-detector, wallet-backup-verifier, crypto-credential-scanner, defi-env-auditor, chain-key-validator, mnemonic-safety-check, deployment-key-auditor, llm-context-compressor, model-switch-router, async-pipeline-builder, build-scripts-utils, dev-env-bootstrapper, node-setup-helpers, project-init-tools, and workspace-config-loader. PyPI mirrors the theme with eth-security-auditor, defi-risk-scanner, cryptowallet-safety, data-pipeline-check, env-loader-cli, git-config-sync, and solidity-build-guard. Crates.io hosts six Sui/Move-flavoured names (move-project-builder, sui-sdk-build-utils, sui-framework-helpers, sui-move-build-helper, move-analyzer-build, move-compiler-tools) — names that read exactly like the dev helpers, model-routing utilities, Solidity tooling and Sui/Move build helpers their targets routinely install.
Execution is ecosystem-specific. npm packages run a postinstall hook that loads trap-core.js, a ~1,149-line credential harvester and propagation tool; Rust crates abuse build.rs to locate local keystores, XOR-encrypt them with the hard-coded key cargo-build-helper-2026, and exfiltrate to GitHub Gists; PyPI packages execute at import time. Stolen data includes SSH keys, Solana/Sui/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto-wallet extension data, environment variables, API keys and local dev configuration files.
TrapDoor's standout technique poisons AI coding assistants. The attacker plants hidden instructions — concealed with zero-width Unicode characters — inside CLAUDE.md and .cursorrules files, tricking tools like Claude Code and Cursor into running a bogus "security scan" that silently executes the stealer. The campaign is anchored to the GitHub accounts ddjidd564 / ddjidd5640 (payloads served from ddjidd564.github.io/defi-security-best-practices/) and tagged with the internal marker P-2024-001.
- npm versions encoded below were re-verified against the npm registry API on 2026-05-26; every entry is now in a
0.0.1-securityholding state, confirming npm pulled the malicious releases. - PyPI projects in the packages map are confirmed in PyPI admin "quarantined" status (cannot be installed, cannot be modified by maintainer) per PyPI project pages fetched 2026-05-26.
- The six crates.io names are encoded with
affectedVersions: [](match by name only) because Socket's appendix is still rate-limited and crates.io returns 404 for the names — consistent with a yank. - Socket's underlying article (
socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates) and Xygeni's AuditorTrap write-up remain bot-blocked (HTTP 403) at ingest time; verification was driven via npm/PyPI registry APIs, GitHub Security Advisories search, The Hacker News, gbhackers, and Cyber Kendra coverage.
Affected packages (34)
- npm
async-pipeline-builder1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
build-scripts-utils1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
chain-key-validator0.2.10.2.20.2.30.2.41.2.01.2.11.2.21.2.31.3.01.3.11.3.21.3.31.3.41.3.51.3.61.3.71.3.81.3.94.0.0 - npm
crypto-credential-scanner2.0.02.0.12.0.22.0.33.0.03.0.13.0.23.0.33.1.03.1.13.1.23.1.33.1.43.1.53.1.63.1.73.1.83.1.94.0.0 - PyPI
cryptowallet-safety - PyPI
data-pipeline-check0.1.1 - npm
defi-env-auditor0.3.00.3.10.3.20.3.31.3.01.3.11.3.21.3.31.4.01.4.11.4.21.4.31.4.41.4.51.4.61.4.71.4.81.4.94.0.0 - PyPI
defi-risk-scanner0.1.0 - npm
defi-threat-scanner2.1.02.1.12.1.22.1.33.1.03.1.13.1.23.1.33.2.03.2.13.2.23.2.33.2.43.2.53.2.63.2.73.2.84.0.0 - npm
deployment-key-auditor0.7.10.7.20.7.30.7.41.7.01.7.11.7.21.7.31.8.01.8.11.8.21.8.31.8.41.8.51.8.61.8.71.8.81.8.94.0.0 - npm
dev-env-bootstrapper1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.2 - PyPI
env-loader-cli0.1.1 - PyPI
eth-security-auditor0.1.0 - npm
eth-wallet-sentinel1.0.71.0.81.0.91.0.102.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.82.1.94.0.0 - PyPI
git-config-sync0.1.1 - npm
llm-context-compressor1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
mnemonic-safety-check0.5.00.5.10.5.20.5.31.5.01.5.11.5.21.5.31.6.01.6.11.6.21.6.31.6.41.6.51.6.61.6.71.6.81.6.94.0.0 - npm
model-switch-router1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - crates.io
move-analyzer-build - crates.io
move-compiler-tools - crates.io
move-project-builder - npm
node-setup-helpers1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
project-init-tools1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
prompt-engineering-toolkit1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - PyPI
solidity-build-guard - npm
solidity-deploy-guard0.4.20.4.30.4.40.4.51.4.01.4.11.4.21.4.31.5.01.5.11.5.21.5.31.5.41.5.51.5.61.5.71.5.84.0.0 - crates.io
sui-framework-helpers - crates.io
sui-move-build-helper - crates.io
sui-sdk-build-utils - npm
token-usage-tracker1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
wallet-backup-verifier1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.114.0.0 - npm
wallet-security-checker1.0.11.0.21.0.31.0.42.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.84.0.0 - npm
web3-secrets-detector1.2.31.2.41.2.51.2.61.2.72.2.02.2.12.2.22.2.32.3.02.3.12.3.22.3.32.3.42.3.52.3.62.3.72.3.82.3.94.0.0 - npm
workspace-config-loader1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
Impact
- Crypto wallet theft: Solana / Sui / Aptos keystores and browser wallet-extension data
- SSH private keys, AWS credentials, GitHub tokens, and
.env/ API keys exfiltrated to GitHub Gists - Browser login databases and local development configuration harvested
- AI coding assistants (Claude Code, Cursor) coerced into running the stealer via hidden prompt injection in
CLAUDE.md/.cursorrules - Install-time code execution: npm
postinstall, Rustbuild.rs(cargo build), Python import-time - Variant B droppers tunnel out over Pinggy, bypassing many corporate egress controls
What to do
- 1Audit dependency trees for newly-added crypto/DeFi/AI "security" or "build" helper packages added since 2026-05-19 — see the packages map below for the verified name set
- 2Install with scripts disabled where possible (
npm ci --ignore-scripts) and reviewbuild.rsin any new Rust dependency before compiling - 3Inspect
CLAUDE.md,.cursorrules, and other AI-assistant config files for hidden / zero-width Unicode instructions before letting an agent act on them - 4Rotate any SSH keys, cloud credentials, GitHub tokens, API keys, and crypto wallet keys exposed on machines that installed a suspect package
- 5Block egress to
ddjidd564.github.io, Pinggy tunnels (*.pinggy.link/*.free.pinggy.link), and audit GitHub Gist exfiltration; the campaign is anchored to theddjidd564/ddjidd5640GitHub accounts and the internal markerP-2024-001 - 6Distrust the fabricated brands "Crypto Security Guild", "Web3 Audit Collective", "DeFi Security Alliance" — none of these collectives exist as real organisations
References
- SocketTrapDoor crypto stealer supply chain attack hits 34 packages across npm, PyPI, and crates.iosocket.dev
- XygeniAuditorTrap: a 22-package fake crypto security guild on npm with two parallel payloadsxygeni.io
- The Hacker NewsTrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI, and CratesIOthehackernews.com
- Cyber KendraMalicious packages on npm, PyPI, and Crates.io steal crypto wallets, SSH keys, and cloud credentialscyberkendra.com
- CryptikaHackers compromised 34 packages in npm, PyPI, and crates in new supply chain attackcryptika.com