Feed
CriticalPublished 22 May 2026Updated 26 May 202634 packages · 404 versions

TrapDoor / AuditorTrap crypto-stealer campaign across npm, PyPI and crates.io

Summary

Starting 2026-05-22 the TrapDoor / AuditorTrap campaign pushed 34+ malicious packages (384+ versions) across npm, PyPI and crates.io posing as crypto/DeFi/AI dev tools and fake "security guild" branding. Payloads steal SSH keys, cloud credentials and Solana/Sui/Aptos wallets, and hide zero-width-Unicode prompt injection in CLAUDE.md/.cursorrules to trick Claude Code and Cursor into running the stealer.

infostealercredential-theftcrypto-wallet-drainprompt-injectionobfuscationcdn-supply-chain
Detected by
Socket · Xygeni
Also known as
TrapDoor · AuditorTrap · Crypto Security Guild · Web3 Audit Collective · DeFi Security Alliance
Ecosystems
crates.ionpmPyPI
Packages tracked
34

What happened

On 2026-05-22 at 20:20:18 UTC, Socket observed the first TrapDoor package — eth-security-auditor@0.1.0 on PyPI — and the campaign expanded in waves across npm, PyPI and crates.io through the weekend. By 2026-05-25 it spanned 34+ packages and 384+ versions/artifacts, with some already pulled and others still live. Socket flagged releases in a median of roughly 5–6 minutes (fastest 58 seconds), classifying most as malicious before meaningful adoption.

Xygeni independently tracked an overlapping cluster as AuditorTrap: a 22-package fake "Web3 security guild" catalogue published by ddjidd5640 (a sibling of the ddjidd564 GitHub account Socket tied to the npm/PyPI/crates payloads), branded as the fabricated Crypto Security Guild, Web3 Audit Collective, and DeFi Security Alliance — none of which exist as real organisations; their GitHub orgs are empty shells that exist only to populate the npm "author" hyperlink. Xygeni split the catalogue into two active payload families — Variant A (8 credential-harvesting packages with a postinstall hook plus an MCP-tool scanner.js that runs when an AI agent invokes the package) and Variant B (5 Pinggy-based binary droppers) — plus one dormant tranche.

Rather than typosquatting existing libraries, TrapDoor invents plausible-sounding tools aimed at crypto, DeFi, Solana, AI and security developers. Verified npm releases include prompt-engineering-toolkit, token-usage-tracker, solidity-deploy-guard, defi-threat-scanner, eth-wallet-sentinel, wallet-security-checker, web3-secrets-detector, wallet-backup-verifier, crypto-credential-scanner, defi-env-auditor, chain-key-validator, mnemonic-safety-check, deployment-key-auditor, llm-context-compressor, model-switch-router, async-pipeline-builder, build-scripts-utils, dev-env-bootstrapper, node-setup-helpers, project-init-tools, and workspace-config-loader. PyPI mirrors the theme with eth-security-auditor, defi-risk-scanner, cryptowallet-safety, data-pipeline-check, env-loader-cli, git-config-sync, and solidity-build-guard. Crates.io hosts six Sui/Move-flavoured names (move-project-builder, sui-sdk-build-utils, sui-framework-helpers, sui-move-build-helper, move-analyzer-build, move-compiler-tools) — names that read exactly like the dev helpers, model-routing utilities, Solidity tooling and Sui/Move build helpers their targets routinely install.

Execution is ecosystem-specific. npm packages run a postinstall hook that loads trap-core.js, a ~1,149-line credential harvester and propagation tool; Rust crates abuse build.rs to locate local keystores, XOR-encrypt them with the hard-coded key cargo-build-helper-2026, and exfiltrate to GitHub Gists; PyPI packages execute at import time. Stolen data includes SSH keys, Solana/Sui/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto-wallet extension data, environment variables, API keys and local dev configuration files.

TrapDoor's standout technique poisons AI coding assistants. The attacker plants hidden instructions — concealed with zero-width Unicode characters — inside CLAUDE.md and .cursorrules files, tricking tools like Claude Code and Cursor into running a bogus "security scan" that silently executes the stealer. The campaign is anchored to the GitHub accounts ddjidd564 / ddjidd5640 (payloads served from ddjidd564.github.io/defi-security-best-practices/) and tagged with the internal marker P-2024-001.

  • npm versions encoded below were re-verified against the npm registry API on 2026-05-26; every entry is now in a 0.0.1-security holding state, confirming npm pulled the malicious releases.
  • PyPI projects in the packages map are confirmed in PyPI admin "quarantined" status (cannot be installed, cannot be modified by maintainer) per PyPI project pages fetched 2026-05-26.
  • The six crates.io names are encoded with affectedVersions: [] (match by name only) because Socket's appendix is still rate-limited and crates.io returns 404 for the names — consistent with a yank.
  • Socket's underlying article (socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates) and Xygeni's AuditorTrap write-up remain bot-blocked (HTTP 403) at ingest time; verification was driven via npm/PyPI registry APIs, GitHub Security Advisories search, The Hacker News, gbhackers, and Cyber Kendra coverage.

Affected packages (34)

  • npmasync-pipeline-builder
    1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmbuild-scripts-utils
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmchain-key-validator
    0.2.10.2.20.2.30.2.41.2.01.2.11.2.21.2.31.3.01.3.11.3.21.3.31.3.41.3.51.3.61.3.71.3.81.3.94.0.0
  • npmcrypto-credential-scanner
    2.0.02.0.12.0.22.0.33.0.03.0.13.0.23.0.33.1.03.1.13.1.23.1.33.1.43.1.53.1.63.1.73.1.83.1.94.0.0
  • PyPIcryptowallet-safety
  • PyPIdata-pipeline-check
    0.1.1
  • npmdefi-env-auditor
    0.3.00.3.10.3.20.3.31.3.01.3.11.3.21.3.31.4.01.4.11.4.21.4.31.4.41.4.51.4.61.4.71.4.81.4.94.0.0
  • PyPIdefi-risk-scanner
    0.1.0
  • npmdefi-threat-scanner
    2.1.02.1.12.1.22.1.33.1.03.1.13.1.23.1.33.2.03.2.13.2.23.2.33.2.43.2.53.2.63.2.73.2.84.0.0
  • npmdeployment-key-auditor
    0.7.10.7.20.7.30.7.41.7.01.7.11.7.21.7.31.8.01.8.11.8.21.8.31.8.41.8.51.8.61.8.71.8.81.8.94.0.0
  • npmdev-env-bootstrapper
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.2
  • PyPIenv-loader-cli
    0.1.1
  • PyPIeth-security-auditor
    0.1.0
  • npmeth-wallet-sentinel
    1.0.71.0.81.0.91.0.102.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.82.1.94.0.0
  • PyPIgit-config-sync
    0.1.1
  • npmllm-context-compressor
    1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmmnemonic-safety-check
    0.5.00.5.10.5.20.5.31.5.01.5.11.5.21.5.31.6.01.6.11.6.21.6.31.6.41.6.51.6.61.6.71.6.81.6.94.0.0
  • npmmodel-switch-router
    1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • crates.iomove-analyzer-build
  • crates.iomove-compiler-tools
  • crates.iomove-project-builder
  • npmnode-setup-helpers
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmproject-init-tools
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmprompt-engineering-toolkit
    1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • PyPIsolidity-build-guard
  • npmsolidity-deploy-guard
    0.4.20.4.30.4.40.4.51.4.01.4.11.4.21.4.31.5.01.5.11.5.21.5.31.5.41.5.51.5.61.5.71.5.84.0.0
  • crates.iosui-framework-helpers
  • crates.iosui-move-build-helper
  • crates.iosui-sdk-build-utils
  • npmtoken-usage-tracker
    1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
  • npmwallet-backup-verifier
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.114.0.0
  • npmwallet-security-checker
    1.0.11.0.21.0.31.0.42.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.84.0.0
  • npmweb3-secrets-detector
    1.2.31.2.41.2.51.2.61.2.72.2.02.2.12.2.22.2.32.3.02.3.12.3.22.3.32.3.42.3.52.3.62.3.72.3.82.3.94.0.0
  • npmworkspace-config-loader
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1

Impact

  • Crypto wallet theft: Solana / Sui / Aptos keystores and browser wallet-extension data
  • SSH private keys, AWS credentials, GitHub tokens, and .env / API keys exfiltrated to GitHub Gists
  • Browser login databases and local development configuration harvested
  • AI coding assistants (Claude Code, Cursor) coerced into running the stealer via hidden prompt injection in CLAUDE.md / .cursorrules
  • Install-time code execution: npm postinstall, Rust build.rs (cargo build), Python import-time
  • Variant B droppers tunnel out over Pinggy, bypassing many corporate egress controls

What to do

  1. 1Audit dependency trees for newly-added crypto/DeFi/AI "security" or "build" helper packages added since 2026-05-19 — see the packages map below for the verified name set
  2. 2Install with scripts disabled where possible (npm ci --ignore-scripts) and review build.rs in any new Rust dependency before compiling
  3. 3Inspect CLAUDE.md, .cursorrules, and other AI-assistant config files for hidden / zero-width Unicode instructions before letting an agent act on them
  4. 4Rotate any SSH keys, cloud credentials, GitHub tokens, API keys, and crypto wallet keys exposed on machines that installed a suspect package
  5. 5Block egress to ddjidd564.github.io, Pinggy tunnels (*.pinggy.link / *.free.pinggy.link), and audit GitHub Gist exfiltration; the campaign is anchored to the ddjidd564 / ddjidd5640 GitHub accounts and the internal marker P-2024-001
  6. 6Distrust the fabricated brands "Crypto Security Guild", "Web3 Audit Collective", "DeFi Security Alliance" — none of these collectives exist as real organisations

References

multi-2026-05-22-trapdoor-crypto-stealer