
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io

A coordinated supply chain campaign dubbed TrapDoor has distributed 34 malicious packages across three major package registries: npm (JavaScript), PyPI (Python), and Crates.io (Rust). The packages target developer credentials and environment secrets. The multi-registry approach reflects the attackers' recognition that modern development pipelines span several languages, and that compromising a single dependency in any one of them can yield CI/CD secrets and a path into production infrastructure.

The packages were seeded using typosquatting (names a keystroke or two away from popular packages) and dependency confusion (public packages that reuse the name of an organization's private, internal package so that a misconfigured resolver pulls the public copy instead). Once installed, they exfiltrated environment variables, SSH keys, cloud credentials, and browser-stored passwords.

Organizations should audit their lockfiles and dependency trees across every language ecosystem they use for the identified malicious packages (the package names are not reproduced in this summary), treat any credential that was present in an environment where one of the packages ran as compromised and rotate it, and put automated dependency scanning in place so that similar packages are caught before they reach CI/CD or production pipelines.
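The audit recommended above, as an added example that is not part of the original report and not a tool from the campaign write-up: a small Python script that reads an npm package-lock.json, a PyPI requirements.txt and a Cargo.lock, and flags three things the summary describes, namely names on a blocklist, close typosquats of well-known packages, and dependency-confusion candidates (a package carrying an internal naming prefix that was resolved from a public registry). The blocklist, the popular-package list, the `acme-` internal prefix and the sample lockfiles are all constructed placeholders; the report does not list the 34 package names, so nothing below is an indicator from TrapDoor itself.

```python
"""Cross-ecosystem dependency audit (added example, not the report's own code).
BLOCKLIST, POPULAR, INTERNAL_PREFIX and the SAMPLE_* inputs are hypothetical
placeholders; swap in vendor IOCs and your own internal naming scheme."""
import json
import re
from difflib import SequenceMatcher

# Placeholder data, not TrapDoor indicators.
BLOCKLIST = {"npm": {"evil-pkg"}, "pypi": {"evil-pkg"}, "cargo": {"evil-crate"}}
POPULAR = {"npm": {"lodash", "express", "axios"},
           "pypi": {"requests", "numpy", "boto3"},
           "cargo": {"serde", "tokio", "reqwest"}}
INTERNAL_PREFIX = "acme-"  # hypothetical prefix used for private packages
PUBLIC_HOSTS = ("registry.npmjs.org", "pypi.org", "files.pythonhosted.org",
                "crates.io")  # matches Cargo's crates.io-index / index.crates.io


def parse_npm_lock(text):
    """package-lock.json v2/v3: yield (name, version, resolved_url)."""
    lock = json.loads(text)
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        yield name, meta.get("version", ""), meta.get("resolved", "")


def parse_requirements(text):
    """requirements.txt with optional pins and --index-url; yield (name, version, index)."""
    index = "https://pypi.org/simple"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--index-url") or line.startswith("-i "):
            index = line.split()[-1]
            continue
        m = re.match(r"([A-Za-z0-9._-]+)\s*(?:==\s*([^\s;]+))?", line)
        if m:
            yield m.group(1).lower(), m.group(2) or "", index


def parse_cargo_lock(text):
    """Cargo.lock [[package]] blocks; 'source' is absent for path/workspace crates."""
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, re.M))
        yield fields.get("name", ""), fields.get("version", ""), fields.get("source", "")


def near_miss(name, candidates, threshold=0.8):
    """Return a popular name that `name` closely resembles without equalling it."""
    for cand in candidates:
        if name != cand and SequenceMatcher(None, name, cand).ratio() >= threshold:
            return cand
    return None


def audit(ecosystem, packages):
    """Return a list of (name, version, reason) findings for one ecosystem."""
    findings = []
    for name, version, source in packages:
        if name in BLOCKLIST[ecosystem]:
            findings.append((name, version, "blocklisted"))
        else:
            hit = near_miss(name, POPULAR[ecosystem])
            if hit:
                findings.append((name, version, "possible typosquat of " + hit))
        # Dependency confusion: an internal name that a public registry served.
        if name.startswith(INTERNAL_PREFIX) and any(h in source for h in PUBLIC_HOSTS):
            findings.append((name, version, "internal name resolved from public registry"))
    return findings


# Constructed sample inputs; not lockfiles from any real incident.
SAMPLE_NPM_LOCK = json.dumps({"packages": {
    "": {"name": "app"},
    "node_modules/lodash": {"version": "4.17.21",
                            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/lodahs": {"version": "1.0.0",
                            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz"},
    "node_modules/acme-auth": {"version": "99.0.0",
                               "resolved": "https://registry.npmjs.org/acme-auth/-/acme-auth-99.0.0.tgz"},
}})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nrequets==0.1\nevil-pkg==1.0\n"
SAMPLE_CARGO_LOCK = '''[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "acme-core"
version = "0.1.0"

[[package]]
name = "acme-secrets"
version = "9.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''


def run_audit():
    """Audit the constructed samples; returns {ecosystem: findings}."""
    return {"npm": audit("npm", parse_npm_lock(SAMPLE_NPM_LOCK)),
            "pypi": audit("pypi", parse_requirements(SAMPLE_REQUIREMENTS)),
            "cargo": audit("cargo", parse_cargo_lock(SAMPLE_CARGO_LOCK))}


if __name__ == "__main__":
    for eco, hits in run_audit().items():
        for name, version, reason in hits:
            print(f"[{eco}] {name}=={version}: {reason}")
```

On the samples, the script flags `lodahs` and `requets` as typosquats, `evil-pkg` as blocklisted, and `acme-auth` and `acme-secrets` as internal names that a public registry served; `acme-core`, which has no `source` entry in Cargo.lock and therefore came from the workspace, is left alone. In a real pipeline, point the parsers at the checked-in lockfiles rather than the manifests, since the lockfile records what was actually resolved, and run the script as a CI step so a confused or squatted dependency fails the build before any install hook executes.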

Sources