Malware Hits npm, PyPI, Crates.io

TL;DR: A coordinated supply chain attack named TrapDoor has been discovered across npm, PyPI, and Crates.io. The campaign used over 34 malicious packages to distribute credential-stealing malware, highlighting ongoing risks in open-source registries and the developers who rely on them.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published:
- Source: The Hacker News
Full summary
A new supply chain attack called TrapDoor is spreading credential-stealing malware through malicious packages on npm, PyPI, and Crates.io.
A coordinated software supply chain attack, codenamed TrapDoor, has been identified across three major package registries: npm, PyPI, and Crates.io. The campaign involves the distribution of credential-stealing malware through more than 34 malicious packages, published in over 384 different versions. Security researchers noted that the earliest activity related to this campaign was recorded on May 22, 2026. The attackers published the malicious packages in waves, indicating a planned and persistent effort to compromise developer environments. This cross-ecosystem approach targets developers working with JavaScript, Python, and Rust, significantly broadening the potential attack surface.
This attack highlights a structural weakness in the modern software development lifecycle, which relies heavily on open-source packages. By publishing to these registries, attackers can inject malicious code directly into development and production environments. The primary goal of the TrapDoor malware is to steal credentials, such as API keys, passwords, and other sensitive secrets stored on developer machines. For businesses, this can lead to unauthorized access to internal systems, data breaches, and significant financial or reputational damage. The incident is a reminder for security and engineering teams to scrutinize dependencies and implement strong security controls.
Action needed
Developers and security teams should audit their project dependencies for any of the malicious packages identified in the TrapDoor campaign. Remove any identified packages immediately and rotate any credentials that may have been exposed on affected systems.
Action checklist
1. Review project dependencies on npm, PyPI, and Crates.io.
2. Identify and remove any packages associated with the TrapDoor campaign.
3. Scan developer machines and CI/CD environments for compromise.
4. Rotate all developer credentials, API keys, and other secrets.
5. Implement stricter dependency vetting and security policies.
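Steps 1 and 2 of the checklist amount to one cross-ecosystem lockfile audit. The script below is an added example written for this summary, not code from The Hacker News or Notifire; the flagged package names and the three lockfile snippets are constructed placeholders, and the real indicator list must be taken from the primary source.

```python
"""Cross-registry dependency audit for the cleanup steps above.
Flagged names and lockfile contents are constructed placeholders."""
import json
import re

# Placeholder names, not real TrapDoor indicators.
FLAGGED = {
    "npm": {"example-npm-pkg"},
    "pypi": {"example-pypi-pkg"},
    "crates": {"example-crate"},
}

def npm_deps(lock_text):
    """Yield (name, version) from a package-lock.json v2/v3 'packages' map."""
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path:  # "" is the root project, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")

def pypi_deps(req_text):
    """Yield (normalized name, version) from pinned requirements.txt lines."""
    for line in req_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)", line)
        if m:  # PEP 503 normalization so Foo_Bar and foo-bar compare equal
            yield re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)

def cargo_deps(lock_text):
    """Yield (name, version) from Cargo.lock [[package]] entries."""
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            yield name.group(1), ver.group(1)

def audit(npm_lock, requirements, cargo_lock, flagged=FLAGGED):
    """Return a sorted list of (ecosystem, name, version) hits across all three."""
    sources = (("npm", npm_deps(npm_lock)), ("pypi", pypi_deps(requirements)),
               ("crates", cargo_deps(cargo_lock)))
    return sorted((eco, n, v) for eco, deps in sources for n, v in deps if n in flagged[eco])

# Constructed sample lockfiles: one clean and one flagged entry per ecosystem.
NPM_LOCK = json.dumps({"packages": {"": {"name": "app"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/example-npm-pkg": {"version": "0.0.2"}}})
REQS = "requests==2.31.0\nExample_PyPI.pkg==9.9.9 ; python_version>'3'\n"
CARGO = '[[package]]\nname = "serde"\nversion = "1.0.1"\n\n[[package]]\nname = "example-crate"\nversion = "0.1.0"\n'

if __name__ == "__main__":
    for eco, name, ver in audit(NPM_LOCK, REQS, CARGO):
        print(f"FLAGGED [{eco}] {name}@{ver}: remove it and rotate secrets on this host")
```

Any hit means the host and its CI runners should be treated as compromised, which is why step 4 (rotating secrets) follows removal rather than replacing it.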
Primary source: The Hacker News