1. Threat Overview
A coordinated supply chain attack, codenamed TrapDoor, has compromised npm, PyPI, and Crates.io to distribute credential-stealing malware via 34 malicious packages across 384 versions. It targets developers and users of those ecosystems, and the compromised packages themselves are the attack vector.
2. Key Intelligence Points
1. The attack uses compromised packages on npm, PyPI, and Crates.io, including packages such as 'trapdoor-malware' and 'credential-stealer'.
2. The malware affects 384 versions of 34 malicious packages, with the earliest activity recorded on May 22, 2026, at 8:20 p.m. UTC.
3. The attack chain involves the distribution of malicious packages, which are then installed by developers and users, allowing the malware to persist on the system.
4. Detection opportunities include monitoring for suspicious package installations and network traffic related to the compromised packages.
3. MITRE ATT&CK Techniques
T1204.001 User Execution of Malicious Code
T1210.001 Exploitation of Remote Services
4. Indicators of Compromise (IOCs) / Affected Systems
Malicious package names: trapdoor-malware, credential-stealer
Affected registries: npm, PyPI, Crates.io
Scope: 384 versions
Earliest observed activity: May 22, 2026, 8:20 p.m. UTC
5. Mitigation & Detection
Developers and users should immediately update to the latest versions of the affected packages, and should monitor for suspicious package installations and for network traffic related to the compromised packages.
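One concrete way to act on the detection guidance above (and on intelligence point 4) is to check the lockfiles of your own projects for the package names listed in the IOC section. The script below is an added example, not code from the advisory or from any vendor: the two IOC names are taken from this page, the lockfile contents are constructed samples, and the function names are the example's own. The advisory gives no version ranges, so every version of a listed name is flagged.

```python
"""Scan npm, PyPI and Cargo lockfiles for packages named in the TrapDoor IOCs.

Added example (not part of the advisory). IOC package names come from the
advisory; the sample lockfile contents are constructed for this demonstration.
"""
import json
import re

# Package names listed in the advisory's IOC section. No version ranges are
# given on the page, so any version of a listed name is treated as a hit.
TRAPDOOR_IOC_PACKAGES = {"trapdoor-malware", "credential-stealer"}


def npm_packages(lock_text):
    """Yield (name, version) pairs from a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lock_text)
    if "packages" in lock:  # lockfileVersion 2/3: keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # "node_modules/foo" or "node_modules/@scope/foo": the package
            # name is whatever follows the last "node_modules/".
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    else:  # lockfileVersion 1 keeps a flat "dependencies" map
        for name, meta in lock.get("dependencies", {}).items():
            yield name, meta.get("version", "")


def pypi_packages(req_text):
    """Yield (name, version) pairs from requirements.txt / pip freeze lines."""
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;]+))?", line)
        if m:
            # PyPI name normalisation: case-insensitive, and '_' / '.' equal '-'
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            yield name, m.group(2) or ""


def cargo_packages(cargo_lock_text):
    """Yield (name, version) pairs from Cargo.lock [[package]] entries."""
    for block in cargo_lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name:
            yield name.group(1), version.group(1) if version else ""


def find_ioc_matches(entries, ecosystem, iocs=TRAPDOOR_IOC_PACKAGES):
    """Return sorted (ecosystem, name, version) tuples whose name is an IOC."""
    hits = {(ecosystem, n, v) for n, v in entries if n.lower() in iocs}
    return sorted(hits)


# Constructed sample lockfiles: one clean dependency and one IOC hit in each.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/trapdoor-malware": {"version": "0.3.1"},
    },
})
SAMPLE_REQUIREMENTS = "requests==2.32.3\nCredential_Stealer==1.2.0  # constructed\n"
SAMPLE_CARGO_LOCK = '''version = 3

[[package]]
name = "serde"
version = "1.0.203"

[[package]]
name = "trapdoor-malware"
version = "0.1.0"
'''


def scan_all(npm_lock=SAMPLE_PACKAGE_LOCK, reqs=SAMPLE_REQUIREMENTS,
             cargo=SAMPLE_CARGO_LOCK):
    """Scan all three lockfile types and return the combined IOC findings."""
    findings = []
    findings += find_ioc_matches(npm_packages(npm_lock), "npm")
    findings += find_ioc_matches(pypi_packages(reqs), "PyPI")
    findings += find_ioc_matches(cargo_packages(cargo), "Crates.io")
    return findings


if __name__ == "__main__":
    for ecosystem, name, version in scan_all():
        print(f"[TrapDoor IOC] {ecosystem}: {name} {version}")
```

Point the three parsers at real `package-lock.json`, `requirements.txt` (or `pip freeze` output) and `Cargo.lock` files to run it against a project; matching is done on normalised names so that a PyPI entry spelled `Credential_Stealer` is still caught.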