TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io

Summary

A coordinated software supply chain attack, codenamed TrapDoor, has been discovered targeting popular package managers npm, PyPI, and Crates.io. The campaign distributed credential-stealing malware through over 34 malicious packages across more than 384 versions, with initial activity dating back to May 22, 2026.

IFF Assessment

FOE

This attack specifically targets software supply chains to distribute malware, posing a direct threat to developers and organizations relying on these ecosystems.

Defender Context

Defenders need to be vigilant about the security of their software supply chains, as attackers are increasingly exploiting trusted package repositories. This campaign highlights the importance of rigorous dependency vetting, integrity checks, and awareness of potential threats hidden within open-source libraries.
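The "dependency vetting" and "integrity checks" mentioned above can be made concrete in an install gate. The following is an added example written for this summary, not code from the original story or from any of the package registries named; it assumes a requirements file pinned in pip's `--hash=sha256:` format and uses a constructed artifact and a hypothetical package name (`examplepkg`). It checks two things before a dependency is accepted: that the downloaded artifact's SHA-256 matches the pinned hash, and that the version is older than a minimum "cooldown" age, since freshly published versions are where a malicious release is most likely to be caught.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample input (not a real package): a hash-pinned requirement
# line and the bytes of the artifact we pretend to have downloaded for it.
SAMPLE_ARTIFACT = b"fake wheel contents for demonstration only\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENT = f"examplepkg==1.2.3 --hash=sha256:{SAMPLE_SHA256}"

# Only exactly-pinned requirements with a sha256 hash are accepted; ranges
# such as ">=" give an attacker-published newer version a way in.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+"
    r"--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_pinned_requirement(line):
    """Return name/version/digest from a pip-style hash-pinned requirement."""
    m = REQ_RE.match(line.strip())
    if not m:
        raise ValueError(
            "requirement must be exactly pinned with a sha256 hash: %r" % line
        )
    return m.groupdict()


def verify_artifact(artifact_bytes, expected_sha256):
    """True if the artifact's SHA-256 equals the pinned digest."""
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    # Constant-time compare; cheap insurance when digests come from user input.
    return hmac.compare_digest(actual, expected_sha256)


def version_is_cooled_down(published, today, min_age_days=7):
    """True if the version has been public for at least min_age_days."""
    return (today - published) >= timedelta(days=min_age_days)


def vet_package(line, artifact_bytes, published, today, min_age_days=7):
    """Return a list of findings; an empty list means the package passes.

    `published` is the release date reported by the registry (a constructed
    value in the tests here), `today` is the date of the install.
    """
    req = parse_pinned_requirement(line)
    findings = []
    if not verify_artifact(artifact_bytes, req["digest"]):
        findings.append("hash mismatch for %s==%s" % (req["name"], req["version"]))
    if not version_is_cooled_down(published, today, min_age_days):
        findings.append(
            "%s==%s is younger than the %d-day cooldown"
            % (req["name"], req["version"], min_age_days)
        )
    return findings


if __name__ == "__main__":
    # A version published well before the install date, with matching bytes.
    print(vet_package(SAMPLE_REQUIREMENT, SAMPLE_ARTIFACT,
                      date(2026, 5, 1), date(2026, 6, 1)))
    # The same requirement, but the artifact was altered after pinning.
    print(vet_package(SAMPLE_REQUIREMENT, SAMPLE_ARTIFACT + b"x",
                      date(2026, 5, 1), date(2026, 6, 1)))
```

The cooldown rule is deliberately separate from the hash check: a hash only proves that you got the bytes you pinned, not that the pinned release was trustworthy, so the two checks cover different failure modes. In practice the release date would come from the registry's metadata API and the hash from a lockfile generated on a clean machine.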
