TrapDoor Supply Chain Attack Steals Credentials via npm, PyPI


A new coordinated supply chain attack called TrapDoor targets npm, PyPI, and Crates.io with credential-stealing malware. Over 34 malicious packages across 384 versions have been found. Learn how to protect your development environment.

A new coordinated software supply chain attack campaign has hit npm, PyPI, and Crates.io, spreading malware that steals credentials. The campaign, called TrapDoor, involves over 34 malicious packages across more than 384 versions. The earliest signs of activity were spotted on May 22, 2026, at 8:20 p.m. UTC. Packages have been released in waves, targeting developers who rely on these ecosystems.

### How TrapDoor Works

TrapDoor is a cross-ecosystem attack. It doesn't just target one package manager. It spreads across npm, PyPI, and Crates.io, which makes it harder to catch with tooling that only watches a single registry. The malware is designed to steal credentials such as login details and API keys. Once installed, it can silently exfiltrate data from your system.

- **npm**: Used for JavaScript and Node.js projects
- **PyPI**: The go-to for Python packages
- **Crates.io**: The Rust package registry

Attackers publish malicious packages that look legitimate. They often use typosquatting: names that differ from a popular package by a single character, a swapped pair of letters, or a different separator, so a misspelled install command or a careless copy-paste pulls in the attacker's package instead of the real one.

### What Makes This Campaign Different

This isn't a single-point attack. It's a coordinated effort across multiple ecosystems. The packages were published in waves, suggesting a well-organized group behind it. The earliest activity dates back to May 2026, meaning it's been active for months. Over 384 versions of these malicious packages exist, each potentially carrying the same malware.

> "Supply chain attacks like TrapDoor are becoming more common. Developers need to be vigilant about what they install." - Emily Davis, Head of Digital Privacy at Antidetectbrowsershub

### Protecting Yourself from TrapDoor

You don't have to be a victim. There are steps you can take to stay safe. First, always verify the source of a package: check the publisher's history, how long the package has existed, and its download numbers, and be suspicious of a brand-new package that has shipped many versions in a few days. Second, use tools that scan your dependencies. Keep in mind that a scanner for known vulnerabilities (CVEs) will not catch a freshly published malicious package; you also want tooling that flags look-alike names and install-time scripts. Third, consider using an antidetect browser to isolate your development environment.
An antidetect browser creates a separate browser profile with its own fingerprint and session state for your work. If a session in one profile is compromised, the cookies and tokens held by your other profiles are not shared with it. It's like having a clean room for sensitive tasks. Be clear about what it does not do: it cannot stop a malicious package that is already executing on your machine from reading files, environment variables, or credential stores, so it complements package vetting rather than replacing it.

### Why Antidetect Browsers Matter

In the world of software development, your credentials are gold. Attackers want them to access your code repositories, cloud services, and more. An antidetect browser helps by masking your real browser fingerprint from the sites and trackers you visit and by keeping each work identity in its own isolated profile. For professionals dealing with supply chain risks, this extra layer of compartmentalization is worth considering.

### Final Thoughts

The TrapDoor campaign is a reminder that supply chain attacks are evolving. They're no longer just about one platform. Developers need to stay alert and use the right tools. Whether it's verifying packages or using an antidetect browser, every step counts. Stay safe out there.
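The vetting steps described under "Protecting Yourself from TrapDoor" (look-alike names, publisher and package history, install-time scripts) can be scripted. The block below is an added example written for this article; it is not code from the article's author, from Antidetectbrowsershub, or from any scanner. It parses constructed `package.json`, `requirements.txt` and `Cargo.toml` snippets, flags dependency names within one edit of a small constructed list of well-known packages (using a Damerau-Levenshtein distance so swapped letters count as one edit), and applies age, release-cadence and lifecycle-script heuristics to constructed registry metadata. The allowlist, the metadata dictionary, the thresholds and the metadata shape are all assumptions; in practice the metadata comes from the registry APIs.

```python
"""Heuristic dependency vetting: typosquat names, install hooks, rapid publishing.

Added example, not code from the article or any tool it mentions. Everything
below marked 'constructed' is sample data made up for the example.
"""
import json
import re
from datetime import datetime, timezone

# Constructed allowlist of well-known names per ecosystem (assumption: the
# trusted baseline an organisation would maintain for its own stack).
KNOWN = {
    "npm": {"lodash", "express", "axios", "chalk", "react"},
    "pypi": {"requests", "numpy", "urllib3", "cryptography", "boto3"},
    "crates": {"serde", "tokio", "rand", "reqwest", "clap"},
}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute, or swap two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(name: str) -> str:
    # PyPI treats '_' and '-' as equivalent; attackers exploit the confusion.
    return name.lower().replace("_", "-")


def typosquat_candidates(eco: str, name: str, max_distance: int = 1) -> list:
    """Known packages the given name is suspiciously close to ([] if exact)."""
    n = normalize(name)
    hits = []
    for known in KNOWN[eco]:
        if n == known:
            return []  # it *is* the well-known package
        if edit_distance(n, known) <= max_distance:
            hits.append(known)
    return sorted(hits)


def deps_from_package_json(text: str) -> dict:
    doc = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(doc.get(key, {}))
    return deps


def deps_from_requirements(text: str) -> dict:
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def deps_from_cargo_toml(text: str) -> dict:
    """Minimal line parser for the dependency tables of a Cargo.toml."""
    deps, in_deps = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_deps = line in ("[dependencies]", "[dev-dependencies]", "[build-dependencies]")
            continue
        if in_deps and "=" in line:
            name, spec = line.split("=", 1)
            deps[name.strip()] = spec.strip()
    return deps


def publish_cadence_flags(meta: dict, now: datetime,
                          max_versions_per_day: float = 5.0, min_age_days: int = 30) -> list:
    """meta is a constructed, simplified registry record:
    {'created': ISO-8601, 'versions': int, 'scripts': {npm lifecycle scripts}}."""
    created = datetime.fromisoformat(meta["created"])
    age_days = max((now - created).total_seconds() / 86400, 1 / 24)
    flags = []
    if age_days < min_age_days:
        flags.append(f"new package ({age_days:.1f} days old)")
    if meta["versions"] / age_days > max_versions_per_day:
        flags.append(f"{meta['versions']} versions in {age_days:.1f} days")
    hooks = sorted(set(meta.get("scripts", {})) & set(LIFECYCLE))
    if hooks:
        flags.append("runs code at install time: " + ", ".join(hooks))
    return flags


def vet(manifests: dict, registry: dict, now: datetime) -> dict:
    """manifests: {eco: {name: spec}}. Returns {'eco:name': [findings]} for flagged deps only."""
    report = {}
    for eco, deps in manifests.items():
        for name in deps:
            findings = []
            close = typosquat_candidates(eco, name)
            if close:
                findings.append("name is within one edit of " + ", ".join(close))
            meta = registry.get((eco, normalize(name)))
            if meta is None:
                findings.append("no registry metadata available")
            else:
                findings.extend(publish_cadence_flags(meta, now))
            if findings:
                report[f"{eco}:{name}"] = findings
    return report


# Constructed manifests: one legitimate and one look-alike dependency each.
PACKAGE_JSON = '{"dependencies": {"lodash": "^4.17.21", "expres": "^4.18.0"}}'
REQUIREMENTS = "requests==2.31.0\nurlib3>=2.0  # constructed typo\n"
CARGO_TOML = '[package]\nname = "demo"\n\n[dependencies]\nserde = "1"\ntokoi = "1.35"\n'
MANIFESTS = {
    "npm": deps_from_package_json(PACKAGE_JSON),
    "pypi": deps_from_requirements(REQUIREMENTS),
    "crates": deps_from_cargo_toml(CARGO_TOML),
}
# Constructed registry metadata (the look-alikes mimic the campaign's burst publishing).
REGISTRY = {
    ("npm", "lodash"): {"created": "2012-04-23T16:37:11+00:00", "versions": 114, "scripts": {}},
    ("npm", "expres"): {"created": "2026-05-22T20:20:00+00:00", "versions": 14,
                        "scripts": {"postinstall": "node setup.js"}},
    ("pypi", "requests"): {"created": "2011-02-14T00:00:00+00:00", "versions": 150, "scripts": {}},
    ("pypi", "urlib3"): {"created": "2026-05-23T02:00:00+00:00", "versions": 9, "scripts": {}},
    ("crates", "serde"): {"created": "2014-12-05T00:00:00+00:00", "versions": 300, "scripts": {}},
    ("crates", "tokoi"): {"created": "2026-05-23T11:00:00+00:00", "versions": 12, "scripts": {}},
}
NOW = datetime(2026, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for dep, findings in vet(MANIFESTS, REGISTRY, NOW).items():
        print(dep)
        for f in findings:
            print("  -", f)
```

Run against the constructed data, the three look-alikes (`expres`, `urlib3`, `tokoi`) are reported and the three genuine packages are not; `tokoi` is only caught because the distance function treats a swapped letter pair as one edit. The thresholds are deliberately simple; a real deployment would tune them and pull `created`, version counts and lifecycle scripts from the registry APIs rather than a dictionary.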