SECURITYTHE HACKER NEWS
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
A coordinated cross-ecosystem supply chain attack named TrapDoor has distributed credential-stealing malware through npm, PyPI, and Crates.io, involving over 34 malicious packages across 384 versions. The campaign began on May 22, 2026, with packages published in waves from a cluster of sources.
Mentioned
Related Signal
Adjacent reporting
- SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware
- Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
- The never-ending supply chain attacks worm into SAP npm packages, other dev tools
- New Shai-Hulud malware wave compromises 600 npm packages
- New npm supply-chain attack self-spreads to steal auth tokens
- North Korean hackers implicated in major supply chain attack