Cross-Ecosystem Poisoning: Dissecting the TrapDoor Campaign (npm, PyPI, Crates.io)
Just caught the report on the 'TrapDoor' campaign active since May 22, 2026. This one is nasty because it’s coordinated across three major ecosystems simultaneously: npm, PyPI, and Crates.io. We’re looking at over 34 malicious packages and more than 384 versions designed to drop credential stealers.
What stands out is the persistence. The attackers aren't just dumping everything at once; they're publishing in waves to evade automated scanners. Since there aren't specific CVEs attached to the packages themselves (it's more about malicious intent in the code), standard vulnerability scanners might miss this unless signature updates are pushed immediately.
For those hunting in your environment, I'd recommend checking for unusual child processes spawned by package managers during installation times. If you have telemetry, you might want to pivot on installation events from that late May timeframe.
Here is a basic KQL query to help triage potential package installation events during the initial attack wave:
DeviceProcessEvents
| where Timestamp >= datetime(2026-05-22 20:20:00)
| where ProcessVersionInfoOriginalFileName in ("npm.exe", "pip.exe", "cargo.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp asc
Is anyone else seeing evidence of this in their SBOMs yet? How are you handling the verification of cross-language dependencies without crippling your CI/CD pipeline speed?
We flagged this on our staging environment yesterday. The npm packages were using obfuscated JavaScript to trigger reverse shells. We've locked down our registries to only allow specific domains, but it's a game of whack-a-mole.
I recommend running npm audit with the force flag, but honestly, manual review of the package. diff is the only way to be 100% sure right now.
Great query, thanks for sharing. From a SOC perspective, we're seeing the C2 traffic attempt to blend in with legitimate HTTPS traffic. The malware seems to be targeting AWS and GitHub credentials specifically.
If you use Defender for Endpoint, keep an eye on AlertTitle containing "Suspicious PowerShell command line" coinciding with those installs.
This reinforces why we moved to an internal air-gapped proxy for PyPI. The blast radius is contained if a malicious package slips through, provided we vet the imports before mirroring.
It's painful for the devs to wait for approvals, but incidents like TrapDoor justify the overhead.
Good insight, Marcus. To complement network-based detection, we're focusing on runtime telemetry. Many of these packages rely on post-install scripts. We recently implemented a KQL rule to flag suspicious child processes spawned by npm or pip:
DeviceProcessEvents
| where InitiatingProcessFileName in ("npm.exe", "pip.exe")
| where ProcessFileName in ("powershell.exe", "cmd.exe", "curl.exe")
Solid points on the network side. Don't forget retrospective supply chain hygiene. Since these packages target specific ecosystems, automated SBOM validation in CI/CD is vital to catch version drift. If you need to quickly audit existing environments, we've been extracting hashes from lockfiles and cross-referencing them with OSINT feeds.
Here's a quick snippet to pull integrity hashes from an npm lock file for verification:
const fs = require('fs');
const pkg = JSON.parse(fs.readFileSync('package-lock.'));
Object.values(pkg.packages).forEach(p => {
if (p.integrity) console.log(`${p.name}: ${p.integrity}`);
});
We’ve adopted a policy-as-code approach to strictly enforce provenance requirements across our pipelines. Using Open Policy Agent (OPA), we block builds if dependencies lack valid Sigstore attestation. This governance layer prevents unsigned packages from ever reaching our runtime environments, ensuring trust regardless of scanner evasion.
rego package main deny[msg] { not input.packages[i].sigstore_verified msg := sprintf("Package %s lacks provenance", [input.packages[i].name]) }
Validating lockfile integrity is critical here since scanners are lagging behind these waves. We’re enforcing strict hash checks in our CI pipeline to ensure the tarball matches the registry entry, preventing version confusion. If you're hunting retrospectively, this Python snippet helps quickly scan local environments for the specific naming conventions or suspicious metadata associated with this campaign:
import pkg_resources
import os
for dist in pkg_resources.working_set:
# Check against known malicious patterns or names
if 'trapdoor' in dist.project_name.lower():
print(f"Suspicious package detected at: {dist.location}")
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access