A malicious package campaign across npm, PyPI, and Crates.io has put developer workstations back under scrutiny, after researchers said it targeted developer workflows and AI coding assistant files.

Researchers at Socket said the campaign, which they are tracking as TrapDoor, “spans more than 34 malicious packages and 384+ related versions and artifacts” across the three open-source ecosystems.

The packages were designed to steal developer secrets, including AWS credentials, GitHub tokens, SSH keys, browser data, environment variables, crypto wallets, and local development configuration files, according to Socket.

The findings indicate a bigger concern than just another malicious package incident. Developer environments increasingly sit at the intersection of source code, cloud infrastructure, CI/CD pipelines, AI coding tools, and privileged credentials. A compromise of one workstation can therefore give attackers a foothold beyond the developer’s machine.

The packages used execution points that are common in normal software development workflows. In npm, the malware relied on postinstall scripts. In PyPI, it used import-time execution to fetch and run remote JavaScript. In Crates.io, it abused Rust build scripts that execute during compilation. That makes the campaign harder to detect using controls focused on a single programming language or package registry.

TrapDoor also appears to reflect attackers’ growing interest in AI-assisted development environments. Socket said the campaign attempted to alter files used by AI coding tools, including .cursorrules and CLAUDE.md, using hidden Unicode instructions.

The apparent strategy was to trick AI assistants into running security-scan-like workflows that could lead to secret discovery and exfiltration.
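A defender-side check for the hidden-Unicode technique described above, as an added example that is not from Socket's report or this article. The article does not say which code points were used, so the code assumes the common invisible classes (Unicode format characters and the tag block); the file list comes from the article and `SAMPLE` is constructed.

```python
import unicodedata
from pathlib import Path

# File names taken from the article; extend for other assistants (assumption).
AI_CONTEXT_FILES = {".cursorrules", "CLAUDE.md"}

def is_hidden(ch):
    """True for code points that render as nothing but are still read by a model."""
    cp = ord(ch)
    if 0xE0000 <= cp <= 0xE007F:  # tag block: invisible mirror of ASCII
        return True
    return unicodedata.category(ch) == "Cf"  # zero-width and bidi format controls

def scan_text(text):
    """Return (line, column, description) for every hidden code point in text."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if (line_no, col, ch) == (1, 1, "\ufeff"):
                continue  # a leading byte-order mark is legitimate
            if is_hidden(ch):
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((line_no, col, f"U+{ord(ch):04X} {name}"))
    return findings

def reveal_tags(text):
    """Decode tag-block characters to the ASCII they shadow, for human review."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

def scan_tree(root):
    """Scan every AI context file under root; return {path: findings} for hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_CONTEXT_FILES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: a visible rule followed by invisible tag characters.
SAMPLE = ("Use 4-space indentation.\nRun tests before commit."
          + "".join(chr(0xE0000 + ord(c)) for c in "hidden text") + "\u200b\n")

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
    print("decoded tag text:", repr(reveal_tags(SAMPLE)))
```

Zero-width joiners inside emoji sequences are also format characters, so expect some benign hits that need triage when this runs in a pre-commit hook or CI job.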

That use of ordinary development mechanisms is what makes the campaign difficult to treat as a conventional malware incident, analysts said.

“TrapDoor represents a shift from opportunistic package abuse toward workflow-level compromise of developer environments,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services. “Earlier campaigns typically placed a malicious package, stole credentials on install, and moved on. TrapDoor is engineered around the full developer workflow, meaning the attack extends well beyond the package registry.”

Grover said the campaign’s cross-registry design makes it harder to spot from a single ecosystem view, since the malicious packages used the normal execution mechanisms of npm, PyPI, and Crates.io. The more serious concern, she said, is what happens after installation, when the malware attempts to persist on the developer machine and potentially use stolen SSH keys to move deeper into engineering systems.

“A single compromised workstation can quietly become an entry point into CI/CD pipelines and build infrastructure,” Grover said. “That’s not credential theft. That’s an initial access operation.”

Sanchit Vir Gogia, chief analyst at Greyhound Research, noted that the campaign is distinctive because it demonstrates an intimate understanding of how modern software is built.

“It does not stop at stealing credentials from one poisoned dependency,” Gogia said. “It targets the wider developer operating environment: package managers, AI coding assistants, Git hooks, shell profiles, SSH trust relationships, browser sessions, cloud credentials, CI/CD pathways, and the local workflow artifacts that developers and machines increasingly treat as legitimate context.”

Mitigation strategies

Gogia said the issue is no longer just endpoint security, but control over the systems and workflows that produce enterprise software.

“Developer environments must be treated as production-adjacent infrastructure,” Gogia said. “They carry code, secrets, identity, automation, cloud access, and now machine reasoning context. If an attacker owns the developer environment, they are not merely stealing a password. They are sitting beside the machinery that creates enterprise software.”

Mitigation starts with stronger controls around dependency installation and package behavior, according to Grover.

“Lockfiles alone don’t protect you,” she said. “You need automated scanning at install time against known-malicious packages and behavioral signals like unexpected postinstall scripts, remote payload fetching, or unusual network calls.”

Grover said least-privilege access for developer credentials is equally important, including scoped, short-lived keys and secrets management practices that avoid leaving credentials in environment variables or configuration files.

“If an attacker gets a key and it can’t move laterally, the campaign stalls,” she added.

Keith Prabhu, founder and CEO at Confidis, said CISOs should also prioritize hardened developer endpoints, package allowlisting, AI tooling governance, and zero-trust controls within local development environments.
