SlowMist
SlowMist|May 28, 2026 08:26
✍️We have released an in-depth technical analysis report on the #TrapDoor cross-ecosystem supply chain credential theft campaign. TrapDoor was first disclosed by the @SocketSecurity on May 24. Subsequently, we conducted continuous threat hunting through our MistEye threat intelligence system and issued an early warning. The campaign spans npm, PyPI, and http://Crates.io, involving 34+ malicious packages and 384+ versions targeting developers in crypto, #DeFi, #Solana, #Sui/Move, and #AI. 🔍In this report, we selected three representative samples for detailed analysis: 🔹PyPI: git-config-sync (disguised as a Git configuration synchronization tool) 🔹npm: token-usage-tracker (disguised as a token usage tracking tool) 🔹http://Crates.io: sui-framework-helpers (disguised as a Sui Move development helper library) For each sample, we fully reconstructed the attack chain — from the entry-point trigger mechanisms (postinstall / http://init.py / http://build.rs), sensitive data collection scope, encryption and encoding methods, to the exfiltration channels and remote control infrastructure (http://ddjidd564.github.io, GitHub Gists, http://webhook.site). Special thanks to @SocketSecurity for their outstanding initial research and disclosure of the TrapDoor campaign. Salute! 👏 📖 Full technical analysis : https://medium.com/@slowmist/threat-intelligence-trapdoor-analysis-a-cross-ecosystem-supply-chain-credential-theft-operation-a9a4e11616ea(SlowMist)
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads