A coordinated campaign codenamed TrapDoor has targeted the npm, PyPI, and Crates.io ecosystems, distributing over 34 malicious packages designed to steal credentials.
A new, coordinated software supply chain attack, dubbed 'TrapDoor,' has targeted major package ecosystems including npm, PyPI, and Crates.io. The campaign aims to distribute credential-stealing malware across these platforms. The attack involves more than 34 malicious packages spanning over 384 versions. Initial activity was recorded on May 22, 2026. The scale of the campaign across three separate registries points to a sophisticated effort to compromise software dependencies across the development landscape.