TrapDoor supply-chain campaign targeted npm, PyPI, and Crates.io packages
Posted by raptorhunter22@reddit | programming | 5 comments
A reported campaign called “TrapDoor” pushed malicious packages across npm, PyPI, and Crates.io, targeting developer environments for credentials like AWS keys, GitHub tokens, SSH keys, browser data, and crypto wallets. The most unusual part is the AI workflow angle: some payloads reportedly targeted files like .cursorrules and CLAUDE.md using hidden Unicode instructions.
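A defensive check for the hidden-Unicode angle mentioned in the post, added here as an example (not code from the post or the report it summarizes). It assumes "hidden Unicode" means invisible format characters (Unicode category Cf: zero-width characters, bidi controls, the tag block U+E0000 to U+E007F); the function names and the sample text are constructed for illustration.

```python
import sys
import unicodedata

# Assumption: hidden instructions rely on invisible format characters (category Cf).
TAG_BASE = 0xE0000  # tag characters U+E0020..U+E007E mirror ASCII 0x20..0x7E


def find_hidden(text):
    """Return (line, column, codepoint, name) for every invisible format character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def decode_tags(text):
    """Recover ASCII text encoded as tag characters so a reviewer can read it."""
    return "".join(
        chr(ord(c) - TAG_BASE) for c in text if 0xE0020 <= ord(c) <= 0xE007E
    )


def scan_file(path):
    """Scan one rules file (e.g. .cursorrules or CLAUDE.md) and return findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return find_hidden(text), decode_tags(text)


# Constructed sample: an ordinary-looking rule line carrying a harmless marker
# in tag characters, plus a zero-width space on the second line.
SAMPLE = (
    "Use 4-space indentation."
    + "".join(chr(TAG_BASE + ord(c)) for c in "hidden-marker")
    + "\nPrefer\u200b explicit imports.\n"
)

if __name__ == "__main__":
    # Usage: python scan_rules.py .cursorrules CLAUDE.md
    status = 0
    for path in sys.argv[1:]:
        hits, hidden = scan_file(path)
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
        if hidden:
            print(f"{path}: decoded tag text: {hidden!r}")
        status |= bool(hits)
    sys.exit(status)
```

The non-zero exit status on any finding lets this run as a pre-commit hook or CI step over rule files pulled in from dependencies.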
programming-ModTeam@reddit
Content about AI and LLMs is considered off-topic with the sole exclusion of deeply technical content about implementation. See the AI policy.
ArtOfWarfare@reddit
Why am I not seeing these supply-chain attacks targeting maven repos? Are they just as common but we're much worse at detecting them, or is maven much better at blocking them, or is nobody trying to go after maven like that?
Also, same question about NuGet… or whatever the .net repo is called (IDK, I never work with .net.)
Worth_Trust_3825@reddit
Because in java world we do not believe in version ranges. Even if a supply chain attack happened, nobody would notice because people aren't blindly bumping versions. It is just as susceptible to this problem, to the point where maven refused to use tls by default until 2021.
Ruby gems repositories have been attacked in the past because gems does version ranges just like pip. There aren't many ruby users though. Latest ruby supply chain attack I recall was
rest-client https://github.com/rest-client/rest-client/issues/713
Yawaworth001@reddit
LLM-generated report on a hack targeting LLM-generated packages. What a time to be alive.
ChimpScanner@reddit
Wake up babe, new supply chain attack dropped.