TrapDoor Supply Chain Attack Targets Open Source Repositories
Security company Socket Security has discovered a cryptocurrency theft operation named TrapDoor, which is actively launching supply chain attacks on package repositories such as npm, PyPI, and Crates.io.
Currently, 34 malicious packages and 384 versions and components have been confirmed, with attackers continuously pushing new versions, primarily targeting developers in the cryptocurrency, AI, and security fields, capable of stealing sensitive information such as wallets, SSH keys, cloud credentials, and GitHub tokens.
Market Mechanism
Cryptocurrency and AI developers inadvertently introduce malicious packages when installing dependencies, with funds flowing from infected developers' wallets and cloud resources to attacker-controlled addresses, putting pressure on traditional open-source dependency chains, while security scanning tools and supply chain protection services benefit.
ABAB AI Insight
Socket Security and other supply chain security companies have repeatedly exposed similar malicious package incidents on npm and PyPI in recent years, having previously dealt with multiple theft operations targeting developer credentials, indicating that the open-source ecosystem has become a persistent target for attacks.
Capital is accelerating into supply chain security startups, with Socket itself recently completing significant financing. Companies are responding to risks by deploying automated scanning, SBOM, and dependency isolation technologies, strategically shifting from passive response to proactive blocking of malicious releases to protect AI and cryptocurrency development processes.
Similar to the 2018 Event-Stream incident that stole Bitcoin wallets through popular packages, and subsequent dependency confusion attacks, TrapDoor is currently at a stage where the open-source ecosystem is being forced to transition from "convenient distribution" to "security verification."
Structural Judgment
This essentially belongs to the reconstruction of the industrial chain: attackers exploit developers' trust in open-source dependencies, embedding theft mechanisms into standardized package distribution processes, leading to a shift in pricing power and control from community maintainers to professional security platforms. This change is accelerating due to the increasing number of high-value targets in the AI and cryptocurrency fields and the low barriers to release.
ABAB News · Cognitive Law
Convenience is the entry point, trust is the risk; unverified dependencies equal open backdoors.
Repetitive labor is replaced by AI, while repetitive trust is harvested by attackers.
Developers sell time, attackers sell structure; whoever controls the upstream of the chain controls the flow of wealth.