ctipilot.ch

TrapDoor

campaign · campaign:trapdoor single-source

Cross-ecosystem supply-chain campaign (npm / PyPI / Crates.io) featuring AI-assistant configuration poisoning.

Coverage timeline
5
first 2026-05-25 → last 2026-06-01
Peak priority
high
3 high · 2 notable
Sources cited
16
8 hosts
Sections touched
3
active-threats, weekly-long-running, weekly-multi-day
Co-occurring entities
2
see Related entities below
ATT&CK techniques
17
pinned v19.1 · see below
2026-05-255 appearances2026-06-01

ATT&CK techniques

17 techniques observed across 3 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195Supply Chain Compromise×1

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools×1

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×2

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1566.002Phishing: Spearphishing Link×1

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

Execution TA0002

T1053Scheduled Task/Job×1

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1059Command and Scripting Interpreter×2

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×1

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

Persistence TA0003

T1053Scheduled Task/Job×1

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

Privilege Escalation TA0004

T1053Scheduled Task/Job×1

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

Credential Access TA0006

T1552Unsecured Credentials×1

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

Discovery TA0007

T1082System Information Discovery×1

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · ATT&CK page ↗

T1083File and Directory Discovery×1

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · ATT&CK page ↗

T1614System Location Discovery×1

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · ATT&CK page ↗

Lateral Movement TA0008

T1021Remote Services×1

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1021.004Remote Services: SSH×1

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

Evidence: 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

Story timeline

  1. 2026-06-01Two concurrent npm dependency-confusion campaigns target internal corporate namespaces
    active-threats
  2. 2026-05-26"TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files
    active-threats
  3. 2026-05-26ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads
    active-threats
  4. 2026-05-25Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive
    weekly-multi-day
  5. 2026-05-25Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit
    weekly-long-running

Where this entity is cited

  • active-threats3
  • weekly-long-running1
  • weekly-multi-day1

Source distribution

  • attack.mitre.org8 (50%)
  • isc.sans.edu2 (12%)
  • microsoft.com1 (6%)
  • ox.security1 (6%)
  • socket.dev1 (6%)
  • sonatype.com1 (6%)
  • thehackernews.com1 (6%)
  • wiz.io1 (6%)

Related entities

All cited sources (16)

Entries about TrapDoor (5)

2026-06-01 · view entry permalink →

HIGH

Two concurrent npm dependency-confusion campaigns target internal corporate namespaces

Microsoft Threat Intelligence and Sonatype each documented coordinated npm dependency-confusion campaigns in the window, both distinct from the Mini Shai-Hulud / TrapDoor typosquat activity covered last week. Microsoft (published 2026-05-30) detailed malicious packages pushed in two bursts on 28–29 May by three maintainer aliases (mr.4nd3r50n, ce-rwb, t-in-one) — its post is titled for the initial 33, while the body enumerates 45 across the two waves (26 + 7 + 12 by alias) — impersonating internal packages across nine organisational scopes and spoofing internal-infrastructure URLs (GitHub Enterprise, Jira, docs portals) in package.json homepage/repository/bugs fields to survive manual review (Microsoft Threat Intelligence, 2026-05-30). The vector is classic dependency confusion: packages published to the public registry under inflated versions (100.100.100, 3.5.22) win npm's resolution race against private-registry equivalents whenever the consuming project's .npmrc is not scope-locked. The postinstall stager (obfuscator.io, ~7–13 KB across the two waves) carries a kill switch (T_IN_ONE_NO_TELEMETRY) and a run-once marker (~/.cache/._t-in-one_init/), fingerprints OS, and specifically detects CI/CD environments before pulling a second-stage reconnaissance payload — a two-phase design that profiles before any credential theft, frustrating payload-signature detection. Microsoft reports the offending repositories and accounts were taken down.

Separately, Sonatype documented a larger 176-package campaign (tracked Sonatype-2026-003429) using version 99.99.99 to beat private-registry precedence, with postinstall scripts likewise targeting developer and CI/CD environments; Sonatype reported Russian-language comments and coordinated infrastructure across the package set (Sonatype, 2026-05-28). The language artefact is Sonatype's observation, not an attribution. Mapped to T1195.002 Compromise Software Supply Chain with discovery TTPs (T1082, T1083, T1614) in the recon payload.

Why it matters to us: Any organisation that consumes private npm packages internally and has not scope-locked .npmrc is in scope — Swiss/EU eGovernment software factories and research institutions maintaining internal Node.js tooling included, and the CI/CD-detection logic specifically flags build pipelines as higher-value follow-on targets.

threat01 Jun 05:00Zmulti-sourceOpen finding ↗

2026-05-26 · view entry permalink →

NOTABLE

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.

threat26 May 05:00Zsingle-sourceOpen finding ↗

2026-05-26 · view entry permalink →

HIGH

"TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files

Socket disclosed TrapDoor, a coordinated supply-chain campaign spanning 34+ malicious packages across 384+ versions published to npm, PyPI and Crates.io, with earliest activity on 2026-05-22 ~20:20 UTC; Socket reports a median detection latency of under six minutes after publish (Socket, 2026-05-24; The Hacker News, 2026-05-25). Each registry carries a distinct execution path: npm packages run a JavaScript credential harvester via a postinstall lifecycle hook (T1195.001, T1059.004); PyPI packages execute on import and pull a remote payload via node -e; Rust crates use build.rs scripts that XOR-encrypt local Sui/Solana/Aptos wallet keystores and exfiltrate them to GitHub Gists. The npm harvester validates stolen AWS and GitHub tokens against live APIs before flagging them — only working credentials are exfiltrated (T1552.001) — and establishes persistence via cron, systemd units, Git hooks and SSH-based lateral movement (T1053.003, T1021.004). The defining novelty is an AI-assistant targeting vector: the packages write hidden instructions into .cursorrules and CLAUDE.md using zero-width Unicode characters (U+200B family), so a developer reviewing the file sees clean text while Cursor or Claude Code parses an attacker "security scan" directive that triggers data exfiltration (T1195.002).

Why it matters to us: the targeting (crypto/DeFi/AI developer communities) is narrow, but the execution model is not — any CH/EU public-sector DevOps pipeline that installs from these registries is exposed, and the AI-config-poisoning vector is a fresh class of persistence that survives a clean-looking code review. Hunt for node/python/cargo build processes spawning sh/bash/node -e, package-manager process trees writing to ~/.cursorrules or CLAUDE.md (especially with zero-width code points U+200B/U+200C/U+FEFF present), unexpected systemd unit or crontab writes from build runners, and GitHub Gist POST from CI. Pin exact versions, verify lockfile hashes, and run installs with --ignore-scripts where feasible.

threat26 May 05:00Zmulti-sourceOpen finding ↗

Earlier coverage (2)