Researchers disclosed multiple software supply chain attacks that abused trusted package and plugin distribution paths to steal secrets and execute attacker code. SlowMist detailed the TrapDoor operation, which spread through more than 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, using postinstall hooks, Python import-time execution, and Rust build.rs scripts to harvest credentials, cloud secrets, browser data, and cryptocurrency wallet files. The npm branch added encrypted exfiltration, arbitrary command execution, Git hook injection, shell persistence, and poisoning of AI-assistant context files such as .cursorrules and CLAUDE.md, while infrastructure on GitHub Pages, raw.githubusercontent.com, api.github.com, and webhook.site helped the traffic blend into normal developer activity.
A separate SlowMist investigation found that legitimate npm package node-ipc was compromised through malicious releases 9.1.6, 9.2.3, and 12.0.1, which appended obfuscated code to node-ipc.cjs and exfiltrated AWS credentials, SSH keys, environment variables, and host data over fragmented DNS queries after applications loaded the package with require("node-ipc"). In parallel, ToolJet disclosed a critical instance-wide remote code execution flaw in ToolJet 3.x that let any authenticated builder overwrite a globally shared marketplace plugin with attacker-controlled JavaScript, causing server-side execution whenever other users ran queries through the poisoned plugin; the advisory cited weak authorization, shared plugin records, unsafe vm.runInNewContext() exposure of require and process, and missing integrity checks for plugin code fetched from GitHub.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
A GitHub security advisory disclosed a critical ToolJet 3.x vulnerability that lets any authenticated builder overwrite a globally shared marketplace plugin with attacker-controlled JavaScript, leading to instance-wide server-side remote code execution. The advisory documented the authorization flaw, unsafe execution path, and a proof of concept for plugin poisoning and query-triggered execution.
SlowMist published an analysis of the TrapDoor campaign, linking Python and npm samples through shared infrastructure and detailing credential theft, persistence, AI context poisoning, and exfiltration techniques. The report also examined a Rust package that stole wallet files during compilation, though SlowMist said its linkage to the broader cluster was not independently verified at code level.
The TrapDoor cross-ecosystem supply chain operation was first disclosed by Socket.dev on May 24, 2026. The campaign involved more than 34 malicious packages and 384 published versions across npm, PyPI, and Crates.io.
SlowMist identified three malicious node-ipc releases—9.1.6, 9.2.3, and 12.0.1—published on May 14, 2026. The poisoned versions appended obfuscated code to the CommonJS entry file to steal credentials and exfiltrate data via fragmented DNS queries.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
slowmist.medium.com
Open sourceslowmist.medium.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.