
SlowMist
@SlowMist_Team
SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
Joined April 2018
406 Following    88.6K Followers
✍️ We have released an in-depth technical analysis report on the #TrapDoor cross-ecosystem supply chain credential theft campaign. TrapDoor was first disclosed by @SocketSecurity on May 24. Subsequently, we conducted continuous threat hunting through our MistEye threat intelligence system and issued an early warning. The campaign spans npm, PyPI, and involving 34+ malicious packages and 384+ versions targeting developers in crypto, #DeFi, #Solana, #Sui/Move, and #AI.

🔍 In this report, we selected three representative samples for detailed analysis:
🔹 PyPI: git-config-sync (disguised as a Git configuration synchronization tool)
🔹 npm: token-usage-tracker (disguised as a token usage tracking tool)
🔹 sui-framework-helpers (disguised as a Sui Move development helper library)

For each sample, we fully reconstructed the attack chain — from the entry-point trigger mechanisms (postinstall / / sensitive data collection scope, encryption and encoding methods, to the exfiltration channels and remote control infrastructure ( GitHub Gists,

Special thanks to @SocketSecurity for their outstanding initial research and disclosure of the TrapDoor campaign. Salute! 👏

📖 Full technical analysis :
🚨 SlowMist TI Alert 🚨

MistEye has detected a cross-registry supply chain attack targeting developers through malicious packages published to npm, PyPI, and The campaign includes 34+ malicious packages and 384+ related versions. Targeted communities include crypto, DeFi, Solana, Sui/Move, and AI developers.

Potential attacker actions include theft of crypto wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and developer secrets. Some payloads also attempt persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH.

Remove affected packages immediately. Isolate impacted systems, preserve logs, rotate exposed credentials, rebuild CI runners and developer machines from clean images, and review GitHub, cloud, SSH, and wallet activity.

As always, stay vigilant!
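A defender-side triage script covering two points from the two posts above: the install-time entry point the report names for the npm sample (lifecycle scripts such as postinstall) and the persistence locations the alert lists (.cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, SSH). This is an added example written for this page, not SlowMist's MistEye or Socket's tooling. The concrete path list, the 24-hour default window, and the sample tree built by `demo()` are assumptions for the example; the package names inside `demo()` are constructed, not the campaign's.

```python
"""Defender-side triage for the TrapDoor alert. Added example, not SlowMist's
or Socket's tooling. Two checks a responder can run on a developer machine or
CI runner:

1. find_install_scripts: list npm packages under a node_modules tree that
   declare preinstall/install/postinstall lifecycle scripts, the entry-point
   mechanism the report calls out;
2. recently_modified over persistence_candidates: list files in the
   persistence locations the alert names that changed inside a time window.

The path list and the 24h default window are assumptions for this example.
"""
import json
import os
import tempfile
import time
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules):
    """Return [{package, path, scripts}] for manifests declaring install hooks."""
    hits = []
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest: skip, keep scanning
        scripts = data.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if hooks:
            hits.append({"package": data.get("name", manifest.parent.name),
                         "path": str(manifest), "scripts": hooks})
    return sorted(hits, key=lambda h: h["package"])


def persistence_candidates(home, repo=None, system_root=Path("/")):
    """Locations from the alert, relative to a home dir, an optional repo
    checkout and a system root (assumed Linux/macOS layout)."""
    home, system_root = Path(home), Path(system_root)
    paths = [
        home / ".cursorrules", home / "CLAUDE.md",             # AI agent rule files
        home / ".bashrc", home / ".bash_profile",              # shell hooks
        home / ".zshrc", home / ".zprofile", home / ".profile",
        home / ".ssh",                                         # keys, config, rc
        home / ".config" / "systemd" / "user",                 # user units
        home / ".gitconfig",                                   # global hooksPath
        system_root / "etc" / "cron.d", system_root / "var" / "spool" / "cron",
        system_root / "etc" / "systemd" / "system",
    ]
    if repo is not None:
        repo = Path(repo)
        paths += [repo / ".cursorrules", repo / "CLAUDE.md", repo / ".git" / "hooks"]
    return paths


def recently_modified(paths, window_seconds=86400, now=None):
    """Files under the given paths whose mtime is within window_seconds."""
    now = time.time() if now is None else now
    out = []
    for p in paths:
        p = Path(p)
        if not p.exists():
            continue
        files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
        for f in files:
            try:
                age = now - f.stat().st_mtime
            except OSError:
                continue  # vanished or unreadable: skip
            if age <= window_seconds:
                out.append({"path": str(f), "age_seconds": int(age)})
    return sorted(out, key=lambda r: r["age_seconds"])


def demo():
    """Build a constructed sample tree in a temp dir and run both checks on it."""
    root = Path(tempfile.mkdtemp(prefix="trapdoor-triage-"))
    nm = root / "node_modules"
    for name, scripts in (("sample-pkg-with-hook", {"postinstall": "node setup.js", "test": "jest"}),
                          ("sample-clean-pkg", {"test": "jest"})):
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(
            json.dumps({"name": name, "version": "1.0.0", "scripts": scripts}))
    home = root / "home"
    home.mkdir()
    (home / ".cursorrules").write_text("# constructed: written just now\n")
    (home / ".zshrc").write_text("# constructed: untouched for 30 days\n")
    old = time.time() - 30 * 86400
    os.utime(home / ".zshrc", (old, old))  # backdate so it falls outside the window
    return {"install_scripts": find_install_scripts(nm),
            "recent_persistence": recently_modified(persistence_candidates(home, system_root=root))}


if __name__ == "__main__":
    # Real use: point at a project checkout and the current user's home.
    report = {"install_scripts": find_install_scripts(Path.cwd() / "node_modules"),
              "recent_persistence": recently_modified(persistence_candidates(Path.home(), repo=Path.cwd()))}
    print(json.dumps(report, indent=2))
```

The install-script listing is a triage aid, not a verdict: many legitimate packages ship a postinstall, so the output is a review list to check against the alert's package names and against what the script actually does. The persistence sweep is likewise a starting point for the "review ... activity" step in the alert; it reports what changed recently so the responder can diff it against a known-good image.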