A newly identified malware campaign named **TrapDoor** has targeted developer ecosystems by distributing malicious packages across **npm**, **PyPI**, and **Crates.io**. This coordinated attack aims to steal developer secrets, particularly focusing on crypto and AI-related information, through compromised dependency installations. The campaign has deployed over **34 malicious packages** and **380 affected versions**.
The malware uses techniques such as **build.rs** execution in Rust and a shared payload in JavaScript to establish persistence on infected machines. It also harvests sensitive data such as environment variables and crypto keys. The campaign has implications for AI tools as well: it modifies files that these tools might use, which creates potential code generation risks.
Defenders are advised to perform threat hunting for suspicious packages, check for tampering of AI instruction files, and review common persistence locations in developer environments to mitigate risks.
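One way to begin the hunt for suspicious packages, as an added example that is not part of the original report: the script inventories code that runs at build or install time in a dependency tree, covering Rust `build.rs` files and, going beyond the text, npm lifecycle scripts. The risky-API patterns, directory names and sample files are assumptions constructed for illustration, not TrapDoor indicators.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed heuristics, not TrapDoor indicators: APIs a build script rarely needs.
RUST_RISKY = {
    "spawns process": re.compile(r"\bCommand::new\b"),
    "opens socket": re.compile(r"\b(?:TcpStream|UdpSocket)\b"),
    "enumerates env": re.compile(r"\benv::vars(?:_os)?\s*\("),
}
NPM_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(root):
    """Return sorted (relative path, finding) pairs for install/build-time code."""
    root, findings = Path(root), []
    for build_rs in root.rglob("build.rs"):
        text = build_rs.read_text(errors="replace")
        hits = [name for name, rx in RUST_RISKY.items() if rx.search(text)]
        detail = ", ".join(hits) if hits else "no risky API matched"
        findings.append((build_rs.relative_to(root).as_posix(), "build.rs: " + detail))
    for manifest in root.rglob("package.json"):
        rel = manifest.relative_to(root).as_posix()
        try:
            scripts = json.loads(manifest.read_text(errors="replace")).get("scripts")
        except (ValueError, AttributeError):
            findings.append((rel, "package.json: unparseable"))
            continue
        if isinstance(scripts, dict):
            for hook in NPM_HOOKS:
                if hook in scripts:
                    findings.append((rel, f"{hook}: {scripts[hook]}"))
    return sorted(findings)


def demo():
    """Scan a constructed dependency tree (sample data, not real packages)."""
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp, "vendor", "example-crate")
        pkg = Path(tmp, "node_modules", "example-pkg")
        crate.mkdir(parents=True)
        pkg.mkdir(parents=True)
        (crate / "build.rs").write_text(
            'fn main() { for (k, v) in std::env::vars() { let _ = (k, v); }\n'
            '  std::process::Command::new("sh"); }\n')
        (pkg / "package.json").write_text(json.dumps(
            {"name": "example-pkg", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
        return find_install_hooks(tmp)
```

Point `find_install_hooks` at a project root containing `vendor/` or `node_modules/`; every finding is a prompt for manual review of that hook, not a verdict.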