June 20, 2026
In late May 2026, security researchers disclosed a supply-chain campaign that came to be known as TrapDoor. More than 34 malicious packages went up across PyPI, npm and Crates.io at roughly the same time. They were not broken or buggy; they were built to run hostile code the moment they were installed or imported, scraping SSH keys and credentials off the machine and sending them to the attackers (reported by The Hacker News, 25 May 2026).