VDB

GCVE-110-OSM-2026-161

GCVE-110-OSM-2026-161
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 22, 2026
This package is part of a large scale software supply chain attack that targeted pypi, NPM and Crates.io (Rust) packages. This attack has been dubbed "TrapDoor". The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md). Payload: __init__.py Malicious payload triggered at Python import time. The __init__.py file pulls a secondary payload from https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js The compliance-scanner-light.js javascript file looks for sensitive environment variables, dot files and wallet paths. It then pulls a third stage payload in the form of a config file from from https://ddjidd564.github.io/defi-security-best-practices/config.json. Exfiltrates SSH keys, AWS creds, GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos). Persists via shell/git hooks, systemd, cron. Plants zero-width Unicode prompt injections in .cursorrules and CLAUDE.md. Campaign marker: P-2024-001. Publishers: PyPI users asdmini67, dae5411. Earliest observed: eth-security-auditor v0.1.0 on 2026-05-22 20:20:18 UTC. IOCs: domains: verify.build-standards.org c2: https://webhook.site/74632b13-1809-4519-8b5d-47c1e8816436 https://webhook.site/ef853a7d-bfda-4744-9310-2d6549915b6a https://webhook.site/b26f5ddd-1163-4d17-8466-fdd2523b72b8 GitHub User: https://github.com/ddjidd564 sha256 filehas for __init__.py: d1a058dc8663d4925aac9206b1bc0d85ededd0b60f876ed762fe9ffa275e143d sha256 filehash for compliance-scanner-light.js: eb75b2dbfd53d05e55d44860bdb6fcc01130b6d0736c132790acd236faad9b27 sha256 filehas for config.json: ef80eac1a3fee9d828499a5967c4ee06d6e4c3e70c160c6904f6e33774f7014c

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndemozecoball (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected)
unknownfalcor-server* (affected)
unknowneth-security-auditorall (affected)
unknownflowfixall (affected), all (affected), all (affected), * (affected)
unknownhostlists-plugins-defaultall (affected), all (affected), all (affected), all (affected)

References

advisory
vendor
advisory
vendor
advisory
vendor
advisory
vendor
vendor

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›