Green digital characters cascading down a dark screen resembling the Matrix code effect

TL;DR:

  • What happened: A coordinated supply chain attack called TrapDoor planted 34 malicious packages across npm, PyPI, and Crates.io starting May 22, 2026. The packages target developers working in crypto, DeFi, and AI. [1][2]
  • The new trick: The malware plants invisible instructions (hidden with zero-width Unicode characters) inside .cursorrules and CLAUDE.md project files. When AI coding assistants like Claude Code or Cursor read those files, they execute a fake “security scan” that silently steals credentials. [1][3]
  • What gets stolen: SSH keys, AWS credentials, GitHub tokens, crypto wallets (Sui, Solana, Aptos), browser login data, environment variables, and API keys. The payload also attempts lateral movement via SSH. [1][2]
  • They went after the big repos too: The attackers filed pull requests against LangChain, LlamaIndex, MetaGPT, OpenHands, and Langflow, disguising poisoned files as “docs: add .cursorrules with dev standards.” If merged, every developer who cloned those projects would inherit the attack. [1][3]
  • How it was caught: Socket detected the campaign with a median response time of 5 minutes 27 seconds. Traditional CVE scanners missed it entirely. [1]

Your AI Assistant Trusts Project Files. Attackers Know That.

Here’s how AI coding assistants work: they read configuration files in your project directory to understand context. Files like .cursorrules (for Cursor) and CLAUDE.md (for Claude Code) tell the AI how to behave: what coding standards to follow, what frameworks you use, how to structure responses.

Developers rarely inspect these files character by character. Why would they? They look like documentation.

TrapDoor exploits that trust. The attack embeds hidden instructions using zero-width Unicode characters, specifically U+200B (zero-width space), U+200C (zero-width non-joiner), U+200D (zero-width joiner), and U+FEFF (byte order mark). These characters are completely invisible in every standard text editor. They render as nothing. But AI assistants parse the full Unicode stream and act on what they find. [1][3]

What they find: instructions to run a “security scan” that harvests every credential on your machine and sends it to an attacker-controlled endpoint.

Open the poisoned file in VS Code, Vim, or any editor. It looks normal: maybe some project setup notes, some coding guidelines. Your AI assistant reads the same file and sees a completely different set of orders.

The Kill Chain

TrapDoor operates in stages, and it’s built differently for each ecosystem it targets. [1][2]

Stage 1: The package. You install what looks like a legitimate development tool. Names like prompt-engineering-toolkit, solidity-deploy-guard, defi-threat-scanner, wallet-security-checker. They sound like things a developer would actually search for.

Stage 2: Ecosystem-specific execution.

  • npm: A postinstall hook drops trap-core.js, a 48,485-byte payload that scans for credentials, validates AWS and GitHub tokens via live API calls, and attempts SSH-based lateral movement to other machines on your network. [1]
  • PyPI: The package auto-executes on import. It downloads JavaScript from the attacker’s GitHub Pages site (ddjidd564.github.io) and runs it via node -e. Remote payload means the attacker can update the attack after you’ve already installed the package. [1]
  • Crates.io: Rust’s build.rs scripts execute during compilation. The malware searches local keystores, encrypts the data with a hardcoded XOR key (cargo-build-helper-2026), and exfiltrates to GitHub Gists. [1]

Stage 3: Persistence and AI poisoning. The malware installs itself everywhere: cron jobs, systemd services, Git hooks, shell hooks. And it plants the poisoned .cursorrules and CLAUDE.md files so your AI assistant becomes a long-term credential harvester even after the original package is removed. [1][3]

The 34 Packages

Socket identified malicious packages across all three ecosystems, published from clustered accounts in rapid waves starting May 22, 2026. Across 384+ versions. [1]

npm (21 packages): async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader.

PyPI (7 packages): cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard.

Crates.io (6 packages): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils.

Notice the naming pattern. Every package sounds like something a developer would trust: security tools, build utilities, deployment helpers. The Crates.io packages specifically target developers working with Sui and Move, a blockchain ecosystem where wallet keys are high-value targets.

They Tried to Poison the Big Projects

The package uploads were only half the campaign. The attacker (operating from GitHub account ddjidd564) also filed pull requests against some of the most popular AI and developer tool repositories: [1][3]

  • LangChain: the most widely-used AI application framework
  • LlamaIndex: a leading AI data framework
  • MetaGPT: an AI agent framework
  • OpenHands: an AI coding agent platform
  • Langflow: a visual AI workflow builder
  • browser-use: an AI browser automation tool

The PRs proposed adding .cursorrules or CLAUDE.md files under innocent titles like “docs: add .cursorrules with dev standards and build verification.” A maintainer doing a quick review would see a documentation file with coding guidelines. The zero-width characters carrying the actual payload would be invisible. [1][3]

If any of those PRs had been merged, every developer who cloned the project would have a weaponized AI assistant: one that looks normal but quietly exfiltrates secrets every time it “helps” with code.

None of these PRs were merged. But the attack vector is now public knowledge, and copy-cats are inevitable.

Traditional Scanners Missed Everything

Here’s the part that should worry security teams: zero CVE alerts. No advisories. Traditional vulnerability scanners didn’t flag a single one of these packages. [1]

That’s because CVE-based scanning looks for known vulnerabilities in known packages. TrapDoor created new packages with new names. There was nothing in the database to match against. The malware didn’t exploit a vulnerability in npm or PyPI. It exploited the trust developers place in package names that sound legitimate.

Socket caught the campaign using behavioral analysis, looking at what packages actually do after installation rather than checking them against a list of known-bad signatures. Their median detection time was 5 minutes and 27 seconds across 381 package versions. The fastest detection was 58 seconds. [1]

But behavioral analysis tools aren’t standard. Most development teams still rely on npm audit or pip audit, tools that only catch what’s already been reported. Against TrapDoor, they reported nothing.

Why This Changes the Threat Model

Supply chain attacks aren’t new. Typosquatting isn’t new. But weaponizing AI coding assistants as an exfiltration channel? That’s new.

Think about what TrapDoor demonstrates:

  • AI assistants are a new attack surface. Every project with a .cursorrules or CLAUDE.md file is a potential poisoning target. These files exist in thousands of repositories.
  • Invisible payloads bypass code review. Zero-width Unicode characters can’t be seen in normal editors. A careful human reviewer would miss them. An AI-powered code review tool would parse them, and potentially execute them.
  • The AI becomes the weapon. The developer doesn’t run malware. The developer doesn’t click a phishing link. The developer’s own AI assistant, the tool they trust to write and review code, does the exfiltration.
  • Persistence survives package removal. Even if you uninstall the malicious package, the poisoned project files and the cron jobs, systemd services, and Git hooks remain. The AI assistant keeps harvesting credentials from the planted configuration files.

This is the trust model problem: AI assistants are designed to be helpful, to follow project-level instructions, to act on what they read. TrapDoor uses that design against developers.

What Developers Should Do Right Now

  • Audit your project files for hidden Unicode. Run this in any project directory:
    grep -rP '[\x200B\x200C\x200D\xFEFF]' . --include='.cursorrules' --include='*.md'
    If it returns anything, those files contain zero-width characters that shouldn’t be there. [3]
  • Check who authored your AI config files. If your project has a .cursorrules or CLAUDE.md that no one on your team wrote, treat it as suspicious. Run git log --follow on the file to see when it was added and by whom.
  • Review recent PRs for documentation-only changes. The TrapDoor PRs were disguised as documentation updates. Look for PRs from unfamiliar accounts that add or modify AI configuration files.
  • Use behavioral package scanning. Tools like Socket analyze what packages actually do after installation. Traditional npm audit / pip audit only catch known-bad packages, so they’ll miss new ones like TrapDoor.
  • Check for unexpected persistence. Look for unfamiliar cron jobs (crontab -l), systemd services, Git hooks in .git/hooks/, and shell profile modifications (.bashrc, .zshrc).
  • Rotate credentials if you installed any listed package. If you used any of the 34 packages above, assume your AWS keys, GitHub tokens, SSH keys, and crypto wallets are compromised. Rotate everything immediately.

This is the first known coordinated attack targeting AI coding assistants as an exfiltration channel. It won’t be the last.

Sources

  1. Socket: TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages Across npm, PyPI, and Crates.io (May 2026)
  2. The Hacker News: TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io (May 2026)
  3. Phoenix Security: TrapDoor Supply Chain Campaign: AI Assistant Poisoning via npm, PyPI, and Crates.io (May 2026)