A coordinated software supply chain campaign is targeting developers across three package ecosystems simultaneously. Researchers at Socket have identified the operation, codenamed TrapDoor, which deployed 34 malicious packages across over 384 versions on npm, PyPI, and Crates.io beginning on May 22, 2026. The campaign steals crypto wallet keys, SSH credentials, and cloud access tokens — and introduces a novel technique: planting hidden instructions inside AI assistant configuration files to manipulate tools like Cursor and Claude Code into exfiltrating additional data.

Scope and Targeting

TrapDoor is not a spray-and-pray operation. The package names are specifically crafted to attract developers working in cryptocurrency, DeFi, Solana, and AI development — communities that handle high-value credentials and infrastructure access.

Sample package names include:

  • prompt-engineering-toolkit
  • solidity-deploy-guard
  • defi-threat-scanner

Each name is calibrated to sound like a useful tool for its target audience. A Solana developer searching for a deploy auditing library, a DeFi engineer looking for a threat detection module, or an AI developer grabbing a prompt utilities package would find these results plausible.

The campaign kicked off at 8:20 PM UTC on May 22, with packages appearing in waves across all three registries from a cluster of newly created accounts. The coordinated multi-registry approach is designed to maximize coverage and complicate takedown efforts — registries operate independently, so removing a package from npm does not automatically pull it from PyPI or Crates.io.

What TrapDoor Steals

The malicious packages target a broad range of high-value developer credentials:

  • Cryptocurrency wallet keystores — the encrypted files that hold private keys
  • SSH private keys — enabling lateral movement to any system the developer has authorized access to
  • Cloud credentials — AWS access keys, GCP service account tokens, Azure credentials
  • AI editor configurations — including API keys stored in tools like Cursor, Windsurf, and Claude Code

What distinguishes TrapDoor from simpler credential stealers is its active validation step. After harvesting tokens, the malware calls live AWS and GitHub APIs to confirm whether the stolen credentials are still valid. Invalid or expired tokens are filtered out before exfiltration. The attacker receives only working, high-value credentials — reducing noise and maximizing the operational value of the stolen data.

Socket detected TrapDoor releases in an average of 5 minutes and 56 seconds across 381 package-version records with complete timestamps. The speed of detection is notable, but also illustrates how quickly packages can accumulate downloads in the minutes before a malicious package is pulled.

The AI Assistant Poisoning Technique

The most novel aspect of TrapDoor is what it does to AI coding assistants. After a package is installed and the initial credential theft occurs, the malware plants two files in the developer’s project directory:

  • .cursorrules — used by the Cursor AI editor to customize assistant behavior
  • CLAUDE.md (or project-CLAUDE.md) — used by Anthropic’s Claude Code to load project-specific context and instructions

Both files are injected with zero-width Unicode characters — invisible characters that render as nothing in text editors but are interpreted as meaningful content by the AI system reading them. Embedded within these invisible characters are instructions directing the AI assistant to run additional “security scans” or “diagnostics” — routines that in practice exfiltrate data from the project context, including environment variables, API keys, and configuration files that the AI has access to.

The attack is clever because it exploits the trust relationship between a developer and their AI assistant. A developer who audits their .cursorrules or CLAUDE.md file visually sees nothing wrong. The injected instructions are invisible. But the AI reading those files acts on them, potentially exfiltrating data the developer never intended to share.

This represents a new frontier in supply chain attacks: not just stealing credentials at install time, but persistently manipulating the developer’s AI-assisted workflow to continue harvesting data over time.

Detection and Response

Socket flagged the packages with a median detection time of 5 minutes and 27 seconds — fast by any measure, but still enough time for early-adopter developers to install and run the packages.

Developers who installed any package from the TrapDoor cluster should:

  1. Immediately rotate all cloud credentials, SSH keys, and wallet keystores accessible from affected development machines
  2. Audit .cursorrules, CLAUDE.md, and any AI assistant configuration files for unexpected content — use a hex editor or Unicode viewer, not just a standard text editor, to reveal hidden characters
  3. Remove the malicious packages and any transitive dependencies they introduced
  4. Audit CI/CD pipeline secrets — developer machines that run pipelines may have exposed credentials used in automated deployments
  5. Check for new authorized devices or unexpected OAuth grants in AWS, GitHub, and other cloud platforms

A Pattern Accelerating

TrapDoor follows a string of multi-ecosystem supply chain attacks in 2026. The Megalodon GitHub CI/CD campaign compromised over 5,500 repositories in May. The Laravel-Lang supply chain attack hit Composer with 700 poisoned versions. The TeamPCP campaign targeted npm with copycat packages.

What TrapDoor adds to this landscape is the AI assistant poisoning vector — a technique that, to date, has not been documented in any prior supply chain campaign. As AI coding assistants become standard development infrastructure, and as they gain broader access to project contexts including environment variables and credentials, they become high-value targets for exactly this kind of persistent, invisible compromise.

The developer community should treat AI configuration files — .cursorrules, CLAUDE.md, .aider, Copilot workspace files — with the same skepticism they apply to any executable content introduced by a dependency.

Sources