A new supply chain campaign called TrapDoor has deployed 34 malicious packages across npm, PyPI, and Crates.io since May 22, 2026 — and the credential theft is not even the most alarming part. The headline is how it steals: by injecting hidden instructions into the configuration files your AI coding assistant reads, then sitting back while Claude Code or Cursor runs what it believes is a routine security scan and quietly hands over your AWS keys, GitHub tokens, SSH keys, and crypto wallets.
What TrapDoor Is
TrapDoor is a coordinated cross-ecosystem attack spanning 34 malicious packages across 384 versions, detected by Socket’s security team with a median response time of just 5 minutes and 27 seconds. Despite that speed, the packages were found in over 35,000 public and private repositories before containment. The campaign targets developers in crypto, DeFi, Solana, and AI communities — but the risk extends to anyone who runs npm install or pip install and has an AI coding assistant active in their editor.
Packages were designed to look legitimate: eth-security-auditor, prompt-engineering-toolkit, defi-threat-scanner, dev-env-bootstrapper. The names are plausible enough to pass a casual glance in a package.json.
The Postinstall Hook: Where It Starts
On npm — where 21 of the 34 packages live — the attack fires the moment you run npm install. A postinstall hook in the package’s package.json automatically executes trap-core.js: a 1,149-line, 48,485-byte credential harvester. You don’t double-click anything. You don’t run a suspicious script. You install a package, and the damage begins.
PyPI packages take a different approach: they execute at import time and download a JavaScript payload from attacker-controlled GitHub Pages infrastructure. This remote-fetch design lets the attacker update the payload server-side without republishing — a deliberate countermeasure against static analysis tools that inspect package contents at publish time.
Crates.io packages use Rust’s build.rs scripts, which run at compile time. These specifically hunt Sui and Move keystores, encrypt stolen data with a hardcoded XOR key (cargo-build-helper-2026), and exfiltrate to GitHub Gists.
The AI Poisoning Layer
Here is where TrapDoor departs from every supply chain attack that came before it.
After the credential harvester installs, the shared npm payload drops two files into your project root: .cursorrules and CLAUDE.md. These are the configuration files that Cursor and Claude Code read to understand your project context. Developers write them. AI assistants trust them.
The files look blank — or routine — in any standard text editor. What editors don’t render are the zero-width Unicode characters threaded through the content: U+200B (zero-width space), U+200C (zero-width non-joiner), U+200D (zero-width joiner), U+FEFF (zero-width no-break space). These characters are invisible to human reviewers but fully legible to the language model parsing the Unicode stream. According to Phoenix Security’s analysis, “content appears blank or benign in any standard text editor. The AI assistant parses the full Unicode stream and acts on the hidden instructions.”
When you open the project in Claude Code or Cursor, the AI reads those files — as it is designed to do — interprets the hidden commands as legitimate project directives, and executes what it’s told: a “security scan.” That scan harvests credentials. The developer never typed a suspicious command. Their AI did it for them.
The attacker (operating as GitHub account ddjidd564) also submitted pull requests containing poisoned config files to LangChain, LlamaIndex, MetaGPT, OpenHands, and Langflow — filed under titles like “docs: add .cursorrules with dev standards and build verification.” A merged PR would have exposed every developer who subsequently cloned those repositories and opened them in an AI-assisted editor.
What Gets Stolen
As The Hacker News reports, trap-core.js targets a wide credential surface: AWS credentials from ~/.aws/credentials and environment variables, GitHub personal access tokens, SSH private keys, Sui and Solana and Aptos wallet keystores, MetaMask and Phantom browser extension data, CI/CD secrets, and .env files. Before transmitting anything, the payload makes live calls to AWS and GitHub API endpoints to validate each credential. Only verified, working credentials get exfiltrated — the attacker receives a confirmed dataset with no dead keys.
Detect and Protect
TrapDoor carries no CVE. Traditional vulnerability scanners are blind to this campaign — detection requires behavioral analysis, not signature matching. Start with a manual check of your AI config files:
grep -rP '[\x{200B}\x{200C}\x{200D}\x{FEFF}]' . --include='.cursorrules' --include='*.md'
GNU grep's -P takes \x{...} rather than \u escapes, and code points above 0xFF need a UTF-8 locale (for example LANG=C.UTF-8) or the pattern is rejected.
Block postinstall hooks in npm and build-time execution in PyPI at the install step:
npm ci --ignore-scripts
pip install --only-binary=:all: -r requirements.txt
--only-binary refuses source distributions, so no setup.py or build backend runs during install. No install flag stops code that runs at import time, which is how the PyPI packages in this campaign execute; for those, the lockfile audit below is the check that matters.
If any of the 34 flagged packages appear in your lockfiles, treat your credentials as compromised and rotate immediately: AWS keys, GitHub tokens, SSH keys. Audit your Git history for unexpected additions to .cursorrules or CLAUDE.md — these files should not appear in a project unless you added them.
For CI/CD pipelines, SecurityToday’s 30-day hardening plan prioritizes: egress filtering on runners first (cut the exfiltration channel even if code executes), then enforcing --ignore-scripts across all build steps, then migrating from long-lived service tokens to ephemeral OIDC federation credentials, and finally adding pre-commit hooks that reject commits containing zero-width Unicode in config files.
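A scanner for the zero-width check above, written so it can serve as the pre-commit hook in the hardening plan (an added example, not code from the write-up or from Socket, Phoenix Security or SecurityToday; which file names count as AI config, and the sample strings, are assumptions):

```python
# Find zero-width Unicode in AI-assistant config files; exit 1 if any is found.
# Added example, not the write-up's code. Watched file set is an assumption.
import sys
from pathlib import Path

# The four code points named in the write-up: invisible in editors, but part of
# the character stream a language model reads. Extend the table as needed.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",  # also catches a leading BOM, on purpose
}
WATCHED_NAMES = {".cursorrules", "CLAUDE.md"}
WATCHED_SUFFIXES = {".md"}

def is_watched(path) -> bool:
    """True for files an AI assistant reads as project instructions."""
    path = Path(path)
    return path.name in WATCHED_NAMES or path.suffix in WATCHED_SUFFIXES

def find_zero_width(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, name) for every zero-width code point in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ZERO_WIDTH:
                hits.append((lineno, col, ZERO_WIDTH[ch]))
    return hits

def scan_paths(paths) -> dict[str, list[tuple[int, int, str]]]:
    """Map each watched file containing hidden characters to its findings."""
    findings = {}
    for p in map(Path, paths):
        if p.is_file() and is_watched(p):
            # Plain utf-8 (not utf-8-sig) so a BOM is kept and reported.
            hits = find_zero_width(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(p)] = hits
    return findings

def main(argv: list[str]) -> int:
    # No arguments: scan the whole tree. A pre-commit hook passes staged paths.
    findings = scan_paths(argv or map(str, Path(".").rglob("*")))
    for path, hits in findings.items():
        for lineno, col, name in hits:
            print(f"{path}:{lineno}:{col}: {name}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

As a hook, feed it the staged files (for example `git diff --cached --name-only --diff-filter=ACM | xargs python scan_zero_width.py`); a non-zero exit rejects the commit and the report gives file, line and column for each hidden character.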
The Threat Model Has Changed
Supply chain attacks have always exploited developer trust in third-party code. TrapDoor extends that to developer trust in their own tools. When your AI coding assistant becomes the exfiltration vector, the question is no longer just “is this package safe?” It becomes “is every file my AI reads safe?”
That is a harder question to answer — and TrapDoor is counting on it.