
A coordinated supply chain campaign called TrapDoor hit npm, PyPI, and Crates.io simultaneously last week, planting 34 malicious packages across 384+ versions — and it carries a technique worth paying close attention to: the attacker used invisible Unicode characters to poison AI coding tool context files like CLAUDE.md and .cursorrules, turning your AI assistant into an unwitting credential exfiltrator.
The packages were discovered and reported by Socket.dev, with the earliest upload traced to May 22, 2026. The registries have removed the known packages, but if you installed any of them before the takedown, you have a cleanup job ahead.
The Part That Should Change How You Think About AI Config Files
TrapDoor’s most notable capability is not credential theft — that’s well-trodden ground. What’s new is how it establishes persistence: by poisoning .cursorrules and CLAUDE.md files with zero-width Unicode characters. A developer scanning those files sees a clean document. Cursor or Claude Code reads the underlying bytes and finds hidden instructions disguised as a “security scan” directive, which is actually a full data exfiltration routine.
The attacker didn’t stop there. They filed pull requests against major open source AI repos — langchain-ai/langchain, run-llama/llama_index, FoundationAgents/MetaGPT, OpenHands/OpenHands, and langflow-ai/langflow — with titles like “docs: add .cursorrules with dev standards and build verification.” The goal was to get poisoned context files merged upstream and served to every contributor who cloned those repos.
If that approach had succeeded at scale, AI coding agents on those projects would have been silently exfiltrating credentials from developer machines during normal workflows. That’s the threat model security researchers have been warning about for two years. TrapDoor is the first campaign to execute it at this scope in the wild.
How TrapDoor Executes Across Three Ecosystems
Each registry gets a tailored execution method that exploits the ecosystem’s own conventions:
- npm: A postinstall hook fires `trap-core.js`, a 1,149-line credential harvester. It validates stolen AWS and GitHub tokens via live API calls before exfiltrating — only active credentials get flagged, which increases stealth.
- PyPI: Packages auto-execute on import, fetching a remote JavaScript payload via `node -e` from the attacker’s GitHub Pages domain. This lets the attacker update malware behavior post-publication without a new package release — a detection-evasion step most supply chain attacks skip.
- Crates.io: The malicious `build.rs` runs automatically during `cargo build`. It locates local keystores, XOR-encrypts them with the hardcoded key `cargo-build-helper-2026`, and exfiltrates the result to GitHub Gists.
Socket detected TrapDoor packages in a median time of 5 minutes and 27 seconds. Impressive — but your npm install completes long before that.
What TrapDoor Targets
The campaign targeted crypto and AI developer environments specifically: SSH keys, Sui/Solana/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto wallet extension data, and environment variables. The package names were chosen to blend into those project types: token-usage-tracker, prompt-engineering-toolkit, and llm-context-compressor on npm; eth-security-auditor and defi-risk-scanner on PyPI; sui-move-build-helper and move-compiler-tools on Crates.io.
Check Your Environment Now
If you work on crypto, AI tooling, or Solana/Sui projects, run these checks:
```bash
# Detect hidden Unicode in AI context files
cat -v .cursorrules CLAUDE.md AGENTS.md 2>/dev/null
# Check for TrapDoor npm packages
npm ls 2>/dev/null | grep -E "wallet-security-checker|defi-threat-scanner|token-usage-tracker|prompt-engineering-toolkit|llm-context-compressor"
# Check for TrapDoor PyPI packages
pip list 2>/dev/null | grep -E "eth-security-auditor|cryptowallet-safety|defi-risk-scanner"
```
The `cat -v` command surfaces non-printing characters: multibyte sequences such as zero-width characters show up as `M-` escape sequences (a zero-width space, U+200B, prints as `M-bM-^@M-^K`). If you see anything unexpected in those files, treat the machine as compromised. If you installed any TrapDoor package in the past week, rotate AWS credentials, GitHub tokens, and SSH keys regardless of what those scans show.
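`cat -v` shows you that something is there but not what it is. The following scanner is an added example, not code from the article or from Socket.dev: it reports the line, column and Unicode name of every invisible or text-direction code point in the context files named above (the file names come from the article; the list of code points flagged is my own and covers zero-width characters, bidi controls, tag characters and variation selectors).

```python
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing in an editor yet are still fed to the model.
KNOWN_INVISIBLE = {
    0x00AD: "SOFT HYPHEN",
    0x034F: "COMBINING GRAPHEME JOINER",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}

def classify(cp: int):
    """Label a code point if it is invisible or a text-direction control."""
    if cp in KNOWN_INVISIBLE:
        return KNOWN_INVISIBLE[cp]
    if 0x202A <= cp <= 0x202E or 0x2066 <= cp <= 0x2069:
        return "BIDI CONTROL"        # reorders what the reader sees
    if 0xE0000 <= cp <= 0xE007F:
        return "TAG CHARACTER"       # invisible shadow copies of ASCII
    if 0xFE00 <= cp <= 0xFE0F:
        return "VARIATION SELECTOR"
    if unicodedata.category(chr(cp)) == "Cf":   # any other format character
        return "FORMAT CHARACTER"
    return None

def scan_text(text: str):
    """Return (line, column, 'U+XXXX', label) for every hidden code point."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            label = classify(ord(ch))
            if label is not None:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings

if __name__ == "__main__":
    # Default targets are the context files the article names; pass others as args.
    for path in map(Path, sys.argv[1:] or [".cursorrules", "CLAUDE.md", "AGENTS.md"]):
        if path.is_file():
            for lineno, col, cp, label in scan_text(path.read_text("utf-8", "replace")):
                print(f"{path}:{lineno}:{col}: {cp} {label}")
```

Any hit in a file that is supposed to be plain prose deserves a byte-level look before the file is committed or an agent reads it again.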
The Wider Picture
2026 has been relentless for supply chain attacks: TeamPCP poisoned GitHub via a VS Code extension, and the TanStack/Mistral attack hit 170+ packages with a self-propagating worm; The Hacker News reported on TrapDoor joining that wave. JFrog’s annual report put supply chain attacks up 451% year-over-year. TrapDoor is different because it attacks three registries in parallel and weaponizes AI coding tools that developers run locally around the clock.
The attack surface shifted when developers started using AI agents with persistent context files. CLAUDE.md, .cursorrules, and AGENTS.md were designed for productivity — but they’re files that AI tools read and act on automatically, making them high-value injection targets. SOCRadar’s analysis puts it plainly: these files should now be audited like you’d audit a Dockerfile or a CI pipeline config, because the threat model is the same.