TrapDoor Supply Chain Attack: How Malicious npm Packages Hijack AI Coding Assistants

Posted by Reda Fornera on 2026-05-30


On May 22, 2026, a PyPI package named eth-security-auditor was uploaded at 20:20:18 UTC. It looked harmless enough—a generic security helper for Ethereum developers. But inside was the first visible signal of TrapDoor, a coordinated, cross-ecosystem supply chain campaign that has since deployed more than 34 malicious packages across npm, PyPI, and Crates.io, spanning 384+ versions. This TrapDoor supply chain attack represents one of the most sophisticated threats to AI-assisted development workflows documented to date.

TrapDoor is a credential thief. It hunts AWS keys, GitHub tokens, SSH keys, browser profiles, environment variables, and cryptocurrency wallets. But calling it “just” a credential stealer misses the bigger picture. What makes TrapDoor genuinely alarming is how it steals: by poisoning the configuration files that AI coding assistants like Claude Code and Cursor read automatically, then tricking those assistants into running “security scans” that quietly exfiltrate your secrets.

This is one of the first documented cases where the AI assistant itself—not just the code it generates—becomes the direct attack vector. And if you use AI tools in your development workflow, the TrapDoor supply chain attack is a wake-up call you can’t ignore.


How the TrapDoor Supply Chain Attack Works: From package.json to Exfiltration

TrapDoor’s mechanics are clever precisely because they exploit trust in familiar workflows. Here’s how a typical infection chain unfolds.

Step 1: The Trojan Package

The campaign spreads through packages with innocuous, developer-friendly names. On npm, you might encounter dev-env-bootstrapper, wallet-security-checker, or prompt-engineering-toolkit. On PyPI, names like eth-security-auditor and defi-risk-scanner blend into legitimate tooling. On Crates.io, the attacker targeted Rust developers with packages like sui-move-build-helper and move-compiler-tools.

These packages install through completely normal commands:

npm install wallet-security-checker
pip install eth-security-auditor
cargo add sui-move-build-helper

Step 2: Ecosystem-Specific Execution

Once installed, the malware executes through platform-specific mechanisms:

  • npm: Postinstall hooks trigger a shared 1,149-line payload called trap-core.js (48,485 bytes). The script scans your filesystem for credentials, validates stolen AWS and GitHub tokens via live API calls, and plants persistence mechanisms.
  • PyPI: Packages auto-execute on import, download remote JavaScript from the attacker-controlled GitHub Pages domain, and run it via node -e. This lets the attacker update behavior without publishing a new PyPI release.
  • Crates.io: Malicious build.rs scripts run automatically during compilation, encrypt discovered keystores with a hardcoded XOR key (cargo-build-helper-2026), and exfiltrate them to GitHub Gists.

Step 3: The AI Injection — Config File Injection Attack

Here’s where TrapDoor diverges from every supply chain attack you’ve seen before.

The npm payload plants hidden instructions inside .cursorrules and CLAUDE.md files—configuration files that Cursor and Claude Code automatically ingest as project context. But these aren’t ordinary instructions. The attacker embeds zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF) to hide malicious directives inside what appears to be benign configuration text.

To the human eye, the file looks like normal project standards. To the AI assistant parsing it, the hidden instructions read as legitimate system directives. The result? The AI is socially engineered into executing a “security audit” or “build verification” that actually scans for secrets and ships them to attacker-controlled infrastructure.

This config file injection technique is particularly dangerous because it bypasses traditional malware detection. Standard editors, cat, and even GitHub’s web interface render these files as harmless text. GitHub actually flagged some of the attacker’s PRs as containing “hidden or bidirectional Unicode text,” but that warning is easy to miss—or dismiss as a false positive—during code review.

Step 4: Persistence and Propagation

TrapDoor doesn’t stop at one-time theft. The payload establishes persistence through multiple vectors:

  • .cursorrules and CLAUDE.md files (poisoning future AI sessions)
  • Git hooks and shell hooks
  • systemd services and cron jobs
  • SSH-based lateral movement using stolen keys

A compromised developer machine becomes a bridge into team infrastructure, CI/CD pipelines, and production environments.


What’s Being Stolen: AWS Keys, GitHub Tokens, and Crypto Wallets


According to Socket’s analysis, the malware is designed to collect:

  • SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, and related files)
  • Cloud credentials (AWS access keys and session tokens)
  • GitHub tokens (personal access tokens and repository credentials)
  • Cryptocurrency wallets (Sui, Solana, and Aptos wallet data, including mnemonic phrases)
  • Browser data (login databases, wallet extension data, and browser profiles)
  • Environment variables and local configuration files
  • API keys found in common development paths

The attacker validates stolen AWS and GitHub credentials in real time using API calls. This isn’t spray-and-hope exfiltration—it’s targeted filtering to identify high-value credentials that actually work.

For crypto and DeFi developers, the impact is immediate and financial. For infrastructure engineers, stolen AWS keys and SSH access can cascade into cloud account takeovers and supply chain compromises of their own. And for open-source maintainers, a stolen GitHub token can mean malicious commits, poisoned releases, and downstream attacks on every project that depends on yours.


AI Coding Assistant Vulnerability 2026: Why This Attack Is Different

We’ve spent years worrying that AI coding assistants might generate buggy or insecure code. The TrapDoor supply chain attack flips that concern on its head.


From “AI Generates Bad Code” to “AI Is Manipulated Into Bad Actions”

Traditional supply chain attacks rely on executing malicious code: a postinstall script runs, a binary drops a payload, a build script exfiltrates data. TrapDoor does some of that too, but its signature innovation is AI prompt injection via configuration files.

The attacker understood something fundamental about modern development: Claude Code and Cursor are designed to read project context aggressively. They scan .cursorrules, CLAUDE.md, README.md, and other configuration files to “understand” your codebase and provide better assistance. That helpful behavior becomes a liability when those files contain invisible instructions.

The hidden Unicode technique is particularly insidious: as noted above, standard editors, cat, and GitHub’s web interface all render these files as harmless text, and GitHub’s “hidden or bidirectional Unicode text” warning on the attacker’s PRs is easy to miss or dismiss during code review.

The Attacker’s Playbook

The campaign’s infrastructure reveals deliberate experimentation with AI manipulation. The attacker-hosted GitHub Pages repository contains an AUDIT-MATRIX.md document describing a “Universal AI Agent Extraction Framework.” It outlines staged workflows for capability detection, data extraction, self-replication fallback, and telemetry reporting.

The document explicitly maps credential theft behaviors to benign-sounding tasks:

  • Stealing AWS keys → “cloud configuration validation”
  • Harvesting GitHub tokens → “repository security review”
  • Exfiltrating wallet data → “wallet safety check”
  • Lateral movement → “connection status check”

This is social engineering at scale, automated and targeted at AI systems rather than human operators.


Claude Code Supply Chain Attack and Cursor IDE Security Vulnerability

The TrapDoor campaign specifically exploits the automatic context ingestion that both Claude Code and Cursor perform. Both tools are engineered to be helpful by reading every configuration file they can find. TrapDoor weaponizes that helpfulness.

When Claude Code encounters a CLAUDE.md file or Cursor reads .cursorrules, neither tool currently warns the user that hidden Unicode directives may be present. The AI assistant simply follows the instructions it perceives as legitimate project context. This makes the attack vector particularly difficult to defend against without external tooling.

Security researchers have noted that this is the first widespread campaign where the target is not the developer’s runtime environment alone, but the AI assistant itself. By hijacking the assistant, the attacker gains a trusted insider that can execute commands, read files, and exfiltrate data while appearing to perform legitimate development tasks.


How to Protect Yourself and Your Team

TrapDoor is active, cross-ecosystem, and specifically designed for the AI-assisted development era. Here’s what to do right now.


Immediate Actions

1. Audit your dependencies

Check whether any of the known malicious packages have been installed in your projects. The full list includes names like:

async-pipeline-builder, build-scripts-utils, chain-key-validator,
crypto-credential-scanner, defi-env-auditor, defi-threat-scanner,
deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel,
llm-context-compressor, mnemonic-safety-check, model-switch-router,
node-setup-helpers, project-init-tools, prompt-engineering-toolkit,
solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier,
wallet-security-checker, web3-secrets-detector, workspace-config-loader

On PyPI: cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard.

On Crates.io: move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils.

Run these commands to check:

# npm
npm ls async-pipeline-builder build-scripts-utils chain-key-validator \
crypto-credential-scanner defi-env-auditor defi-threat-scanner \
deployment-key-auditor dev-env-bootstrapper eth-wallet-sentinel \
llm-context-compressor mnemonic-safety-check model-switch-router \
node-setup-helpers project-init-tools prompt-engineering-toolkit \
solidity-deploy-guard token-usage-tracker wallet-backup-verifier \
wallet-security-checker web3-secrets-detector workspace-config-loader

# Python
pip list | grep -E "cryptowallet-safety|data-pipeline-check|defi-risk-scanner|env-loader-cli|eth-security-auditor|git-config-sync|solidity-build-guard"

# Rust
cargo tree | grep -E "move-analyzer-build|move-compiler-tools|move-project-builder|sui-framework-helpers|sui-move-build-helper|sui-sdk-build-utils"
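The commands above only see what is currently installed. As an added example (not part of the original post or any tool it names), the following script checks the lockfiles committed to a repository instead, using exactly the package names listed in step 1, and also reports which npm packages the lockfile marks as carrying an install script, the postinstall path described in step 2. The sample lockfile, requirements file and Cargo.lock contents are constructed for the demo.

```python
import json
import re

# Constructed sample inputs (not real project files), one hit per ecosystem.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"}, "node_modules/express": {"version": "4.19.2"},
    "node_modules/wallet-security-checker": {"version": "1.0.3", "hasInstallScript": True}}})
SAMPLE_REQS = "requests==2.32.0\nEth_Security_Auditor>=0.1  # loose pin\n-r base.txt\n"
SAMPLE_CARGO = '[[package]]\nname = "serde"\n\n[[package]]\nname = "sui-move-build-helper"\n'

# Package names exactly as listed in the article.
NPM_BAD = {
    "async-pipeline-builder", "build-scripts-utils", "chain-key-validator",
    "crypto-credential-scanner", "defi-env-auditor", "defi-threat-scanner",
    "deployment-key-auditor", "dev-env-bootstrapper", "eth-wallet-sentinel",
    "llm-context-compressor", "mnemonic-safety-check", "model-switch-router",
    "node-setup-helpers", "project-init-tools", "prompt-engineering-toolkit",
    "solidity-deploy-guard", "token-usage-tracker", "wallet-backup-verifier",
    "wallet-security-checker", "web3-secrets-detector", "workspace-config-loader"}
PYPI_BAD = {"cryptowallet-safety", "data-pipeline-check", "defi-risk-scanner",
            "env-loader-cli", "eth-security-auditor", "git-config-sync",
            "solidity-build-guard"}
CRATES_BAD = {"move-analyzer-build", "move-compiler-tools", "move-project-builder",
              "sui-framework-helpers", "sui-move-build-helper", "sui-sdk-build-utils"}

def _lock_packages(text):
    return {p.rsplit("node_modules/", 1)[-1]: m for p, m in json.loads(text).get("packages", {}).items()}

def scan_package_lock(text):
    """Names from NPM_BAD pinned anywhere in package-lock.json v2/v3 (keys like node_modules/a/node_modules/b)."""
    return set(_lock_packages(text)) & NPM_BAD

def install_script_packages(text):
    """Names npm marks hasInstallScript in the lockfile: the postinstall hook path
    through which the npm variants of TrapDoor run their payload."""
    return {n for n, m in _lock_packages(text).items() if m.get("hasInstallScript")}

def scan_requirements(text):
    """Names from PYPI_BAD in requirements.txt, with PEP 503 normalisation
    so Eth_Security_Auditor matches eth-security-auditor."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0])
        if m:
            found.add(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    return found & PYPI_BAD

def scan_cargo_lock(text):
    """Crate names from CRATES_BAD in Cargo.lock ([[package]] name = "..." lines)."""
    return set(re.findall(r'^name\s*=\s*"([^"]+)"', text, flags=re.MULTILINE)) & CRATES_BAD
```

Run the three scanners over every branch's lockfiles, not just the checked-out one; a package that was added and later removed still shows up in history.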

2. Audit config files in your repositories

Search for .cursorrules, CLAUDE.md, and similar AI assistant configuration files. If you didn’t create them intentionally, investigate immediately. Look for hidden Unicode using:

# cat -v prints each non-ASCII byte as an M- escape, so a zero-width
# character such as U+200B shows up as M-bM-^@M-^K instead of nothing
cat -v .cursorrules
cat -v CLAUDE.md

Or use tools like unicode-scanner to detect zero-width characters.
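As an added example covering both the zero-width technique from step 3 above and this audit step (it is not code from the original post, from unicode-scanner, or from the campaign itself), the script below reports every invisible format-control character in an AI context file with its line and column, treats a lone leading byte-order mark as the common benign case, and produces a stripped copy that can be diffed against the original. The CLAUDE.md content is constructed for the demo.

```python
import unicodedata

# Constructed sample (not a real TrapDoor file): benign-looking rules with a leading BOM
# and the zero-width characters U+200B/U+200C/U+200D hidden inside line 3.
SAMPLE_CLAUDE_MD = (
    "\ufeff# Project rules\n"
    "\n"
    "Run the test suite before\u200b\u200c\u200d committing.\n"
    "Use 2-space indentation.\n"
)

def find_hidden(text):
    """List (line, col, codepoint, name) for every format-control (Cf) character;
    this category covers the zero-width characters and the bidi controls, none of
    which is visible in an editor or in GitHub's file view."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, ord(ch), unicodedata.name(ch, "UNNAMED")))
    return hits

def assess(text):
    """Verdict for a config file: 'clean', 'bom-only' (a single leading U+FEFF, a
    common false positive) or 'suspicious' (any other invisible character)."""
    hits = find_hidden(text)
    if not hits:
        return "clean"
    if hits == [(1, 1, 0xFEFF, "ZERO WIDTH NO-BREAK SPACE")]:
        return "bom-only"
    return "suspicious"

def strip_hidden(text):
    """Copy of the file with all format-control characters removed, for diffing."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

if __name__ == "__main__":
    for line_no, col, cp, name in find_hidden(SAMPLE_CLAUDE_MD):
        print(f"line {line_no} col {col}: U+{cp:04X} {name}")
    print("verdict:", assess(SAMPLE_CLAUDE_MD))
```

A "suspicious" verdict on a file nobody on the team remembers writing is the point at which to stop the AI session and treat the machine as compromised, per the incident response guidance below.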

3. Check for persistence mechanisms

Review Git hooks (.git/hooks/), shell startup files (~/.bashrc, ~/.zshrc), cron jobs (crontab -l), and systemd user services for unexpected entries.

Registry-Level Protections

AI Assistant Hygiene

  • Disable auto-execution: Configure Claude Code, Cursor, and similar tools to require confirmation before running shell commands or file operations.
  • Review before acting: When an AI assistant suggests a “security scan” or “build verification,” pause and verify what commands it plans to run.
  • Sandbox AI tools: Run AI assistants in isolated environments (containers, VMs, or CI runners) without access to production credentials or SSH keys.
  • Audit AI context files: Treat .cursorrules, CLAUDE.md, and similar files as security-critical. Require code review for any changes, and scan them for hidden Unicode.

Organizational Policies

  • Least-privilege credentials: Developer machines should not have production AWS keys or broad SSH access. Use short-lived tokens, role-based access, and dedicated CI environments.
  • Vet AI tool configurations: Establish policies for what AI assistant configuration files are allowed in your repositories and who can modify them.
  • Incident response: If you find TrapDoor indicators (packages from the lists above, .cursorrules files you didn’t create, or unexpected cron jobs), assume compromise. Rotate all credentials, revoke GitHub tokens, and audit cloud access logs.

Bottom Line

The TrapDoor supply chain attack isn’t just another entry in the long list of software supply chain compromises. It’s a blueprint for how adversaries will target the AI-assisted development workflows that millions of developers now rely on.

The campaign exploited three simultaneous trends: the trust developers place in package registries, the aggressive context-reading behavior of AI coding assistants, and the gap in security tooling that still treats configuration files as low-risk artifacts. By combining traditional credential theft with AI prompt injection, TrapDoor achieves something new: it weaponizes the tools meant to help you code.

The good news? Detection is possible. Socket’s median 5-minute detection time shows that behavioral analysis can catch these campaigns early. The attacker also made mistakes—GitHub flagged hidden Unicode in PRs, and the cross-registry pattern ultimately connected isolated packages into a recognizable campaign.

But the arms race is just beginning. As AI assistants gain more autonomy—running tests, deploying code, managing infrastructure—the attack surface will expand. Adversaries are already experimenting. TrapDoor proves they’re not just theorizing; they’re shipping.

Audit your projects today. Check your dependencies, scan your .cursorrules and CLAUDE.md files, and treat AI assistant configurations with the same skepticism you’d apply to executable code. The next TrapDoor supply chain attack won’t be a research note. It’ll be a headline about a company that lost its infrastructure because an AI assistant was tricked into “helping.”
