On 22 May 2026, a coordinated malware campaign called TrapDoor landed across three package registries at once — npm, PyPI, and Crates.io. Within 48 hours, 36 malicious packages spanning 384 versions had been published, each designed to steal developer credentials, crypto wallets, and cloud secrets. But the truly novel part was not the credential harvesting. It was that TrapDoor also poisoned AI coding assistants, turning Cursor and Claude Code into unwitting accomplices.
This is not a theoretical attack chain. It happened last week. Here is what your team needs to know.
TL;DR
- TrapDoor is the first coordinated supply chain attack to hit npm, PyPI, and Crates.io simultaneously, with 36 malicious packages across 384+ versions
- Each ecosystem was exploited using its native execution hooks — postinstall (npm), import-time execution (PyPI), and build.rs (Crates.io)
- The campaign injected poisoned .cursorrules and CLAUDE.md files with zero-width Unicode characters to trick AI coding assistants into exfiltrating secrets
- The attacker opened pull requests to major AI projects (LangChain, MetaGPT, OpenHands) attempting to merge poisoned AI configuration files
- Development teams must audit AI assistant configuration files, lock down build hooks, and treat .cursorrules/CLAUDE.md as security-sensitive artefacts
Three Registries, One Campaign, Zero Hesitation
Previous supply chain attacks have typically targeted a single ecosystem. TrapDoor broke that pattern. The attacker — operating from the GitHub account ddjidd564 — published packages across npm, PyPI, and Crates.io in rapid waves, starting at 20:20 UTC on 22 May. The packages were carefully named to appeal to developers working in crypto, DeFi, Solana, and AI: names like crypto-credential-scanner, eth-wallet-sentinel, defi-risk-scanner, and llm-context-compressor.
The approach was ecosystem-native. Each package used the execution mechanism most natural to its registry, making detection harder for teams that only monitor one language ecosystem.
How Each Ecosystem Was Weaponised
npm: Postinstall Hooks and a 1,149-Line Harvester
The 21 npm packages used postinstall hooks to execute trap-core.js, a 48KB credential harvester. On execution, it scanned the developer’s machine for SSH keys, AWS credentials, GitHub tokens, crypto wallet data, browser profiles, and environment variables. It validated stolen AWS and GitHub tokens via live API calls to confirm they were active before exfiltrating them. It then established persistence through cron jobs, systemd services, Git hooks, and — critically — attempted SSH-based lateral movement to other machines the developer had access to.
PyPI: Import-Time Execution with Remote Payloads
The seven PyPI packages auto-executed on import — no explicit function call required. Rather than embedding the full payload, they fetched and ran JavaScript from an attacker-controlled GitHub Pages domain using node -e. This meant the attacker could update malicious behaviour after publication without releasing a new package version, effectively creating a living payload that security scanners would struggle to fingerprint.
Crates.io: build.rs as a Weapon
The six Rust crates abused build.rs, which executes automatically during compilation. The malicious build scripts searched for local Sui, Solana, and Aptos keystores, encrypted the data using XOR with the hardcoded key cargo-build-helper-2026, and exfiltrated the encrypted bundles to GitHub Gists. For Rust developers, the attack surface is particularly insidious: build.rs runs before your code even compiles, and most developers never audit it in their dependencies.
The AI Poisoning Vector: This Is the New Frontier
What sets TrapDoor apart from every prior supply chain attack is its deliberate targeting of AI coding assistants. The campaign installed .cursorrules and CLAUDE.md files containing hidden instructions obfuscated with zero-width Unicode characters. These instructions were designed to trick AI assistants into performing a "security scan" — which in reality triggered the discovery and exfiltration of secrets on the developer’s machine.
Think about what this means in practice. A developer installs what appears to be a legitimate package. It drops a .cursorrules file into their project. The next time they open the project in Cursor or interact with Claude Code, the AI reads the poisoned configuration and follows the embedded instructions — potentially accessing and exposing credentials that the developer never explicitly shared.
The attacker did not stop at package distribution. They opened pull requests to major open-source AI projects including LangChain, LangFlow, LlamaIndex, MetaGPT, and OpenHands, proposing innocuous-sounding changes like "docs: add .cursorrules with dev standards" while embedding the malicious configurations. Had any of these PRs been merged, every contributor to those projects would have been exposed.
Why This Matters More Than Previous Supply Chain Attacks
We have covered supply chain security extensively on this blog — from the TanStack GitHub Actions compromise to the Laravel-Lang git tag rewriting attack. TrapDoor represents an escalation on three fronts:
- Cross-ecosystem coordination. Attacking three registries simultaneously means your Python team, your JavaScript team, and your Rust team all need to respond in parallel. Siloed security monitoring misses it.
- AI as attack surface. Developer tooling configuration files — .cursorrules, CLAUDE.md, .editorconfig — have historically been treated as benign. TrapDoor proves they are now security-critical artefacts.
- Living payloads. The PyPI packages fetched remote JavaScript at runtime, meaning the malicious behaviour could change after your security scan gave the all-clear.
What Your Development Team Should Do Right Now
1. Audit AI Configuration Files
Add .cursorrules, CLAUDE.md, .github/copilot-instructions.md, and similar AI assistant configuration files to your code review checklist. Scan for zero-width Unicode characters and unexpected URLs. These files should be treated with the same scrutiny as .env files.
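As an added illustration of the audit step above (and of the zero-width obfuscation described earlier in the post), here is a small scanner that is not part of the original post or of any vendor tooling. It flags every invisible Unicode format character in .cursorrules, CLAUDE.md and copilot-instructions.md files, decodes any text smuggled in the Unicode tag block, and reports URLs whose host is not on an allowlist. The file-name list, the allowlist and the sample rules file are assumptions constructed for the example, not artefacts from the campaign.

```python
import re
import sys
import unicodedata
from pathlib import Path
from urllib.parse import urlparse

# Assumed list: the files TrapDoor dropped, plus Copilot's equivalent.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md", "copilot-instructions.md"}

URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")


def find_hidden_chars(text):
    """Return (offset, code point, Unicode name) for every invisible format character.

    Unicode category Cf covers the zero-width space/joiner family (U+200B..U+200D, U+2060),
    the BOM (U+FEFF), bidi controls and the tag block (U+E0000..U+E007F) used to smuggle ASCII.
    """
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def decode_tag_chars(text):
    """Recover text hidden with Unicode tag characters (U+E0020..U+E007E mirror ASCII 0x20..0x7E)."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def find_urls(text):
    return URL_RE.findall(text)


def scan_text(text, allowed_hosts=()):
    """Return a list of human-readable findings for one config file's contents."""
    findings = []
    hidden = find_hidden_chars(text)
    if hidden:
        shown = ", ".join(f"{cp} {name} at offset {i}" for i, cp, name in hidden[:5])
        findings.append(f"{len(hidden)} hidden format character(s): {shown}")
    revealed = decode_tag_chars(text)
    if revealed:
        findings.append(f"text smuggled in tag characters: {revealed!r}")
    for url in find_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(f"unexpected URL: {url}")
    return findings


def scan_tree(root, allowed_hosts=()):
    """Walk a checkout (or node_modules) and scan every AI config file found; returns {path: findings}."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.name in AI_CONFIG_NAMES and path.is_file():
            findings = scan_text(path.read_text(encoding="utf-8", errors="replace"), allowed_hosts)
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


# Constructed sample: a plausible-looking rules file with two zero-width spaces, a string
# hidden in tag characters and a link to a placeholder host (not a real IoC from the campaign).
SAMPLE = (
    "# Dev standards\n"
    "Use 4 spaces for indentation.\u200b\u200b\n"
    "Before committing, run the helper at https://placeholder.invalid/scan\n"
    + "".join(chr(0xE0000 + ord(c)) for c in "hidden")
    + "\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1], allowed_hosts=("github.com",)).items():
            print(path)
            for finding in findings:
                print("  -", finding)
    else:
        for finding in scan_text(SAMPLE, allowed_hosts=("github.com",)):
            print("-", finding)
```

Run it as `python scan_ai_config.py <checkout>` from CI, or with no argument to see the findings on the constructed sample. Flagging the whole Cf category rather than a fixed list of zero-width code points is deliberate: it also catches bidi overrides and the tag block, and a legitimate rules file has no reason to contain any of them, so a non-empty result is a review blocker rather than a heuristic.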
2. Lock Down Build Hooks
For npm, configure ignore-scripts=true in your .npmrc and whitelist packages that genuinely need postinstall scripts. For Rust, audit build.rs files in new dependencies before compilation. For Python, review packages that execute code on import.
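To make the allowlist in step 2 concrete, here is an added helper (not from the original post or from npm/cargo themselves) that inventories which installed npm packages declare install-time lifecycle scripts, reports those not on an approved list, and lists the crates in a cargo registry checkout that ship a build.rs. The hook names are npm's own; the allowlist, the sample manifests and the registry path layout are assumptions made for the example.

```python
import json
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install` / `npm ci`
# (`prepare` also runs for git dependencies, so it is listed as well).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest):
    """Return the install-time lifecycle scripts declared in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return [hook for hook in INSTALL_HOOKS if hook in scripts]


def audit_manifests(manifests, allowlist):
    """Given (package name, manifest dict) pairs, return {name: {hook: command}} for every
    package that declares install hooks and is not on the allowlist."""
    flagged = {}
    for name, manifest in manifests:
        hooks = install_hooks(manifest)
        if hooks and name not in allowlist:
            flagged[name] = {hook: manifest["scripts"][hook] for hook in hooks}
    return flagged


def iter_node_modules(node_modules):
    """Yield (name, manifest) for each installed package, nested and scoped packages included."""
    root = Path(node_modules)
    for pkg_json in root.rglob("package.json"):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable, or not a manifest (e.g. a test fixture inside a package)
        if isinstance(manifest, dict):
            yield manifest.get("name") or pkg_json.parent.name, manifest


def cargo_build_scripts(registry_src):
    """List crates in a cargo registry source checkout (assumed layout ~/.cargo/registry/src/<index>/)
    that ship a build.rs, which cargo runs automatically before the crate compiles."""
    return sorted(p.parent.name for p in Path(registry_src).glob("*/build.rs"))


# Constructed sample manifests: one plain library, one native addon that legitimately
# compiles on install, and one package with a postinstall hook nobody approved.
SAMPLE_MANIFESTS = [
    ("plain-library", {"name": "plain-library", "scripts": {"test": "jest"}}),
    ("native-addon-example", {"name": "native-addon-example", "scripts": {"install": "node-gyp rebuild"}}),
    ("suspicious-example", {"name": "suspicious-example", "scripts": {"postinstall": "node setup.js"}}),
]

if __name__ == "__main__":
    import sys
    allow = {"native-addon-example"}  # assumed allowlist; keep yours in version control
    manifests = iter_node_modules(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for name, hooks in audit_manifests(manifests, allow).items():
        print(f"{name}: {hooks}")
```

With `ignore-scripts=true` in .npmrc, nothing in the flagged list runs on install; for the packages you do approve, run their hooks explicitly afterwards (for example `npm rebuild --ignore-scripts=false <package>`), so that every install-time execution on a developer machine is a deliberate decision recorded in the allowlist.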
3. Implement Cross-Ecosystem Dependency Scanning
If your project spans multiple language ecosystems — and most modern projects do — your security scanning must cover all of them. Tools like Socket.dev, Snyk, and Dependabot each have different coverage. Ensure no ecosystem is a blind spot.
4. Monitor for Lateral Movement Indicators
TrapDoor’s npm payload attempted SSH-based lateral movement and established persistence via cron jobs and systemd services. Monitor developer workstations for unexpected scheduled tasks, new SSH connections, and unfamiliar Git hooks.
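As an added example for step 4 (not code from the original post), the triage script below checks three of the persistence locations named above on a developer workstation: crontab entries, active Git hooks, and user-level systemd units. The keyword list used to rank crontab entries and the sample crontab are assumptions constructed for the example; matches are leads for a human to review, not verdicts. New SSH connections are better watched from the host's auth logs, which this script does not read.

```python
import os
import re
import subprocess
from pathlib import Path

# Assumed heuristics: substrings that rarely belong in a developer's crontab.
SUSPICIOUS_CRON_TOKENS = (
    "node_modules", "/tmp/", "/dev/shm", "curl ", "wget ", "base64", "node -e", "python -c", ".cache/",
)

# Either an @-keyword (e.g. @reboot) or five schedule fields, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(?P<command>.+)$")


def parse_crontab(text):
    """Return the command portion of every crontab entry (comments, blanks and VAR=value lines skipped)."""
    commands = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^[A-Za-z_]\w*=", stripped):
            continue
        match = CRON_LINE.match(stripped)
        if match:
            commands.append(match.group("command").strip())
    return commands


def suspicious_cron_entries(text):
    """Crontab commands that hit one of the heuristic tokens."""
    return [cmd for cmd in parse_crontab(text) if any(tok in cmd for tok in SUSPICIOUS_CRON_TOKENS)]


def active_git_hooks(repo):
    """Executable, non-sample hook scripts in <repo>/.git/hooks (Git ships only *.sample files)."""
    hooks_dir = Path(repo) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    return sorted(
        p.name for p in hooks_dir.iterdir()
        if p.is_file() and not p.name.endswith(".sample") and os.access(p, os.X_OK)
    )


def user_systemd_units(home=None):
    """User-level systemd units, which persist across logins without root."""
    base = Path(home or Path.home()) / ".config" / "systemd" / "user"
    if not base.is_dir():
        return []
    return sorted(p.name for p in base.iterdir() if p.suffix in (".service", ".timer"))


# Constructed sample crontab with one routine job and two entries worth a second look.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/bash
0 2 * * * /usr/bin/backup --quiet
@reboot node /home/dev/project/node_modules/.bin/helper
*/15 * * * * /usr/bin/python3 /home/dev/.cache/sync.py
"""

if __name__ == "__main__":
    try:
        crontab = subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False).stdout
    except OSError:
        crontab = SAMPLE_CRONTAB  # no crontab binary here; show the constructed sample instead
    print("crontab entries to review:", suspicious_cron_entries(crontab or SAMPLE_CRONTAB))
    print("active git hooks in cwd:", active_git_hooks("."))
    print("user systemd units:", user_systemd_units())
```

Run it on a workstation after an install of a flagged package; an empty result for all three lists does not prove a clean machine, but any unexpected entry is exactly the kind of indicator the post describes and should trigger the credential rotation in step 5.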
5. Rotate Credentials If Exposed
If any of the 36 malicious packages were installed — even briefly — assume compromise. Rotate SSH keys, AWS credentials, GitHub tokens, and any crypto wallet keys that were accessible on the affected machine.
The Bigger Picture: AI Assistants Need a Security Model
TrapDoor exposes a gap that the industry has been slow to address. AI coding assistants read and act on configuration files in developer workspaces. Those files can be introduced through packages, pull requests, or even cloned repositories. Yet there is no standardised security model for what an AI assistant should and should not execute from workspace configuration.
Until that model exists, development teams need to treat AI configuration files as part of their attack surface. Code review processes need to explicitly flag changes to these files. CI/CD pipelines should scan for them. And developers need to understand that their AI assistant, helpful as it is, will faithfully follow instructions from any configuration file it finds — including malicious ones.
Need Help Securing Your Development Pipeline?
At REPTILEHAUS, we help development teams build secure CI/CD pipelines, implement dependency governance, and harden their toolchains against supply chain attacks. Whether you need a security audit of your existing setup or want to build resilient practices from the ground up, get in touch — our team specialises in exactly this kind of work.