TrapDoor Supply-Chain Attack Hits npm, PyPI, and Crates.io — and Poisons AI Coding Assistants
Socket disclosed TrapDoor, a coordinated attack that planted more than 34 malicious packages across npm, PyPI, and Crates.io at once. Its novel move: poisoned .cursorrules and CLAUDE.md files designed to trick a developer's AI coding assistant.
TrapDoor is the supply-chain wave's first documented attempt to weaponize the AI coding assistant itself — the attack surface now includes not just the package and the pipeline, but the AI in the developer's loop.
SAN FRANCISCO, CALIFORNIA — Researchers at Socket disclosed TrapDoor, a coordinated cross-ecosystem supply-chain attack that simultaneously targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. By Socket's count, the campaign planted more than 34 malicious packages across over 384 versions — 21 on npm, 7 on PyPI, and 6 on Crates.io — with its earliest activity timestamped May 22, 2026, at 20:20 UTC and packages published in rapid waves from a cluster of accounts.
TrapDoor's most novel element is not the theft but the target: the campaign plants poisoned `.cursorrules` and `CLAUDE.md` files — the instruction files that tools like Cursor and Claude Code read to guide their behavior — containing hidden instructions designed to trick AI coding assistants. The attacker, using the GitHub account `ddjidd564`, also submitted deceptive pull requests carrying those poisoned config files to prominent open-source AI projects, including LangChain, MetaGPT, and OpenHands. The disclosure was anchored by Socket's primary research and documented across the May 24-25, 2026 coverage cycle.
What Happened
Researchers at Socket disclosed TrapDoor, a coordinated supply-chain attack that did something no prior 2026 campaign had: it hit npm, PyPI, and Crates.io at the same time. By Socket's count, the operation planted more than 34 malicious packages across over 384 versions — 21 on npm, 7 on PyPI, and 6 on Crates.io — with the earliest activity timestamped May 22, 2026, at 20:20 UTC and packages pushed out in rapid waves from a cluster of accounts. The campaign targets developers in the crypto, DeFi, Solana, and AI communities, and it tailors its execution to each ecosystem: a `build.rs` build script in Rust, a `postinstall` hook in npm, and import-time execution in Python. Each path achieves the same end — running the attacker's code on the developer's machine as a side effect of a routine install or build.
Once it runs, TrapDoor is a broad credential stealer. Socket's research documents exfiltration of SSH keys; Sui, Solana, and Aptos wallet keystores; AWS credentials; GitHub tokens; browser login databases; crypto-wallet-extension data; environment variables; API keys; and local development configuration files. The campaign's most novel element sits alongside that theft: TrapDoor plants poisoned `.cursorrules` and `CLAUDE.md` files containing hidden instructions designed to trick AI coding assistants. The attacker, operating from the GitHub account `ddjidd564`, also submitted deceptive pull requests carrying those poisoned config files to prominent open-source AI projects, including LangChain, MetaGPT, and OpenHands. Socket's own monitoring caught TrapDoor releases quickly — an average of 5 minutes 56 seconds after publication, with a fastest detection of 58 seconds — but rapid detection does not undo what an install has already executed.
The Novel Move: Poisoning the AI in the Developer's Loop
Strip away the package count and the credential list, and what makes TrapDoor matter is a single technique: it does not just target the developer's machine, it targets the developer's AI assistant. The campaign plants `.cursorrules` and `CLAUDE.md` files — the instruction files that tools like Cursor and Claude Code read to guide their behavior — and fills them with hidden instructions intended to trick those assistants. Those files are not executable in the conventional sense; they are configuration, the project-level guidance an AI coding tool consults before it writes, edits, or runs anything. By poisoning them, the attacker is trying to enlist the developer's AI assistant as an unwitting accomplice. One limit needs stating precisely: what those hidden instructions actually direct an AI assistant to do has not been detailed in the disclosure, and this account does not speculate beyond it. What is confirmed is the target — the instruction file, and therefore the assistant that reads it.
The Deceptive Pull Requests to LangChain, MetaGPT, and OpenHands
TrapDoor's operator did not stop at packages. Using the GitHub account `ddjidd564`, the attacker submitted deceptive pull requests carrying the poisoned `.cursorrules` and `CLAUDE.md` files to prominent open-source AI projects — Socket names LangChain, MetaGPT, and OpenHands. The strategic logic is the same one behind every supply-chain attack on a widely used dependency: a poisoned instruction file inside a project that thousands of developers pull would propagate the trick far beyond a single victim. Whether those pull requests were merged or caught in review has not been reported, and this article makes no claim either way — submitting a malicious PR and landing one are very different outcomes. What is confirmed is the attempt, and the attempt is itself the news: an attacker treating the AI-instruction files of major open-source AI projects as a distribution channel. It joins the broader 2026 supply-chain wave and the parallel multi-package supply-chain campaign as evidence that operators are systematically probing every trust path into the developer's workflow.
Ecosystem-Specific Execution Across Three Registries
TrapDoor is the first 2026 supply-chain campaign documented to span three registries at once, and it does so by speaking each ecosystem's native language. On Crates.io, the Rust registry, it uses a `build.rs` build script — code that the Cargo toolchain runs at compile time. On npm, it uses a `postinstall` hook, which runs automatically the moment a package is installed. On PyPI, it relies on import-time execution, so the malicious code fires when a Python file imports the package. Three different mechanisms, one outcome: attacker code running on the developer's machine without an explicit, deliberate launch. That cross-ecosystem coordination is the structural lesson. It arrives in the same week as the cross-manifest supply-chain attack, and against the backdrop of the registry-level defenses now rolling out against this attack class — a reminder that no single registry's defenses can contain a campaign that spans all of them.
Scope and Impact
The reason TrapDoor is more than a noisy package spray is the breadth of what it collects. The exfiltration list runs from SSH keys and AWS credentials to GitHub tokens, API keys, environment variables, browser login databases, and local development configuration files — the full working set of secrets a developer's machine accumulates. For its named target communities the list sharpens further: TrapDoor specifically pulls Sui, Solana, and Aptos wallet keystores and crypto-wallet-extension data, which is what makes it a direct threat to the funds, not just the credentials, of developers in crypto, DeFi, and Solana projects. A keystore on a compromised machine is an asset waiting to be drained.
Several specifics remain unconfirmed, and this account does not imply otherwise. The identity of the threat actor behind TrapDoor has not been established, and the campaign is not attributed here to any named group. The total number of developers and projects that installed a TrapDoor package has not been reported, nor has whether the registries have removed all 384 malicious versions. Whether the deceptive pull requests to LangChain, MetaGPT, and OpenHands were merged or caught in review is not known. And the downstream impact — confirmed credential theft versus packages caught early — has not been quantified. Socket's fast detection times are encouraging, but exposure is not the same as containment.
What is not in question is the company TrapDoor keeps. The campaign joins a dense run of 2026 supply-chain operations — Shai-Hulud, Megalodon, Laravel-Lang, and the Packagist package.json attack among them — but it is the first to span npm, PyPI, and Crates.io simultaneously. It lands alongside the npm supply-chain worm wave and the broader collision of AI tooling and security. A separate, unrelated operation called "Trapdoor" — an Android ad-fraud scheme — appeared in earlier reporting; that is a distinct campaign and should not be conflated with this package-supply-chain attack.
Response and Attribution
For developers in crypto, DeFi, Solana, and AI projects, the immediate action is an audit. Review recent dependency installs across npm, PyPI, and Crates.io for any package pulled after May 22, 2026, 20:20 UTC from an unfamiliar publisher, and pin dependencies to known-good versions. If a TrapDoor package ran on a machine, treat that machine as compromised: rotate SSH keys, AWS credentials, GitHub tokens, and API keys, and immediately move assets out of any Sui, Solana, or Aptos wallet whose keystore was present on it. Enable real-time package scanning in blocking mode so a malicious release is stopped before it installs, not flagged after.
For teams using AI coding assistants such as Cursor and Claude Code, TrapDoor adds a genuinely new item to the checklist: treat `.cursorrules` and `CLAUDE.md` as security-sensitive files. A poisoned instruction file is a poisoned assistant, so those files belong under code review and change-control like any executable configuration. Scrutinize pull requests that add or modify them — TrapDoor's operator submitted exactly those as deceptive PRs — and if you maintain an open-source project, audit your AI-instruction files now and check pull-request history for unexplained changes. For SOC and threat-hunting teams, the hunt is concrete: look for `build.rs` running network or credential-collection code at Rust build time, npm `postinstall` hooks doing the same, and Python packages executing collection logic at import. Watch for exfiltration of wallet keystores and browser login databases from developer endpoints, and add the GitHub handle `ddjidd564` and Socket's published package list to your indicator set.
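As an added illustration of that hunt (not Socket's tooling or anything from the disclosure), the Python script below walks an installed dependency tree and flags the three indicators named above: AI-instruction files shipped inside a package, npm install-time hooks, and a `build.rs` containing network or credential-path strings. The token list and the sample tree are constructed for the example; a hit is a prompt for human review, not a verdict.

```python
import json
import os
import tempfile

# Indicators from the disclosure: AI-instruction files inside dependencies, npm
# install-time hooks, and build.rs code that reaches the network or credential paths.
INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")
BUILD_RS_SUSPECT = ("std::net", "TcpStream", "reqwest", ".ssh", ".aws", "credentials")  # assumed heuristic list


def audit_tree(root):
    """Walk an installed tree (node_modules, cargo registry) and return sorted (kind, path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in INSTRUCTION_FILES:
                findings.append(("ai-instruction-file", rel))
            elif name == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        scripts = json.load(fh).get("scripts") or {}
                except (ValueError, OSError):
                    continue  # unreadable manifest: skip rather than crash the sweep
                findings += [(f"npm-{h}", rel) for h in NPM_INSTALL_HOOKS if h in scripts]
            elif name == "build.rs":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if any(tok in fh.read() for tok in BUILD_RS_SUSPECT):
                        findings.append(("build-rs-suspect", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture, not real packages: one benign and two suspicious entries."""
    root = tempfile.mkdtemp(prefix="trapdoor-audit-")
    files = {
        "node_modules/benign-pkg/package.json": json.dumps({"scripts": {"test": "tap"}}),
        "node_modules/evil-pkg/package.json": json.dumps({"scripts": {"postinstall": "node setup.js"}}),
        "node_modules/evil-pkg/.cursorrules": "# constructed placeholder, not the real payload\n",
        "cargo/registry/evil-crate/build.rs": 'fn main() { std::net::TcpStream::connect("EXAMPLE-HOST:443").ok(); }\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run `audit_tree` against a real `node_modules` or Cargo registry directory; `build_sample_tree()` only exists to exercise the checks offline.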
For CISOs, TrapDoor marks a real expansion of the supply-chain threat model. The AI coding assistant is now an attack surface, which means AI-instruction files need governance — ownership, review, and change-control — the same as any other high-trust configuration. And the cross-ecosystem coordination, with npm, PyPI, and Crates.io hit in a single campaign, confirms that supply-chain defense cannot be language-siloed. A program that secures the JavaScript dependency graph but leaves Rust and Python under separate, weaker controls is defending a perimeter the attacker has already learned to walk around.
The CyberSignal Analysis
Signal 01 — The AI Assistant Is Now an Attack Surface
Most coverage of TrapDoor will lead with the numbers — 34-plus packages, three registries, 384 versions — and the scale is genuinely notable. But the detail that deserves the spotlight is the poisoned instruction file. For the first documented time in the 2026 supply-chain wave, an attacker has built a campaign around weaponizing the AI coding assistant itself. The `.cursorrules` and `CLAUDE.md` files are how tools like Cursor and Claude Code learn what a project expects of them; poison those files, and the attacker is no longer just running code on the machine, but attempting to bend the developer's AI helper to a hostile purpose. That is a category shift. The supply-chain threat model has always assumed the attack surface is the package and the pipeline. TrapDoor adds a third element — the AI in the loop — and once an attacker can influence what the assistant is told, the assistant's privileges, access, and trust become the attacker's to borrow.
Signal 02 — Instruction Files Need the Governance of Executable Config
The practical lesson of TrapDoor is narrow and immediately actionable: AI-instruction files are security-sensitive, and most teams do not yet treat them that way. A `.cursorrules` or `CLAUDE.md` file typically lives in a repository with the same casual review as a README — a documentation-adjacent file that a reviewer skims or skips. TrapDoor is built precisely around that blind spot. Its operator submitted poisoned instruction files as pull requests, betting that a file that looks like project guidance will pass review that a file full of executable code would not. The fix is to close the asymmetry: put `.cursorrules` and `CLAUDE.md` under code review, change-control, and CODEOWNERS, and treat any pull request that adds or modifies them as a change to executable configuration — because, functionally, that is what it is. For maintainers of open-source AI projects, the same logic applies in reverse: audit the AI-instruction files already in your repository and check their pull-request history now.
Signal 03 — Supply-Chain Defense Cannot Be Language-Siloed
TrapDoor's other structural lesson is the one hiding in its three-registry footprint. Earlier 2026 campaigns — Shai-Hulud, Megalodon, Laravel-Lang, the Packagist attack — each largely lived inside one ecosystem, which let defenders reason about them one registry at a time. TrapDoor breaks that comfort. The same operator, in the same campaign, shipped malicious packages to npm, PyPI, and Crates.io, adapting the execution mechanism to each — a `postinstall` hook, an import-time trigger, a `build.rs` script — while keeping one objective. For organizations, this confirms that a supply-chain program scoped to a single language is a program with a gap the attacker already knows about. Dependency scanning, install-time blocking, and provenance checks have to cover every registry a team pulls from, not just the dominant one. The attacker has gone cross-ecosystem; the defense has to be cross-ecosystem to match.