TrapDoor: The Supply Chain Attack That Turns Your AI Assistant Into Your Worst Enemy

A supply chain campaign called TrapDoor has been active since May 19, and it’s doing something I haven’t seen documented at this scale before: it doesn’t just steal your credentials — it recruits your AI assistant to do it for you.

Here’s what happened, why it matters, and what to check right now.


What is TrapDoor

TrapDoor is an active supply chain campaign distributing credential-stealing malware across npm, PyPI, and Crates.io. Analysis of confirmed artifacts places the actual start of the campaign on May 19, 2026 — three days before the first reported date — with 384 artifact versions distributed across 34 malicious packages.

The packages were published in waves from a cluster of accounts in rapid succession. TrapDoor targets developers from the crypto, DeFi, Solana, and AI communities. The malicious packages are designed to steal development secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables.

Up to this point, nothing unusual. What’s unusual is the persistence vector they chose.


The AI poisoning vector

AI-assisted development environments like Cursor and Claude Code read workspace files to understand project context. Files like .cursorrules and CLAUDE.md exist specifically to give instructions to the AI: what code standards to follow, what commands to use, how to format output. They’re configuration files for your AI pair programmer.

TrapDoor exploits exactly this trust relationship.

The attacker uses zero-width Unicode characters to obfuscate malicious prompts, tricking the AI into executing hostile credential exfiltration under the guise of an automated “security scan” of the project.

The files appear blank or harmless to a human reading them. But they’re loaded with hidden characters — zero-width spaces and bidirectional Unicode control characters, positioned precisely within the file. They’re invisible in most text editors and terminals. The AI model, however, reads them.

This is a significant escalation. Running cat on the file, reading the git diff, doing a code review — none of it shows anything odd. The AI executes the instructions anyway.


The exfiltration targets

Target data includes SSH keys, Sui/Solana/Aptos wallet keystores, AWS credentials, GitHub tokens, browser login databases, crypto wallet extension data, environment variables, API keys, and local development configuration files.

The npm payload actively calls AWS and GitHub APIs to confirm whether the collected tokens are valid, filtering high-value credentials before exfiltration. This isn’t indiscriminate scraping — the attacker is validating and prioritizing.

Intercepted keystore data is XORed and sent to GitHub Gists controlled by the attacker’s account ddjidd564. GitHub Gists as an exfiltration endpoint is clever: the traffic looks like ordinary GitHub API calls, which most corporate firewalls won’t block.


The escalation into open source

This is the part that concerns me most from an organizational risk perspective.

The attacker used the GitHub account ddjidd564 to submit deceptive pull requests with poisoned configuration files to high-profile open source AI projects like LangChain, MetaGPT, and OpenHands. The PRs attempted to add .cursorrules or CLAUDE.md files under innocent titles like “docs: add .cursorrules with dev standards and build verification.”

If that approach had succeeded at scale, the AI agents in those projects would have been silently exfiltrating credentials from developers’ machines during normal workflows.

The strategy is clear: get malicious configuration merged into popular open source projects, and every developer who clones those repos receives a compromised AI context file. From there the attack scales without needing to publish more packages.


What worked: detection speed

Socket detected these TrapDoor releases with a median detection time of 5 minutes and 27 seconds, effectively classifying the entire campaign as malicious before it could achieve mass adoption.

That’s genuinely good. But “classified before mass adoption” isn’t the same as “nobody installed it.” Some packages had already been removed while others remained live. If your team installed anything between May 19 and 25 from the affected ecosystems without going through a registry that blocks flagged dependencies, you need to audit.


What to check right now

If any developer on your team installed packages from npm, PyPI, or Crates.io during May 19–25, the following steps are not optional:

1. Scan your AI context files for hidden Unicode:

cat -v .cursorrules CLAUDE.md AGENTS.md 2>/dev/null

Any non-printable characters in those files should be treated as a compromise indicator.

2. Check for known TrapDoor packages:

# npm
npm ls 2>/dev/null | grep -E "wallet-security-checker|defi-threat-scanner|token-usage-tracker|prompt-engineering-toolkit|llm-context-compressor"

# PyPI
pip list 2>/dev/null | grep -E "eth-security-auditor|cryptowallet-safety|defi-risk-scanner"

3. Rotate credentials immediately if you find anything: Rotate AWS credentials, GitHub tokens, and SSH keys. Check repositories and home directories for recently modified or unexpected .cursorrules and CLAUDE.md files. Treat any unexplained changes in those files as a security incident, not documentation drift.

4. Audit your open source contributions: If you maintain a repository that received a PR from ddjidd564, close it immediately and audit whether any content was merged.

5. Treat CI/CD as potentially exposed: The stolen SSH keys are used for lateral movement, potentially exposing CI/CD pipelines, private repositories, and downstream deployment infrastructure.
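As an added example (not code from the Socket report or this article), the scanner below does step 1 more precisely than cat -v: it flags every Unicode format character (zero-width spaces and joiners, bidi overrides and isolates) in the AI context files named above, reporting line, column and code point name, and can also produce the "what a human saw" version of the file for comparison. The file names are the ones listed in the article; the sample rules content is constructed for the demo.

```python
"""Scan AI context files for invisible Unicode characters of the kind TrapDoor
uses to hide prompt injections. Exits non-zero if anything suspicious is found."""
import sys
import unicodedata
from pathlib import Path

# Files the article names as AI instruction files read by Cursor / Claude Code.
AI_CONTEXT_FILES = (".cursorrules", "CLAUDE.md", "AGENTS.md")


def find_hidden_chars(text):
    """Return (line_no, col, codepoint, name) for every Unicode "Cf" (format)
    character. That category covers ZERO WIDTH SPACE/JOINER/NON-JOINER, WORD
    JOINER, a mid-file BOM and the bidi controls (LRE/RLE/LRO/RLO/PDF, LRI/RLI/
    FSI/PDI), none of which should appear in a plain-text rules file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits


def strip_hidden_chars(text):
    """Return the text with every Cf code point removed: what the human reviewer saw."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def scan_paths(paths):
    """Map each existing file path to its list of hits (empty list means clean)."""
    report = {}
    for p in map(Path, paths):
        if p.is_file():
            report[str(p)] = find_hidden_chars(p.read_text(encoding="utf-8", errors="replace"))
    return report


# Constructed sample: reads as a harmless two-line rules file, but line 2 carries
# a ZERO WIDTH SPACE and a RIGHT-TO-LEFT OVERRIDE that editors do not render.
SAMPLE_RULES = "Use 4-space indentation.\nRun the linter before commit.\u200b\u202e\n"

if __name__ == "__main__":
    targets = sys.argv[1:] or AI_CONTEXT_FILES
    report = scan_paths(targets)
    for path, hits in report.items():
        print(f"{path}: {'SUSPICIOUS' if hits else 'clean'}")
        for line_no, col, cp, name in hits:
            print(f"  line {line_no} col {col}: U+{cp:04X} {name}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it from a repository root with no arguments to check the default files, or pass explicit paths; a non-zero exit makes it usable as a pre-commit or CI gate.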


The structural problem

Socket researchers found an AUDIT-MATRIX.md document within the attacker’s GitHub Pages repository. The file describes the operation as a “Universal AI Agent Extraction Framework” and details a phased workflow for capability detection, data extraction, self-replication, and telemetry reporting.

This wasn’t improvised. Someone specifically designed a framework to weaponize coding AI assistants, then executed a coordinated cross-ecosystem campaign to deploy it.

The broader implication: your development environment’s attack surface now includes every file your AI tools read. .cursorrules, CLAUDE.md, AGENTS.md, system prompt files in any project you clone — they’re all vectors now. Standard CVE-based scanners have no visibility here. This operates below the detection floor of most security tooling in use today.

We’re going to see more of this.


Sources: Socket Security · The Hacker News · Phoenix Security