Blog · May 25, 2026 · 6 min read

TrapDoor: Supply Chain Attack Weaponizes AI Coding Tools

TrapDoor planted 34 malicious packages on npm, PyPI, and Crates.io and poisoned .cursorrules and CLAUDE.md files to hijack AI coding assistants. Here is what to audit today.

On May 22, 2026, a single PyPI upload named eth-security-auditor quietly opened the door to one of the most novel supply chain campaigns of the year. Within days, Socket researchers had catalogued 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, all tied to a single operator dubbed TrapDoor. What sets TrapDoor apart from earlier package-registry attacks is not its scale. It is the first widely observed campaign to deliberately weaponize AI coding assistants like Cursor and Claude Code as an exfiltration channel.

If your team uses AI pair-programming tools and pulls open-source dependencies, this attack is aimed squarely at you.

What TrapDoor Is, in 60 Seconds

TrapDoor is a multi-ecosystem crypto and credential stealer that masquerades as developer security tooling. The bait packages are named to look indispensable: wallet-security-checker, defi-threat-scanner, solidity-deploy-guard, prompt-engineering-toolkit, sui-move-build-helper. A developer searching for a quick audit helper installs one, and the payload fires immediately.

The campaign targets four overlapping communities at once:

  • Crypto and DeFi developers building on Solana, Sui, Aptos, and EVM chains
  • AI and agent developers using LangChain, LlamaIndex, MetaGPT, browser-use, OpenHands
  • DevOps engineers running CI/CD pipelines with cached dependencies
  • Solo founders and indie devs who often install unaudited packages on primary work machines

Three Ecosystems, Three Execution Paths

TrapDoor's authors customized the trigger mechanism for each registry, which is unusual sophistication for an opportunistic stealer.

npm — postinstall hooks. Once you run npm install, the package fires a postinstall script that loads trap-core.js, a 1,149-line payload using Fernet and ECDH encryption for command-and-control traffic. No need to import the package; installation alone is enough.

PyPI — import-time execution. The malicious code runs the first time you import the module in any script, even a one-line test. The payload then pulls additional JavaScript from GitHub Pages, allowing the operator to push new logic without publishing a new version.

Crates.io — build.rs side-channel. This is the most insidious. Rust's build.rs script runs during cargo build, before your code ever calls the dependency. A simple cargo check on a project that lists the package is enough to compromise the developer machine. The Crates payload uses XOR encryption with the hardcoded key cargo-build-helper-2026 and specifically targets Sui and Move keystores.

The New Frontier: Poisoning .cursorrules and CLAUDE.md

Here is where TrapDoor breaks new ground.

Once the payload lands, it does not just exfiltrate today's secrets. It plants hidden instructions inside .cursorrules and CLAUDE.md files using zero-width Unicode characters that are invisible in editors but readable by AI coding assistants. The instructions trick Cursor, Claude Code, and similar tools into running a fake "security scan" the next time the developer opens the project. The scan silently exfiltrates SSH keys, AWS credentials, GitHub tokens, browser session data, and any wallet keystores it can find — all under the cover of legitimate AI assistant activity.

The operator behind TrapDoor even documented this approach in a file called AUDIT-MATRIX.md, hosted on GitHub Pages and described as a "Universal AI Agent Extraction Framework." The same operator (ddjidd564) opened pull requests against real AI repositories — LangChain, LlamaIndex, MetaGPT, browser-use, OpenHands — hoping a maintainer would merge a poisoned CLAUDE.md into the canonical project.

This is a meaningful shift. Until now, supply chain attackers had to keep their payload small and quiet to avoid detection. TrapDoor instead delegates the loud work to the developer's own AI agent, which runs with the developer's permissions and trust.

What TrapDoor Steals

The harvest list reads like a complete dossier of modern developer life:

  • SSH private keys from ~/.ssh
  • AWS credentials and environment variables
  • GitHub and GitLab tokens
  • Browser logins and crypto wallet extension data (MetaMask, Phantom, Backpack)
  • Solana, Sui, and Aptos wallet keystores
  • API keys for OpenAI, Anthropic, and major SaaS vendors
  • .env, .envrc, and local dev configuration files

Stolen credentials are validated live against the respective APIs before exfiltration, so the operator only stores keys that actually work.

Persistence — It Stays After You Uninstall

Removing the malicious package does not clean the machine. TrapDoor installs persistence through any of:

  • Git hooks (post-checkout, pre-commit)
  • Shell startup files (.zshrc, .bashrc, .profile)
  • Cron jobs and systemd user units
  • Poisoned .cursorrules and CLAUDE.md left in cloned repos

The .cursorrules vector is particularly nasty because the file gets committed and shared with teammates, turning a single compromised developer into a propagation point across the whole engineering org.

What to Audit Today

If you ship code, run these five checks before your next deploy.

1. Search lockfiles for known package names

grep -rE "wallet-security-checker|defi-threat-scanner|solidity-deploy-guard|prompt-engineering-toolkit|sui-move-build-helper|eth-security-auditor|cryptowallet-safety|defi-risk-scanner|chain-key-validator|move-compiler-tools" \
  package-lock.json yarn.lock pnpm-lock.yaml requirements.txt poetry.lock Cargo.lock 2>/dev/null

Any hit means rotate everything and rebuild the machine from a clean image.

2. Inspect AI assistant config files for hidden Unicode

find . \( -name ".cursorrules" -o -name "CLAUDE.md" -o -name ".clinerules" \) \
  -exec perl -CSD -ne 'print "$ARGV:$.: $_" if /[\x{200B}-\x{200F}\x{2028}-\x{202F}\x{FEFF}]/' {} \;

(The -CSD switch makes perl decode the files as UTF-8; without it the \x{200B}-style code points are compared against raw bytes and never match.)

Zero-width characters in an instruction file are a red flag, period. Legitimate config files do not need them.
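The same check as a small Python scanner, added here as an example (it is not code from the original post): it reports line, column and Unicode name for every hidden character, and goes beyond the perl class above by also catching word joiners, bidi isolates and Unicode tag characters, which are invisible in editors in the same way. The file-name set and the non-zero exit code for CI are assumptions.

```python
# Added example (not from the original post): flag invisible Unicode in AI instruction files.
import sys
import unicodedata
from pathlib import Path

# Inclusive code point ranges that render as nothing (or plain whitespace).
# The first two rows are the page's perl class; the rest generalise it.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x2028, 0x202F),    # line/paragraph separators, bidi embeddings/overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM mid-file)
    (0xE0000, 0xE007F),  # Unicode "tag" characters (ASCII smuggling)
)
INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md", ".clinerules"}  # assumed set

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_invisible(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, name) for each invisible character."""
    findings = []
    # split on "\n" only: str.splitlines() would swallow U+2028/U+2029 as breaks
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings

def scan_tree(root: Path) -> dict[str, list]:
    """Scan instruction files under root; a non-UTF-8 file is itself a finding."""
    results = {}
    for path in root.rglob("*"):
        if path.name not in INSTRUCTION_FILES or not path.is_file():
            continue
        try:
            hits = find_invisible(path.read_text(encoding="utf-8"))
        except UnicodeDecodeError:
            hits = [(0, 0, "?", "not valid UTF-8, inspect manually")]
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    found = scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, hits in found.items():
        for line, col, cp, name in hits:
            print(f"{path}:{line}:{col}: {cp} {name}")
    sys.exit(1 if found else 0)  # non-zero exit lets CI block the merge
```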

3. Audit recent npm postinstall scripts

find node_modules -name package.json -exec jq -r \
  'select(.scripts.preinstall or .scripts.install or .scripts.postinstall)
   | "\(.name)@\(.version): \(.scripts.postinstall // .scripts.install // .scripts.preinstall)"' {} \; 2>/dev/null

(npm ls --json does not include package scripts, so the lifecycle hooks have to be read from each installed package.json; preinstall and install hooks run at the same point as postinstall and are listed too.)

Cross-check anything with a postinstall against the package's published source on its registry page.

4. Disable build script execution by default

# pnpm (ignore-scripts is read from .npmrc; side-effects-cache and enable-pre-post-scripts
# only affect caching and `pnpm run` pre/post hooks, they do not stop install scripts)
pnpm config set ignore-scripts true

# npm
npm config set ignore-scripts true

Re-enable only for known-good packages. This single switch would have blocked the npm and Rust execution paths cold.

5. Rotate AI assistant API tokens

If your machine ran any of the listed packages in the last week, treat your Anthropic, OpenAI, GitHub, and cloud provider tokens as compromised. Rotate them and check audit logs for unexpected API calls.

Why This Matters for MENA Teams

Many engineering teams across Tunisia, Saudi Arabia, the UAE, and Egypt have adopted Cursor, Claude Code, and similar AI assistants over the last year, often faster than they have rolled out formal supply chain controls. TrapDoor's design assumes exactly that gap. The combination of fast AI tool adoption and slow security tooling adoption is the attacker's ideal substrate.

Concretely, what we recommend for our clients:

  • Treat .cursorrules and CLAUDE.md as security-sensitive files. Code review them on every change, same as Dockerfile or .github/workflows/.
  • Require ignore-scripts by default in CI runners and lock package install behavior in the base image, not the project.
  • Set up Socket, Snyk, or osv-scanner in pre-merge checks. Median time-to-detect for TrapDoor was under six minutes — your CI can catch a malicious package before it lands on a developer laptop.
  • Quarantine new dependencies for 24 hours before allowing them in production projects. Most supply chain payloads get pulled within hours of disclosure.

The Bigger Lesson

TrapDoor is the moment AI coding tools officially joined the supply chain attack surface. The economic logic for attackers is overwhelming: a single poisoned CLAUDE.md that gets committed to a popular repo can hijack hundreds of downstream agents, each with full read access to its developer's machine and cloud accounts. We should expect more of this, not less.

The defense is not to stop using AI coding tools — that ship has sailed. The defense is to bring the same engineering discipline we apply to Docker images, IAM policies, and CI runners to the configuration files our AI agents read. Pinned versions. Mandatory review. Static scanning for hidden Unicode. Least privilege for tokens. The basics still work; they just have to extend to the new surface.

If you would like a hands-on review of your team's AI tooling and dependency pipeline against the TrapDoor attack pattern, reach out to the Noqta security team. The next campaign is already being staged.