Security researchers at Socket have uncovered TrapDoor, one of the most sophisticated supply chain attacks of 2026 — a coordinated campaign deploying 34 malicious packages across npm, PyPI, and Crates.io simultaneously, targeting developers in the crypto, DeFi, AI, and security communities.
Key Highlights
- 34 malicious packages and 384+ versions spread across npm (21), PyPI (7), and Crates.io (6)
- Steals crypto wallet keys, SSH keys, AWS credentials, GitHub tokens, browser data, and environment variables
- First observed May 22, 2026; attackers actively pushed new releases even after takedowns
- Median detection time by Socket: 5 minutes, 27 seconds — fastest detection was 58 seconds after publication
- Attackers submitted malicious pull requests to LangChain, LlamaIndex, MetaGPT, OpenHands, and browser-use
A New Attack Vector: AI Coding Assistants
What makes TrapDoor especially alarming is its deliberate targeting of AI coding assistants like Cursor and Claude. The malicious packages plant modified .cursorrules and CLAUDE.md files containing hidden instructions encoded with zero-width Unicode characters. When a developer opens the infected project and uses an AI assistant, the assistant reads those files as trusted configuration — and may unknowingly execute commands that exfiltrate secrets.
The attacker also opened pull requests on major open-source AI projects — LangChain, LlamaIndex, MetaGPT, OpenHands, and browser-use — attempting to inject these malicious config files directly into codebases used by millions of developers worldwide.
How the Attack Works
TrapDoor uses ecosystem-native execution paths to maximize infection:
- npm: Postinstall hooks execute a 1,149-line credential harvester (trap-core.js) that validates stolen AWS and GitHub tokens via live API calls, then attempts SSH-based lateral movement across the developer's network
- PyPI: Packages auto-execute on import, downloading and running JavaScript payloads from an attacker-controlled GitHub Pages domain via node -e
- Crates.io: Malicious build.rs scripts search for local wallet keystores, XOR-encrypt them with the key cargo-build-helper-2026, and exfiltrate the data to GitHub Gists
Persistence is established through multiple vectors: .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd services, and cron jobs — making cleanup difficult after initial compromise.
Targeted Package Names
Packages were crafted with names that appear legitimate to developers in the affected communities:
npm examples: crypto-credential-scanner, prompt-engineering-toolkit, solidity-deploy-guard, llm-context-compressor, wallet-security-checker
PyPI examples: eth-security-auditor, defi-risk-scanner, cryptowallet-safety
Crates.io examples: sui-move-build-helper, move-compiler-tools, sui-framework-helpers
What You Should Do
If you installed any npm, PyPI, or Crates.io packages from unfamiliar sources in the past week:
- Audit your lockfiles and check installed packages against the full IOC list published by Socket
- Rotate credentials immediately: SSH keys, AWS credentials, GitHub tokens, and any crypto wallet passphrases
- Check for unexpected files: Look for .cursorrules or CLAUDE.md files you did not create in your project roots
- Review CI/CD pipelines for signs of credential exfiltration or unexpected outbound traffic
- Pin exact package versions — avoid using ^ or latest in your dependency specifications
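A defender-side check for the hidden-instruction files described above, written here as an added example rather than code from Socket's report: it walks a project tree for .cursorrules and CLAUDE.md files and flags any invisible Unicode format characters (zero-width spaces and joiners, word joiners, BOMs, tag characters) they contain. The sample file contents are constructed; the function and file names are this example's own.

```python
"""Flag .cursorrules / CLAUDE.md files carrying invisible Unicode characters.
Added example, not code from Socket's report; sample contents are constructed."""
import os
import tempfile
import unicodedata
from pathlib import Path

AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}

# Constructed sample: a plausible rules file with three zero-width characters
# (U+200B, U+200D, U+200B) spliced between two visible lines.
SAMPLE = "# Project rules\nUse TypeScript.\n\u200b\u200d\u200b\nRun tests before commit.\n"

def hidden_chars(text: str) -> list[tuple[int, str]]:
    """Return (offset, 'U+XXXX') for every character in Unicode category Cf.
    Cf (format) covers zero-width space/joiners U+200B..U+200D, word joiner
    U+2060, BOM U+FEFF and the tag block U+E0000..U+E007F: invisible in an
    editor, but read verbatim by an assistant that loads the file."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def visible_text(text: str) -> str:
    """Drop the invisible characters so the file reads as a human reviewer sees it."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def scan_project(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk root (node_modules included, since a package can ship these files)
    and map each offending AI config file, relative to root, to its hits."""
    findings: dict[str, list[tuple[int, str]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name in AI_CONFIG_NAMES:
                path = Path(dirpath, name)
                hits = hidden_chars(path.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings

def demo() -> dict[str, list[tuple[int, str]]]:
    """Scan a temp project holding the constructed sample beside a clean
    .cursorrules; only CLAUDE.md should be reported."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "CLAUDE.md").write_text(SAMPLE, encoding="utf-8")
        Path(root, ".cursorrules").write_text("Prefer small commits.\n", encoding="utf-8")
        return scan_project(root)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: hidden characters at offsets {[i for i, _ in hits]}")
```

Run it against a real checkout with scan_project(".") and review visible_text() of any flagged file alongside the raw bytes before deciding whether the file is yours.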
Background
Supply chain attacks targeting developer registries have grown sharply in 2026. What separates TrapDoor from prior campaigns is the combination of cross-ecosystem reach, AI assistant hijacking, and real-time credential validation — attackers verify stolen tokens are still active before exfiltrating, maximizing the value of each compromise.
Socket's security team classified all 34 packages as malicious and reported findings to the npm, PyPI, and Crates.io registries. Monitoring for new packages tied to the same infrastructure continues.
Source: Socket Security