A new supply chain campaign has been caught trying to turn AI coding assistants against the developers who use them.
Socket researchers have identified an active cross-ecosystem campaign they are tracking as TrapDoor, spanning more than 34 malicious packages and over 384 versions and artifacts across npm, PyPI, and Crates.io.
The packages posed as generic developer tools and security scanners, with names chosen to blend into the crypto, DeFi, Solana, and AI developer communities the campaign targeted.
The standout technique was the abuse of AI-facing project files. TrapDoor plants modified .cursorrules and CLAUDE.md files, the configuration files that steer AI coding assistants like Cursor and Claude Code.
The instructions were hidden in zero-width Unicode characters, designed to coax those assistants into scanning for and exfiltrating sensitive files on the developer’s behalf.
Socket noted the AI-directed approach may not work reliably across every model and tool. Socket described the AI-directed approach as experimental. But it signals where credential-theft tradecraft is heading: not just tricking the developer, but tricking the developer’s assistant.
A Coordinated Push Across Three Registries
Beneath the AI hook, TrapDoor was a disciplined operation. The earliest package Socket observed was the PyPI upload eth-security-auditor 0.1.0, published May 22, 2026, after which packages rolled out in waves across all three registries and were updated repeatedly through the weekend.
Each registry got a tailored execution path. The npm packages fired a postinstall hook that executed a shared 1,149-line payload. The PyPI packages then executed remote JavaScript on import. The Crates.io packages abused build.rs build scripts during Rust compilation, targeting Sui and Move developers as the code compiled.
After execution, TrapDoor targeted Sui, Solana, and Aptos wallet keys and keystores, SSH keys, browser profiles, API keys, AWS environment variables, and GitHub tokens.
The malware also reused stolen SSH keys to automate lateral movement, turning one compromised device into a foothold for reaching further across a network. Persistence was established through systemd services, cron jobs, Git hooks, and shell hooks.
Socket said it detected TrapDoor releases with a median time of five minutes and 27 seconds after publication, classifying the campaign as malicious well before wide adoption. Some malicious versions remained live in public registries at the time of writing.
The campaign lands the same day that GitHub rolled out new npm security controls aimed at this category of attack, including staged publishing, which lets maintainers approve a release before it goes public.
Those controls harden the publishing side, but TrapDoor runs its npm payload at install time on the developer’s machine, a vector the new controls were not designed to address.
