If you install open-source packages — and every developer does — there’s a fresh campaign you need to know about. It’s called TrapDoor, and it’s notable for two reasons: it hit three package ecosystems at once, and it deliberately poisons AI coding assistants like Cursor and Claude Code.

Researchers flagged the campaign starting May 22, 2026. As of now it spans 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io. The goal is straightforward and nasty: steal developer credentials and crypto wallet keys.

What is the TrapDoor supply chain attack?

TrapDoor is a coordinated, cross-ecosystem credential-stealing campaign. Instead of targeting one package manager, the attackers published malicious packages to npm (JavaScript), PyPI (Python), and Crates.io (Rust) simultaneously.

The packages masquerade as legitimate libraries aimed at developers in the crypto, DeFi, Solana, and AI communities — exactly the people most likely to have valuable wallet keys and cloud credentials sitting on their machines.

According to Socket’s research team, the earliest malicious version went live on May 22 at 8:20 p.m. UTC, with new packages published in waves since.

How it runs on your machine

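TrapDoor adapts its execution trigger to each ecosystem, which is what makes it dangerous across the board: npm packages run via postinstall hooks, PyPI packages via auto-execution on import, and Crates.io crates via the Rust build.rs build script.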

The common thread: in all three cases, you don’t have to use the library for the attack to succeed. Installing or building is enough. That’s the worst kind of supply chain malware because normal “I’ll just look at it first” caution doesn’t help.
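An added example, not code from the article or from any vendor it cites: a Python audit that walks a dependency tree and lists npm packages declaring preinstall/install/postinstall scripts and Rust crates shipping a build.rs, the install-time and build-time triggers the article names. The sample tree and its package names are constructed; the PyPI import-time trigger is not covered because it cannot be read off a manifest.

```python
import json
import os

# npm lifecycle scripts that run automatically when a dependency is installed.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample tree (package names are made up for this example).
SAMPLE_TREE = {
    "node_modules/constructed-pkg-a/package.json": '{"scripts": {"postinstall": "node setup.js"}}',
    "node_modules/constructed-pkg-b/package.json": '{"scripts": {"test": "jest"}}',
    "vendor/constructed-crate/Cargo.toml": '[package]\nname = "constructed-crate"\n',
    "vendor/constructed-crate/build.rs": "fn main() {}\n",
}


def write_sample(root):
    """Materialize SAMPLE_TREE under root so the audit can run offline."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def npm_hooks(manifest_path):
    """Return {hook: command} for install-time scripts in one package.json."""
    try:
        with open(manifest_path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return {}  # unreadable or malformed manifest: nothing to report
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {h: scripts[h] for h in NPM_INSTALL_HOOKS if h in scripts}


def find_install_time_code(root):
    """List (ecosystem, directory, detail) for npm hooks and Cargo build scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if "package.json" in files:
            for hook, cmd in npm_hooks(os.path.join(dirpath, "package.json")).items():
                findings.append(("npm", rel, f"{hook}: {cmd}"))
        # Cargo runs build.rs beside Cargo.toml by default; a custom
        # `build = "..."` path in the manifest is not resolved here.
        if "Cargo.toml" in files and "build.rs" in files:
            findings.append(("cargo", rel, "build.rs"))
    return sorted(findings)
```

Run `find_install_time_code()` on a tree fetched with install scripts disabled, then read each listed script before allowing it to execute.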

The new twist: poisoning AI coding assistants

Here’s what sets TrapDoor apart from the dozens of credential-stealers that came before it. The malware deliberately targets AI coding assistants by modifying their configuration files.

Specifically, it tampers with .cursorrules (Cursor’s project rules file) and CLAUDE.md (the project-context file Claude Code reads). The attackers inject malicious instructions into these files using zero-width Unicode characters — invisible characters that don’t show up when you eyeball the file but are still read by the AI.

The point is to turn your own AI assistant against you. If your coding agent reads a poisoned CLAUDE.md or .cursorrules, it can be manipulated into suggesting or executing harmful actions while looking like it’s following project instructions. Phoenix Security documented this AI-poisoning behavior in detail.

This is one of the first widely reported supply chain campaigns to treat AI dev tooling as an attack surface. Expect to see a lot more of it.

What it steals

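Once it runs, TrapDoor is a comprehensive infostealer. Confirmed targets include SSH keys, crypto wallet keystores (Sui, Solana, Aptos), AWS credentials, GitHub tokens, browser-saved passwords, crypto wallet extension data, environment variables, API keys, and local dev config files.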

For a developer working in crypto or AI, that’s basically the keys to the kingdom — wallet funds, cloud infrastructure, source code repositories, and production secrets, all in one sweep.

Who’s affected and how bad is it?

If you’ve installed packages from npm, PyPI, or Crates.io since May 22 — particularly anything crypto, DeFi, Solana, or AI-tooling related — you’re in the potential blast radius.

The good news: detection has been fast. Socket reported catching TrapDoor releases in an average of 5 minutes and 56 seconds after publication, with the fastest catch at 58 seconds. That rapid detection limits how long each malicious package stays live, but it doesn’t help if you happened to install during that window.

What to do right now

Five steps, in order:

  1. Audit recent installs. Review anything you installed from npm, PyPI, or Crates.io since May 22, especially crypto/AI-related packages. Check install logs and lockfile changes.
  2. Inspect your AI config files. Open .cursorrules and CLAUDE.md in your projects. Because the injected content uses zero-width Unicode, view them in a hex editor or run them through a tool that reveals invisible characters — don’t trust a normal text-editor glance.
  3. Rotate credentials if you have any doubt. SSH keys, AWS keys, GitHub tokens, API keys. If you installed a suspect package, assume these leaked and rotate them.
  4. Move crypto funds if wallets were on the machine. If you hold Sui, Solana, or Aptos keys locally and installed anything questionable, transfer funds to a fresh wallet immediately.
  5. Pin and verify dependencies going forward. Use lockfiles, enable a supply-chain scanner (Socket, Snyk, etc.), and disable install scripts where you can (npm install --ignore-scripts for inspection).
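An added example (not from the article or the researchers it cites) for step 2 and for the AI-assistant poisoning described earlier: a Python scanner that reports every invisible Unicode format character in .cursorrules and CLAUDE.md files with its line, column and code point. It generalizes from zero-width characters to the whole Unicode Cf category; the sample text is constructed and carries no hidden payload.

```python
import os
import unicodedata

# File names taken from the article; extend the set for other assistants' rule files.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}


def invisible_chars(text):
    """List (line, column, codepoint, name) for every invisible format character.

    Unicode category Cf covers zero-width space and joiners, the word joiner,
    bidi controls, the BOM and tag characters, none of which render as glyphs.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNNAMED")))
    return hits


def reveal(text):
    """Return text with each invisible character shown as a visible <U+XXXX> tag."""
    return "".join(f"<U+{ord(c):04X}>" if unicodedata.category(c) == "Cf" else c
                   for c in text)


def scan_tree(root):
    """Map each AI config file under root to its invisible-character hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in AI_CONFIG_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = invisible_chars(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: harmless rules text with two zero-width characters on line 2.
SAMPLE = "# Project rules\nUse strict mode.\u200b\u200d\nRun tests.\n"

if __name__ == "__main__":
    for hit in invisible_chars(SAMPLE):
        print(hit)
    print(reveal(SAMPLE))
```

Legitimate Cf characters exist (a leading byte-order mark, joiners inside emoji or some scripts), so treat each hit as a place to read closely rather than as proof of tampering.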

The bigger pattern

TrapDoor isn’t happening in isolation. It landed in the same window as the Mini Shai-Hulud worm, which compromised hundreds of npm packages and even Microsoft’s durabletask Python SDK by hijacking GitHub Actions pipelines.

The throughline: open-source supply chains are now a primary battleground, and attackers are automating the whole process — mass-publishing, cross-ecosystem targeting, and now poisoning the AI tools developers lean on. The old advice (“only install trusted packages”) is getting harder to follow when trusted packages get hijacked at the source.

Frequently asked questions

What is the TrapDoor malware campaign?

TrapDoor is a cross-ecosystem software supply chain attack that distributed 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io starting May 22, 2026. It steals developer credentials and crypto wallet keys, and notably poisons AI coding assistant config files.

How does TrapDoor infect a developer’s machine?

It runs automatically on package install or import: npm via postinstall hooks, PyPI via auto-execution on import, and Crates.io via the Rust build.rs build script. You don’t need to actively use the library — installing or building it is enough to trigger the payload.

What does TrapDoor steal?

SSH keys, crypto wallet keystores (Sui, Solana, Aptos), AWS credentials, GitHub tokens, browser-saved passwords, crypto wallet extension data, environment variables, API keys, and local dev config files.

How does TrapDoor target AI coding assistants?

It modifies .cursorrules and CLAUDE.md files using zero-width Unicode characters to hide malicious instructions. These invisible prompts can manipulate AI assistants like Cursor and Claude Code into harmful behavior while appearing to follow normal project rules.

How can I tell if a package is part of TrapDoor?

Use a supply-chain security scanner like Socket or Snyk, which flagged TrapDoor packages within minutes of publication. Manually, be suspicious of new or recently updated crypto/DeFi/Solana/AI packages with install or build scripts, and audit anything installed since May 22, 2026.

Should I stop using npm, PyPI, or Crates.io?

No — that’s not realistic. Instead, pin dependencies with lockfiles, enable a supply-chain scanner, inspect packages with install scripts disabled (npm install --ignore-scripts), and rotate credentials if you suspect exposure. The ecosystems themselves aren’t the problem; unvetted automatic installs are.

Bottom line

TrapDoor is a sign of where supply chain attacks are heading: multi-ecosystem, automated, and now aimed at the AI tools sitting between you and your code. If you work in crypto or AI development, audit your recent installs, check your CLAUDE.md and .cursorrules for hidden characters, and rotate anything you can’t vouch for.

Last updated: May 26, 2026.