Quick summary
- Socket researchers discovered "TrapDoor" - a coordinated supply chain attack spanning npm, PyPI and Crates.io
- 34 malicious packages across 384+ versions designed to steal SSH keys, crypto wallets, AWS credentials and API tokens
- Attackers embed invisible Unicode characters in .cursorrules and CLAUDE.md files that AI coding tools read as instructions
- The AI runs a fake "security scan" that silently exfiltrates everything on the developer's machine
- Real pull requests were opened against LangChain, LlamaIndex, MetaGPT and OpenHands to plant these files
- Persistence mechanisms include Git hooks, systemd services, cron jobs and SSH-based lateral movement
- If your team uses Cursor, Claude Code or similar AI tools, audit your repos for these files immediately
If you use AI coding assistants - Cursor, Claude Code, GitHub Copilot, Cline - there is something you need to understand right now. Attackers have figured out how to weaponise the configuration files these tools rely on, and the technique is both simple and difficult to spot.
On May 24, 2026, security researchers at Socket published their findings on a campaign they're tracking as TrapDoor. It spans three major package registries, targets developers in crypto, DeFi, AI and security communities, and uses a method that turns your AI assistant into an unwitting accomplice.
The Attack Vector: Files Your AI Trusts Implicitly
Here is the core problem. Tools like Cursor and Claude Code read project-level configuration files - .cursorrules, CLAUDE.md, .github/copilot-instructions.md - to understand how they should behave in a given repository. These files tell the AI what coding conventions to follow, what frameworks to prefer, how to structure output.
Developers trust these files because they wrote them. Or they think they did.
The TrapDoor attackers embed instructions using zero-width Unicode characters. These are invisible in any standard text editor or code review interface. A human looking at the file sees normal configuration. The AI sees hidden directives telling it to run a "security scan" - which is actually a credential harvester.
What gets stolen: SSH keys, crypto wallet data (Sui, Solana, Aptos), AWS credentials, GitHub tokens, browser login databases, environment variables, API keys and local development configuration files. The npm payload also validates stolen AWS and GitHub credentials using API calls to filter out expired tokens.
How TrapDoor Actually Works
The campaign is not a single trick. It is a coordinated, multi-ecosystem operation.
npm: Postinstall Hooks and Persistent Harvesting
21 malicious npm packages use postinstall hooks to deploy a shared payload called trap-core.js - a 1,149-line credential harvester. Once installed, it scans for secrets, validates stolen credentials against AWS and GitHub APIs, and plants persistence through multiple vectors: .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd services, cron jobs and SSH.
The SSH component is worth noting specifically. The malware reuses stolen SSH keys to attempt lateral movement into other systems. A single compromised development machine can become a bridge into production infrastructure.
Package names include prompt-engineering-toolkit, llm-context-compressor, dev-env-bootstrapper and workspace-config-loader. The names are deliberately chosen to look like the sort of thing a developer would install without thinking twice.
PyPI: Remote JavaScript Execution on Import
7 malicious PyPI packages auto-execute on import. They download JavaScript from an attacker-controlled GitHub Pages domain and run it using node -e. By hosting the payload externally, the attacker can update behaviour without publishing a new PyPI release.
Crates.io: Build Script Exfiltration
6 Rust packages targeting Sui and Move developers use build.rs - which runs automatically during compilation - to search for local keystores, encrypt them using a hardcoded XOR key, and exfiltrate them to GitHub Gists. The code runs before the developer even calls any package function.
They Opened Real PRs to Major AI Projects
This was not just about publishing packages. The attacker's GitHub account (ddjidd564) opened pull requests against real, widely-used projects:
- LangChain (langchain-ai/langchain)
- LlamaIndex (run-llama/llama_index)
- MetaGPT (FoundationAgents/MetaGPT)
- OpenHands (OpenHands/OpenHands)
- browser-use (browser-use/browser-use)
- Langflow (langflow-ai/langflow)
The PRs had titles like "docs: add .cursorrules with dev standards and build verification" and "docs: add CLAUDE.md with dev standards and build verification." Boring, harmless-looking documentation changes. The kind of PR that might get merged without close scrutiny in a busy open source project.
Had any of these been merged, every developer who cloned the repository would have had invisible malicious instructions loaded into their AI coding assistant automatically.
The Attacker Published Their Own Playbook
In a detail that borders on brazen, the attacker's GitHub Pages repository contains an AUDIT-MATRIX.md document describing a "Universal AI Agent Extraction Framework." It outlines staged workflows for capability detection, data extraction, self-replication and telemetry reporting.
The document includes a "disguise layer" that maps credential theft to benign-sounding tasks: security audits, wallet safety checks, cloud configuration validation, repository security reviews. This mirrors the campaign's broader approach - present extraction as helpful developer automation.
Why This Matters Beyond Crypto
The TrapDoor campaign targeted crypto developers because that is where the immediate money is. Steal a wallet keystore and you can drain it in minutes. But the technique - poisoning AI configuration files with invisible instructions - works against any team using AI coding tools.
Think about what sits on a typical developer's machine. Cloud credentials. Database connection strings. API keys for payment processors. SSH keys to production servers. Internal documentation. Customer data in local development databases.
Now think about how many teams have adopted Cursor or Claude Code in the past twelve months without updating their security review process to account for AI-specific attack surfaces.
What You Should Do Right Now
1. Audit Your Repositories
Search every repository your team works on for .cursorrules, CLAUDE.md, and .github/copilot-instructions.md files. Open them in a hex editor, not a text editor. Look for zero-width characters (U+200B, U+200C, U+200D, U+FEFF, U+2060). If you find any, treat it as a security incident.
2. Review Recent Pull Requests
Check your project's PR history for any additions of AI configuration files from external contributors. These files should be treated with the same scrutiny as changes to CI/CD pipelines or deployment scripts.
3. Pin Your Dependencies
If you are using any of the packages listed in Socket's report, remove them immediately. More broadly, review recently added dependencies - particularly anything installed in the past week that sounds like a developer utility or security tool.
4. Update Your Code Review Process
AI configuration files need to be in your code review checklist. Any PR that adds or modifies .cursorrules, CLAUDE.md, or similar files should require explicit approval from a security-aware reviewer.
5. Consider a Supply Chain Security Tool
Socket detected TrapDoor within six minutes of the first packages appearing. Tools like Socket, Snyk and npm audit provide automated scanning that catches malicious packages before they reach your codebase.
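An added example, not code from Socket's report or from this article, that automates the audit in step 1: a Python scanner that walks a checkout for .cursorrules, CLAUDE.md and copilot-instructions.md and reports the line and column of every invisible character, using the code points listed above and generalising to the whole Unicode "Cf" format category. The two sample rules files it scans are constructed here for illustration.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Code points the article names; the Unicode "Cf" (format) category check in
# find_hidden_chars generalises to other invisible controls (e.g. bidi overrides).
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0xFEFF, 0x2060}
AI_CONFIG_FILES = {".cursorrules", "CLAUDE.md", "copilot-instructions.md"}

# Constructed samples: a clean rules file and one carrying hidden characters.
CLEAN_SAMPLE = "# Project rules\nUse TypeScript strict mode.\n"
POISONED_SAMPLE = "\ufeff# Project rules\nUse TypeScript strict\u200b mode.\u2060\n"

def find_hidden_chars(text):
    """Return (line, column, 'U+XXXX', name) for every invisible character."""
    hits, line, col = [], 1, 0
    for i, ch in enumerate(text):
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        if i == 0 and ch == "\ufeff":
            continue  # a leading U+FEFF is just a byte-order mark, not a hit
        if ord(ch) in ZERO_WIDTH or unicodedata.category(ch) == "Cf":
            hits.append((line, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits

def scan_repo(root):
    """Walk a checkout and map each AI config file with hidden chars to its hits."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if name in AI_CONFIG_FILES:
                path = Path(dirpath, name)
                hits = find_hidden_chars(path.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Write the constructed samples into a temporary repo and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, ".cursorrules").write_text(CLEAN_SAMPLE, encoding="utf-8")
        Path(root, "sub").mkdir()
        Path(root, "sub", "CLAUDE.md").write_text(POISONED_SAMPLE, encoding="utf-8")
        return scan_repo(root)

if __name__ == "__main__":
    print(demo())
```

A U+200D that joins a legitimate emoji sequence will also be reported, so review each hit rather than failing on the count alone.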
The Broader Signal
This is not an isolated incident. The "Rules File Backdoor" technique was first documented by Pillar Security in February 2025. What we are seeing now is the weaponised, production-grade version - coordinated across ecosystems, with persistence mechanisms, lateral movement capability and an operational playbook.
AI coding assistants are becoming standard development tools. They are also becoming standard attack surfaces. The gap between how much trust these tools place in configuration files and how much scrutiny those files receive is a vulnerability that will continue to be exploited.
The organisations that adapt their security practices to account for AI-specific vectors will avoid becoming case studies. The ones that do not will find out the hard way that the code their AI wrote was following someone else's instructions.
Frequently Asked Questions
What are .cursorrules and CLAUDE.md files?
These are project-level configuration files used by AI coding assistants (Cursor and Claude Code respectively) to set behaviour, coding conventions and project-specific instructions. They are loaded automatically when the AI works in a repository.
How do invisible Unicode characters work in this attack?
Zero-width Unicode characters (like U+200B and U+FEFF) take up no visible space in text editors or code review tools. Humans cannot see them. AI models, however, process them as part of the input and follow any instructions they encode.
Which packages were affected?
Socket identified 34 malicious packages across npm (21 packages), PyPI (7 packages) and Crates.io (6 packages). The full list is available in Socket's TrapDoor research report.
Is my team at risk if we use Cursor or Claude Code?
If your team uses any AI coding assistant that reads project configuration files, you should audit your repositories. The risk is highest if you have installed unfamiliar npm, PyPI or Cargo packages recently, or if external contributors have added AI configuration files to your projects.
How was the attack detected?
Socket's automated scanning detected the malicious packages within six minutes of their first appearance on registries. The connection between npm, PyPI and Crates.io packages was identified through shared infrastructure, specifically an attacker-controlled GitHub Pages domain and the campaign marker P-2024-001.