TrapDoor hits 34 packages and turns AI coding configs into attack paths
Original: TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages Across npm, PyPI, and Crates.io
Developer machines are the target surface again, and TrapDoor shows how quickly that surface now stretches beyond package scripts. Socket says the campaign began on May 22, 2026 at 20:20:18 UTC and spread more than 34 malicious packages across npm, PyPI, and Crates.io, covering more than 384 versions. The packages were aimed at crypto, DeFi, Solana, Sui, Move, security, and AI development workflows where wallet files, SSH keys, cloud credentials, and GitHub tokens often sit close to the build environment.
The campaign matters because it was built for multiple ecosystems at once. According to Socket's report, 21 npm packages used postinstall hooks to run a shared trap-core.js payload. Seven PyPI packages executed on import, fetched JavaScript from an attacker-controlled GitHub Pages domain, and ran it through node -e. Six Crates.io packages used Rust build.rs scripts, which execute during compilation, to search for local cryptocurrency keystores and exfiltrate encrypted data.
The malware did not stop at collecting files. The npm payload scanned for credentials, checked AWS and GitHub tokens against live APIs, planted Git and shell hooks, created cron jobs and systemd services, and attempted lateral movement with stolen SSH keys. That is a full developer-workstation compromise path, not a narrow package scare. A successful install could expose source repositories, deployment secrets, CI/CD tokens, cloud accounts, and wallets from the same machine.
The newer attack path is aimed at AI-assisted coding. TrapDoor wrote .cursorrules and CLAUDE.md files containing hidden instructions designed to make AI coding assistants treat secret discovery and exfiltration as a security scan. Socket also observed pull requests into projects including LangChain, Langflow, LLaMA Index, MetaGPT, OpenHands, and browser-use that attempted to introduce .cursorrules files with hidden Unicode and links to attacker infrastructure. That turns workspace context into part of the execution chain.
This is why the incident is more than another malicious-package list. As part of their normal workflow, AI coding assistants read nearby files, infer developer intent, and act across repositories. If an attacker can land an instruction file in a trusted repo, the assistant may become the bridge between inert text and privileged action. The human developer may never run an obviously suspicious command; the agent can be nudged to do the dangerous discovery work while appearing to follow local project guidance.
Teams should treat any install of the named packages as a potential compromise. Lock files, package caches, shell history, Git hooks, ~/.gitconfig, cron entries, systemd units, unexpected .cursorrules files, and CLAUDE.md changes all deserve review. Exposed SSH keys, GitHub tokens, AWS and cloud credentials, npm publish tokens, and wallet material should be rotated rather than debated.
The broader lesson is structural. Registry-specific scanners are too narrow for a build workstation that mixes JavaScript, Python, Rust, crypto tooling, and AI agents. npm audit will not reason about a Rust build script, and a Python scanner will not see an npm postinstall hook or an assistant instruction file. In the agent era, supply-chain defense has to inspect code, install-time behavior, and the files that tell coding assistants what to do.