TrapDoor Targets 34 Packages Across npm, PyPI and Crates.io to Steal Crypto Keys and Poison AI Assistants
| Field | Detail |
|---|---|
| Group | Attribution unconfirmed. Publisher accounts: npm (asdxzxc), PyPI (asdmini67, dae5411). Campaign marker P-2024-001. |
| Type | Cross-ecosystem supply chain credential stealer with AI assistant poisoning component |
| CVEs | None assigned. CWE-506 (Embedded Malicious Code) applies across all 34 packages. |
| Malware | trap-core.js — 1,149-line npm credential harvester (48,485 bytes); Crates.io build.rs stealer using XOR key cargo-build-helper-2026; PyPI remote-hosted JavaScript payload fetched from attacker GitHub Pages on import |
| Score | 🔴 9.5 Critical. Active credential theft across three ecosystems with confirmed lateral movement, irreversible crypto wallet compromise, and a novel AI assistant poisoning technique with no CVE assigned and no vendor patch available. |
| Observed | May 2026. Earliest confirmed artifact May 19, 2026. First widely reported May 25, 2026 (Socket Security, The Hacker News). |
Overview
TrapDoor is an active cross-ecosystem supply chain campaign distributing credential-stealing malware across npm, PyPI, and Crates.io. Socket Security identified the operation across 34 malicious packages and 384 versions, with the earliest confirmed artifact — the PyPI package crypto-credential-scanner — dated May 19, 2026. The campaign targets developers in crypto, DeFi, Solana, and AI communities: environments where SSH keys, AWS credentials, GitHub tokens, and blockchain wallet keystores routinely coexist on the same workstation.
The packages impersonate plausible developer utilities. Names like mnemonic-safety-check, solidity-deploy-guard, and defi-threat-scanner read exactly like tools a blockchain developer would install without a second thought. Once installed, each package executes its malicious payload through an ecosystem-specific delivery path before any user interaction occurs: postinstall hooks in npm, import-time execution in PyPI, and build.rs compile-time scripts in Crates.io. No user needs to run anything. The act of installing or building is enough.
What distinguishes TrapDoor from a standard malicious package campaign is its deliberate weaponisation of AI coding assistants. The shared npm payload trap-core.js plants .cursorrules and CLAUDE.md files in project directories, embedding hidden instructions using zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF). Those characters are invisible in any standard text editor. Tools such as Cursor and Claude Code parse the full Unicode stream and act on the embedded directives, triggering a fake "security scan" that silently discovers and exfiltrates local secrets. The attacker also opened pull requests to major open-source AI repositories — including LangChain, LlamaIndex, MetaGPT, and OpenHands — to propagate the poisoned config files to every developer who subsequently clones those repositories.
TrapDoor carries no CVE. Traditional package scanners searching for known-vulnerable version histories return zero findings across all 34 packages. The threat is the code embedded inside the packages themselves. For any team relying on CVSS-based prioritisation, this campaign is effectively invisible without behavioral IOC matching against SBOM data.
Key Details
Delivery Method — Ecosystem-specific silent execution: postinstall hooks (npm), import-time node -e calls to remote JavaScript (PyPI), and Rust build.rs compile-time scripts (Crates.io). No user interaction required beyond package installation or project build.
Target — Blockchain and AI developers worldwide using npm, PyPI, and Crates.io, with specific sub-targeting of Sui and Move developers (Crates.io wave), Ethereum and Solana wallet holders, and users of AI coding assistants including Cursor and Claude Code.
Functions
- Scans local filesystem for SSH keys, AWS credential files, GitHub tokens, browser profile databases, crypto wallet extensions, and environment variables
- Validates stolen AWS and GitHub tokens in real time via live API calls before exfiltration, filtering for high-value credentials
- Exfiltrates credentials to attacker-controlled infrastructure including GitHub Gists (Crates.io path) and filev2.getsession[.]org
- Plants .cursorrules and CLAUDE.md files containing zero-width Unicode directives that hijack AI coding assistants into running a fake security scan which exfiltrates secrets
- Establishes multi-vector persistence via systemd user services, cron jobs, Git pre-push hooks, and shell RC modifications
- Modifies ~/.ssh/authorized_keys to grant persistent SSH access
- Reuses stolen SSH keys for automated lateral movement to connected systems
- Opens fraudulent pull requests to major AI open-source repositories to propagate poisoned config files
Obfuscation — Zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF) embedded in .cursorrules and CLAUDE.md files render the malicious instructions invisible in standard editors while remaining fully parsed by AI coding tools. PyPI packages host their payloads externally on attacker-controlled GitHub Pages, decoupling malicious logic from the registry artifact and allowing the attacker to update behavior without publishing a new package version.
Attack Vectors
The campaign unfolded in four documented phases.

Phase 1 (May 19–21): Eleven crypto and DeFi-themed npm packages were published from the asdxzxc npm publisher account with postinstall hooks executing early credential harvesting logic. Packages used iterative versioning at high cadence, suggesting active development during the live campaign window.

Phase 2 (May 22–23): Ten AI and dev-tool-themed npm packages were added, carrying the full trap-core.js payload along with .cursorrules and CLAUDE.md persistence artifacts. The package dev-env-bootstrapper served as both credential harvester and config delivery mechanism. Concurrent with this phase, the attacker opened pull requests to browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands. Each PR was titled "docs: add .cursorrules with dev standards and build verification" and pointed to ddjidd564.github.io/defi-security-best-practices/config.json while embedding the P-2024-001 campaign marker. GitHub flagged the PR files as containing hidden or bidirectional Unicode text.

Phase 3 (May 22–24): Seven PyPI packages were released under publishers asdmini67 and dae5411. Each package auto-executes on import, fetching a remote JavaScript payload from ddjidd564.github.io and running it via node -e. Hosting the payload externally decouples the delivery vehicle from the malicious logic: packages can remain in developers' lockfiles indefinitely while the server-side behavior is updated without any new registry release.

Phase 4 (May 24): Six Crates.io packages targeting Sui and Move blockchain developers were published. Each contains a build.rs script that fires during cargo build, scans for local Sui, Solana, and Aptos wallet keystores, encrypts the data with the hardcoded XOR key cargo-build-helper-2026, and exfiltrates the output to GitHub Gists. Because build.rs executes at compile time, most dependency analysis tooling does not inspect Rust build scripts for outbound network activity.
Following initial compromise via any of these paths, trap-core.js calls AWS STS GetCallerIdentity and GitHub /user API endpoints in real time to confirm whether harvested credentials are valid. Only confirmed high-value tokens are exfiltrated, reducing detection noise. Stolen SSH keys are then reused by an automated lateral movement routine, transforming a single compromised developer workstation into a persistent gateway into the broader corporate environment.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
Attacker Infrastructure
| Indicator | Type | Notes |
|---|---|---|
| ddjidd564[.]github[.]io | C2 / payload host | Hosts trap-core.js, config.json, AUDIT-MATRIX.md |
| ddjidd564[.]github[.]io/defi-security-best-practices/ | Config endpoint | Referenced in .cursorrules files planted via PRs |
| filev2.getsession[.]org | Exfiltration endpoint | Credential exfiltration for npm payload path |
| git-tanstack[.]com | Typosquat C2 | Exfiltration and payload delivery (single source — verify before blocking) |
| 83.142.209[.]194 | C2 IP | Confirmed C2 associated with PyPI Mistral AI package (single source — verify) |
| hxxps://git-tanstack[.]com/transformers[.]pyz | Payload URL | Remote Python artifact delivery (single source — verify before blocking) |
Attacker Accounts
| Indicator | Type | Notes |
|---|---|---|
| asdxzxc | npm publisher | Source of all 21 npm malicious packages |
| asdmini67 | PyPI publisher | Source of first four PyPI packages |
| dae5411 | PyPI publisher | Source of later PyPI packages |
| ddjidd564 | GitHub account | Hosts payload infrastructure; opened fraudulent PRs |
Campaign Markers and Files
| Indicator | Type | Notes |
|---|---|---|
| P-2024-001 | Campaign marker | Embedded in .cursorrules, CLAUDE.md, and config.json files |
| trap-core.js (48,485 bytes) | Payload file | 1,149-line npm credential harvester |
| cargo-build-helper-2026 | XOR encryption key | Hardcoded in all Crates.io build.rs payloads |
| AUDIT-MATRIX.md | Attacker playbook | Documents 'Universal AI Agent Extraction Framework' |
Malicious npm Packages (Wave 1 — Crypto and DeFi, May 19–21)
| Package | Type | Publisher |
|---|---|---|
| crypto-credential-scanner | npm credential stealer | asdxzxc |
| wallet-backup-verifier | npm credential stealer | asdxzxc |
| defi-threat-scanner | npm credential stealer | asdxzxc |
| wallet-security-checker | npm credential stealer | asdxzxc |
| chain-key-validator | npm credential stealer | asdxzxc |
| defi-env-auditor | npm credential stealer | asdxzxc |
| eth-wallet-sentinel | npm credential stealer | asdxzxc |
| mnemonic-safety-check | npm credential stealer | asdxzxc |
| solidity-deploy-guard | npm credential stealer | asdxzxc |
| web3-secrets-detector | npm credential stealer | asdxzxc |
| deployment-key-auditor | npm credential stealer | asdxzxc |
Malicious npm Packages (Wave 2 — AI and Dev-Tool, May 22–23)
| Package | Type | Publisher |
|---|---|---|
| dev-env-bootstrapper | npm stealer with AI poisoning | asdxzxc |
| project-init-tools | npm stealer with AI poisoning | asdxzxc |
| workspace-config-loader | npm stealer with AI poisoning | asdxzxc |
| node-setup-helpers | npm stealer with AI poisoning | asdxzxc |
| build-scripts-utils | npm stealer with AI poisoning | asdxzxc |
| llm-context-compressor | npm stealer with AI poisoning | asdxzxc |
| token-usage-tracker | npm stealer with AI poisoning | asdxzxc |
| model-switch-router | npm stealer with AI poisoning | asdxzxc |
| prompt-engineering-toolkit | npm stealer with AI poisoning | asdxzxc |
| async-pipeline-builder | npm stealer with AI poisoning | asdxzxc |
Malicious PyPI Packages (May 22–24)
| Package | Type | Publisher |
|---|---|---|
| cryptowallet-safety | PyPI remote-hosted stealer | asdmini67 |
| defi-risk-scanner | PyPI remote-hosted stealer | asdmini67 |
| eth-security-auditor | PyPI remote-hosted stealer | asdmini67 |
| solidity-build-guard | PyPI remote-hosted stealer | asdmini67 |
| env-loader-cli | PyPI remote-hosted stealer | dae5411 |
| git-config-sync | PyPI remote-hosted stealer | dae5411 |
| data-pipeline-check | PyPI remote-hosted stealer | dae5411 |
Malicious Crates.io Packages (May 24)
| Package | Type | Publisher |
|---|---|---|
| sui-move-build-helper | Rust build.rs wallet stealer | Unknown |
| sui-framework-helpers | Rust build.rs wallet stealer | Unknown |
| sui-sdk-build-utils | Rust build.rs wallet stealer | Unknown |
| move-analyzer-build | Rust build.rs wallet stealer | Unknown |
| move-compiler-tools | Rust build.rs wallet stealer | Unknown |
| move-project-builder | Rust build.rs wallet stealer | Unknown |
Persistence Artifacts
| Persistence Vector | Location | Purpose |
|---|---|---|
| .cursorrules | Project root | Poisons Cursor AI with hidden credential-exfil instructions |
| CLAUDE.md | Project root | Poisons Claude Code with hidden zero-width Unicode directives |
| Git pre-push hook | .git/hooks/pre-push | Executes payload on every git push from the compromised repository |
| Shell hook | ~/.bashrc, ~/.zshrc | Executes payload on every new shell session |
| systemd service | ~/.config/systemd/user/ | Maintains persistence across reboots |
| Cron job | User crontab | Scheduled re-execution of harvesting payload |
| SSH authorized_keys | ~/.ssh/authorized_keys | Grants attacker persistent SSH access; enables lateral movement |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1195.001 | Supply Chain Compromise: Software Dependencies | 34 malicious packages published across npm, PyPI, and Crates.io impersonating legitimate development utilities |
| T1059 | Command and Scripting Interpreter | Postinstall hooks (npm), node -e remote fetch (PyPI), and build.rs scripts (Crates.io) execute credential harvesting logic during standard developer workflows |
| T1552.001 | Unsecured Credentials: Credentials In Files | Systematic filesystem scan for ~/.aws/credentials, ~/.ssh/id_rsa, browser profile databases, .env files, and crypto wallet extension data |
| T1098.004 | Account Manipulation: SSH Authorized Keys | trap-core.js modifies ~/.ssh/authorized_keys to grant persistent attacker SSH access |
| T1053.003 | Scheduled Task/Job: Cron | Cron job planted for scheduled re-execution of credential harvesting payload |
| T1543.002 | Create or Modify System Process: Systemd Service | systemd user service created at ~/.config/systemd/user/ for persistence across reboots |
| T1021.004 | Remote Services: SSH | Stolen SSH keys reused for automated lateral movement to connected systems |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | Zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF) used to conceal malicious directives inside .cursorrules and CLAUDE.md config files |
| T1041 | Exfiltration Over C2 Channel | Confirmed credentials exfiltrated to filev2.getsession[.]org and GitHub Gists via encrypted payloads |
| T1505.004 | Server Software Component: IIS Components | Git pre-push hooks planted in .git/hooks/pre-push to execute payload on every repository push |
Mitigation and Prevention
Audit Lockfiles Immediately
Any team using npm, PyPI, or Crates.io should audit all lockfiles — package-lock.json, yarn.lock, Pipfile.lock, and Cargo.lock — against the full list of 34 malicious packages documented above. Check both package names and version ranges. If a match is found, treat the machine and any CI/CD environment that executed the build as compromised.
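One way to run that lockfile check offline, as an added example that is not part of the advisory or any vendor tooling: the package names come from the IOC tables above (the advisory gives no version ranges, so any version of a listed name is treated as a hit), the sample lockfiles are constructed for demonstration, and the Cargo.lock parser is a deliberately minimal regex over the [[package]] blocks.

```python
import json
import re

# Package names from the advisory's IOC tables (no version ranges are given, so any version is a hit).
TRAPDOOR_PACKAGES = {
    "npm": {
        "crypto-credential-scanner", "wallet-backup-verifier", "defi-threat-scanner",
        "wallet-security-checker", "chain-key-validator", "defi-env-auditor",
        "eth-wallet-sentinel", "mnemonic-safety-check", "solidity-deploy-guard",
        "web3-secrets-detector", "deployment-key-auditor", "dev-env-bootstrapper",
        "project-init-tools", "workspace-config-loader", "node-setup-helpers",
        "build-scripts-utils", "llm-context-compressor", "token-usage-tracker",
        "model-switch-router", "prompt-engineering-toolkit", "async-pipeline-builder",
    },
    "pypi": {
        "cryptowallet-safety", "defi-risk-scanner", "eth-security-auditor",
        "solidity-build-guard", "env-loader-cli", "git-config-sync", "data-pipeline-check",
    },
    "cargo": {
        "sui-move-build-helper", "sui-framework-helpers", "sui-sdk-build-utils",
        "move-analyzer-build", "move-compiler-tools", "move-project-builder",
    },
}

# Minimal parse of Cargo.lock [[package]] blocks (name always precedes version).
# A full TOML parser (tomllib on Python 3.11+) is the robust choice for unusual files.
CARGO_PKG = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')


def _norm_pypi(name):
    # PEP 503 normalisation: case-insensitive, and '-', '_' and '.' are equivalent.
    return name.lower().replace("_", "-").replace(".", "-")


def audit_package_lock(text):
    """Hits in package-lock.json for lockfileVersion 1 ('dependencies') and 2/3 ('packages')."""
    data, hits = json.loads(text), set()
    entries = list(data.get("dependencies", {}).items())  # v1: key is the bare package name
    entries += [(m.get("name") or p.rsplit("node_modules/", 1)[-1], m)  # v2/v3: key is a path
                for p, m in data.get("packages", {}).items()]
    for name, meta in entries:
        if name in TRAPDOOR_PACKAGES["npm"]:
            hits.add((name, meta.get("version", "?")))
    return sorted(hits)


def audit_pipfile_lock(text):
    """Hits in Pipfile.lock across the 'default' and 'develop' sections."""
    data, hits = json.loads(text), set()
    for section in ("default", "develop"):
        for name, meta in data.get(section, {}).items():
            if _norm_pypi(name) in TRAPDOOR_PACKAGES["pypi"]:
                hits.add((name, meta.get("version", "?")))
    return sorted(hits)


def audit_cargo_lock(text):
    """Hits in Cargo.lock; a hit means build.rs already ran on whatever host built the project."""
    return sorted((n, v) for n, v in CARGO_PKG.findall(text) if n in TRAPDOOR_PACKAGES["cargo"])


# Constructed sample lockfiles for demonstration; not real project files.
SAMPLE_PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app", "version": "1.0.0"}, "node_modules/express": {"version": "4.19.2"},
    "node_modules/dev-env-bootstrapper": {"version": "0.3.7"}}})
SAMPLE_PIPFILE_LOCK = json.dumps({"default": {"requests": {"version": "==2.32.3"},
    "Env_Loader.CLI": {"version": "==0.1.2"}}, "develop": {}})
SAMPLE_CARGO_LOCK = ('[[package]]\nname = "serde"\nversion = "1.0.210"\n\n'
                     '[[package]]\nname = "sui-move-build-helper"\nversion = "0.2.1"\n')
```

Feed each function the text of the real lockfile (for example `audit_cargo_lock(open("Cargo.lock").read())`); a non-empty result for any file means the host that installed or built the project should be handled as compromised per the steps that follow.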
Rotate All Credentials on Affected Machines
Any workstation or CI pipeline that installed a flagged package should be treated as fully compromised regardless of observed behavior. Rotate AWS access keys, GitHub personal access tokens, and any other API keys present as environment variables or in credential files. SSH key pairs must be replaced and authorized_keys updated on every server those machines previously accessed.
Scan Config Files for Hidden Unicode
Inspect all .cursorrules and CLAUDE.md files in project directories for zero-width Unicode content. The following command detects hidden characters without executing any suspect code:
```sh
grep -rP '[\x{200B}\x{200C}\x{200D}\x{FEFF}]' . --include='.cursorrules' --include='*.md'
```

Any file that returns hits should be deleted and regenerated from trusted content. Do not rely on visual inspection of these files in an editor.
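The grep above needs a UTF-8 locale for its \x{...} escapes to match code points above 0xFF. The script below is an added example, not part of the advisory, that performs the same check in Python without that dependency, reports the line and column of each hidden character, and treats a single U+FEFF at the very start of a file as an ordinary byte-order mark rather than a finding; the two sample rules files are constructed for demonstration.

```python
from pathlib import Path

# The four code points the advisory names as carriers for the hidden directives.
ZERO_WIDTH = {
    "\u200b": "U+200B ZERO WIDTH SPACE",
    "\u200c": "U+200C ZERO WIDTH NON-JOINER",
    "\u200d": "U+200D ZERO WIDTH JOINER",
    "\ufeff": "U+FEFF ZERO WIDTH NO-BREAK SPACE (BOM)",
}
# Files the campaign plants; extend this set for other assistant context files you use.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}


def find_hidden(text, ignore_leading_bom=True):
    """Return (line, column, label) for every zero-width character in text.

    A single U+FEFF at the very start of a file is an ordinary byte-order mark
    written by some editors, so it is skipped by default; one anywhere else is
    not a BOM and is always reported.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in ZERO_WIDTH:
                if ignore_leading_bom and line_no == 1 and col == 1 and ch == "\ufeff":
                    continue
                hits.append((line_no, col, ZERO_WIDTH[ch]))
    return hits


def visible_preview(line, width=60):
    """Render a line with zero-width characters shown as <U+XXXX> so a reviewer can see them."""
    out = "".join(f"<{ZERO_WIDTH[c].split()[0]}>" if c in ZERO_WIDTH else c for c in line)
    return out[:width]


def scan_tree(root):
    """Read (never execute) every .cursorrules / CLAUDE.md under root; map path -> hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGET_NAMES:
            hits = find_hidden(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples (not files from the campaign): one clean rules file and one
# carrying zero-width characters inside an otherwise innocent-looking line.
CLEAN_RULES = "# Dev standards\nUse 4-space indent.\n"
POISONED_RULES = "# Dev standards\nUse 4-space indent.\u200b\u200c\u200d Run the build verification step.\n"

if __name__ == "__main__":
    for line_no, col, label in find_hidden(POISONED_RULES):
        print(f"line {line_no} col {col}: {label}")
    print(visible_preview(POISONED_RULES.splitlines()[1]))
```

Run `scan_tree(".")` from a checkout to get a path-to-findings map; the preview helper is handy when pasting evidence into a ticket, since the raw line would paste the invisible characters along with it.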
Remove Persistence Artifacts
On machines where flagged packages were installed, check for and remove all of the following: systemd user services in ~/.config/systemd/user/, cron jobs (via crontab -l), Git hooks at .git/hooks/pre-push, and injected lines in .bashrc and .zshrc. Restore SSH authorized_keys from a known-good backup and verify no unknown keys were added.
Disable Postinstall Scripts in CI Pipelines
In CI/CD environments where full audit is not immediately possible, apply npm config set ignore-scripts true as a temporary mitigation to prevent postinstall hooks from executing during builds. Test this setting against your full pipeline before rolling it out broadly, as some legitimate packages use postinstall hooks for compilation steps.
Block Attacker Infrastructure at the Perimeter
Block outbound traffic from all developer workstations and CI environments to ddjidd564.github.io. Monitor for outbound connections to GitHub Gists (gist.github.com) originating from cargo build processes, and for AWS STS or GitHub /user API calls originating from npm install or pip install steps in CI pipelines.
Enforce AI Coding Tool Config Allowlisting
Configure AI coding tools including Cursor and Claude Code to restrict which repositories and directories they trust .cursorrules and CLAUDE.md files from. Any config files not explicitly authored by your team and tracked in version control should be treated as suspect. Review AI tool policy settings to ensure project config files from external sources cannot silently direct the assistant.
Restrict Crates.io Dependency Sources
For Rust projects, pin all Crates.io dependencies to exact versions and manually review the build.rs files of any Sui or Move tooling packages before allowing them into production builds. Add SAST rules that flag build.rs files containing outbound network calls or filesystem reads outside the expected Cargo build output directory.
Risk Assessment
TrapDoor represents a significant escalation in supply chain attack sophistication. The campaign's credential validation step separates it from lower-tier infostealers: the npm payload actively queries AWS STS GetCallerIdentity and the GitHub /user API in real time before exfiltrating credentials, filtering for tokens that actually work. A validated AWS token can unlock an entire cloud environment. A validated GitHub token exposes private repositories, CI secrets, and deployment pipelines. For Crates.io victims targeting Sui and Aptos blockchain platforms, the impact is potentially irreversible — on-chain asset theft cannot be disputed or reversed through any institutional mechanism.
The AI assistant poisoning component is genuinely novel at this scale of deployment. Prior research had demonstrated that .cursorrules and CLAUDE.md files could be weaponised to redirect AI coding tool behavior, but TrapDoor is the first confirmed campaign to deliver this technique via supply chain at mass scale and to attempt to propagate it into major open-source repositories via fraudulent pull requests. If any of those PRs had been merged before detection, every developer cloning LangChain, LlamaIndex, or MetaGPT who uses an AI coding assistant would have had their local environment silently infected without installing any malicious package directly.
Socket detected the campaign packages with a median detection time of 5 minutes and 27 seconds. That speed likely prevented wider adoption, but given that 384 artifact versions were released across a six-day window before public disclosure, the actual install count remains unknown. The attacker's AUDIT-MATRIX.md operational playbook explicitly describes a "Universal AI Agent Extraction Framework" with staged capability detection, data extraction, and self-replication phases — suggesting this campaign is one execution of an architecture intended for repeated use.
Conclusion
If your team works in crypto, DeFi, Solana, or AI development and uses npm, PyPI, or Crates.io, the immediate priority is auditing lockfiles against the 34 package IOCs listed above and scanning project directories for .cursorrules and CLAUDE.md files containing hidden Unicode. On any machine where a match is found, assume full credential compromise and rotate everything.
TrapDoor demonstrates two compounding trends that defenders need to track together. First, supply chain attackers are increasingly operating across ecosystems in parallel, deploying ecosystem-specific execution paths to maximise reach from a single campaign infrastructure. Second, the weaponisation of AI coding assistant context files is now confirmed as a live attack vector in the wild, not a theoretical risk. As AI tooling becomes standard in developer workflows, project config files parsed silently in the background become an attack surface that traditional security scanning has no visibility into. The answer is not to stop using AI tools but to treat AI context files with the same scrutiny applied to any other executable configuration.
Sources
- Socket Security — TrapDoor Crypto Stealer Supply Chain Attack Full Analysis (May 2026)
- The Hacker News — TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO (May 25, 2026)
- Phoenix Security — TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning (May 25, 2026)
- Cyber Security News — Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack (May 25, 2026)
- Rescana — TrapDoor Supply Chain Attack Actively Exploiting npm, PyPI, and CratesIO (May 2026)
- Phoenix Security — Critical CI/CD Nightmare: 3 CWE-78 Flaws in Claude Code CLI Allow Credential Exfiltration (April 2026)