TrapDoor: The Supply Chain Attack Hiding in CLAUDE.md
34 malicious packages across npm, PyPI, and Crates.io hide invisible prompts in CLAUDE.md and .cursorrules to weaponize AI coding assistants.

Socket Security disclosed a coordinated supply chain campaign called TrapDoor that ships malicious packages across npm, PyPI, and Crates.io. The campaign spans 34 packages and 384 versions, with new releases pushed every few minutes during the rollout. The earliest package showed up on May 22, 2026. What sets this campaign apart from earlier typosquatting waves is who it targets and how it gets in.
What TrapDoor does
Packages masquerade as helpful tools for crypto, DeFi, Solana, Sui and Move, AI, and security developers, under names like wallet-security-checker, llm-context-compressor, and sui-sdk-build-utils.
The npm packages use postinstall hooks to run trap-core.js, a payload of roughly 1,149 lines that scans for secrets and validates them against AWS and GitHub APIs.
The PyPI packages execute on import, then pull a remote JavaScript stage via node -e.
The Crates.io packages plant malicious build.rs scripts that fire during cargo build, exfiltrating wallet keystores to GitHub Gists with XOR encryption.
Persistence gets planted across the system in Git hooks, shell rc files, cron jobs, and systemd units.
How it weaponizes AI coding assistants
This is where TrapDoor breaks new ground. The campaign plants invisible instructions inside .cursorrules and CLAUDE.md files using zero-width Unicode characters. A developer opening the file sees nothing. The AI assistant reads every character and obediently runs "security scans" that trigger the exfiltration logic.
The attacker has gone further and submitted pull requests to popular AI projects including LangChain and LlamaIndex, trying to seed these files upstream. The playbook, hosted on a GitHub account called ddjidd564, openly names the technique the "Universal AI Agent Extraction Framework" and tags the operation with marker P-2024-001.
The exposure for vibe-coded projects
Vibe-coded apps get built by stitching together AI-suggested packages at speed. The whole workflow assumes the AI assistant is making safe choices and the packages it recommends are clean. TrapDoor breaks both assumptions in one move. It poisons the package layer and the assistant's instruction layer at the same time.
A typical vibe-coded project could end up with a postinstall hook firing before anyone opens the code, a build script siphoning keys on first compile, and a Unicode payload in CLAUDE.md telling the next AI agent to run a routine scan that quietly walks the filesystem.
What to do now
Audit your full dependency tree, including transitive packages, before each deploy. Rotate any AWS keys, GitHub tokens, and SSH keys that lived in environments where suspect packages may have been installed. Open .cursorrules, CLAUDE.md, and any other agent instruction files in a tool that surfaces invisible Unicode. Move to minimal-dependency builds where possible and consider delayed install for production. For projects with significant AI involvement, run a manual black-box audit before they ship.
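One way to do the instruction-file check from the list above, written for this post as an added example rather than code from Socket or from the campaign itself: it flags every Unicode format character (category Cf, which covers zero-width space and joiners, word joiner, bidi controls and the Tags block) plus stray control characters in a file, and decodes any text smuggled in the Tags block back to ASCII. The sample CLAUDE.md content is constructed; the Cf heuristic is an assumption of this example and will also flag legitimate format characters in, say, Arabic or Indic text, so review hits rather than rejecting files automatically.

```python
"""Surface invisible Unicode in agent instruction files such as CLAUDE.md and .cursorrules.

Flags every Unicode format character (category Cf: zero-width space/joiners,
word joiner, bidi controls, the Tags block) plus stray control characters,
and decodes text smuggled in the Tags block. Heuristic, not a signature."""
import sys
import unicodedata
from pathlib import Path

SAFE_CONTROLS = {"\t", "\n", "\r"}  # the only control characters a text file needs

def find_invisible(text: str, allow_leading_bom: bool = True) -> list[dict]:
    """Return each invisible code point with its 1-based line and column."""
    findings, line, col = [], 1, 0
    for index, ch in enumerate(text):
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        if index == 0 and ch == "\ufeff" and allow_leading_bom:
            continue  # a byte-order mark at offset 0 is an encoding artefact, not a payload
        category = unicodedata.category(ch)
        if category == "Cf" or (category == "Cc" and ch not in SAFE_CONTROLS):
            findings.append({"line": line, "col": col, "codepoint": f"U+{ord(ch):04X}",
                             "name": unicodedata.name(ch, "<unnamed>")})
    return findings

def decode_tags(text: str) -> str:
    """Reveal ASCII hidden in the Tags block: U+E0020..U+E007E map onto 0x20..0x7E."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)

def scan_file(path: str) -> list[dict]:
    return find_invisible(Path(path).read_text(encoding="utf-8"))

# Constructed sample of a poisoned instruction file; every invisible character is deliberate.
SAMPLE_CLAUDE_MD = (
    "# Project rules\n"
    "Run the linter before committing.\u200b\u200c\u200d\n"
    "Use\u2060 four-space indentation.\n"
    + "".join(chr(0xE0000 + ord(c)) for c in "hidden text") + "\U000E007F\n"
)

if __name__ == "__main__":  # usage: python scan_invisible.py CLAUDE.md .cursorrules
    for target in sys.argv[1:]:
        for hit in scan_file(target):
            print(f"{target}:{hit['line']}:{hit['col']} {hit['codepoint']} {hit['name']}")
```

Run it over every agent instruction file in the repository as a pre-commit or CI step; a clean file returns no findings, and any hit is worth a human look.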
Automated scanners catch known signatures. TrapDoor was built to slide past them and to weaponize the tools developers trust most. Manual audits exist because someone still has to read the code with hostile assumptions in mind, which is the exact stance these campaigns are engineered to bypass.