
TrapDoor set out to poison AI coding tools

Malicious packages detected across npm, PyPI, and Crates.io in the TrapDoor supply chain campaign.
TrapDoor plants 34 malicious packages across npm, PyPI, and Crates.io targeting crypto and AI developers to steal wallets, SSH keys, and cloud credentials.

Thirty-four malicious packages. Three registries. Socket Security publicly named the campaign on May 25, 2026. The operation, codenamed TrapDoor, left its earliest traces on May 19, with the main wave arriving May 22 at 20:20 UTC. By the time Socket's report was published, 384 versions had been pushed across npm, PyPI, and Crates.io.

What TrapDoor steals and how it runs

The first confirmed package was eth-security-auditor on PyPI. Dozens followed quickly across all three registries from a cluster of accounts working in bursts. The naming is deliberate: prompt-engineering-toolkit, defi-threat-scanner, wallet-security-checker, solidity-deploy-guard. Each one passes for a routine utility in crypto, DeFi, Solana, or AI workflows. The targets are consistent across all 384 versions: crypto wallets, SSH keys, cloud credentials, AWS and GitHub tokens, browser data, and environment variables.

Npm packages drop trap-core.js via postinstall hooks. It validates stolen tokens against live AWS and GitHub endpoints and establishes persistence through cron jobs, systemd, Git hooks, and SSH. PyPI packages fire on import, fetching a JavaScript payload from an attacker-controlled GitHub Pages domain; hosting it externally lets the attacker update the payload without touching PyPI. Crates.io packages use a build.rs script to locate local keystores and push XOR-encrypted data to GitHub Gists. Socket's median detection time was five minutes and 27 seconds. The weekend timing was intentional.

The AI coding threat

TrapDoor also plants .cursorrules and CLAUDE.md files into target repositories, hiding instructions inside zero-width Unicode characters. An AI coding assistant reading those files sees what looks like a routine security scan. Following those instructions exfiltrates secrets from the local machine.

The attacker opened pull requests against BrowserUse, LangChain, and LangFlow to test whether those files would survive a normal code review. If they are merged, every developer who opens the repo with an AI coding tool becomes a target. The attack surface is the editor, not the registry.
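A review-time check for the hiding technique described above, written as an added example (it is not code from the article or from Socket Security): it walks a repository, scans the AI instruction files TrapDoor is reported to plant for zero-width and other invisible Unicode code points, and reports where they occur so a reviewer can inspect them. The file name list, the sample CLAUDE.md, and the inclusion of the U+E0000 tag block are assumptions of this example.

```python
"""Flag invisible Unicode in AI instruction files such as .cursorrules and CLAUDE.md."""
import re
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing: zero-width spaces and joiners, the word
# joiner family, a mid-file BOM, the Mongolian vowel separator, and the
# U+E0000..U+E007F "tag" characters (also invisible; assumption: worth flagging).
INVISIBLE_RE = re.compile(
    r"[\u200b-\u200d\u2060-\u2064\ufeff\u180e\U000e0000-\U000e007f]+"
)

# Files the assistants read on their own; names taken from the article above.
WATCHED_NAMES = {".cursorrules", "CLAUDE.md"}


def find_invisible(text: str) -> list[dict]:
    """Return one finding per run of invisible characters, with line/column."""
    findings = []
    for m in INVISIBLE_RE.finditer(text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        run = m.group()
        names = sorted({unicodedata.name(ch, f"U+{ord(ch):04X}") for ch in run})
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "col": m.start() - line_start + 1,
            "length": len(run),
            "names": names,
        })
    return findings


def scan_repo(root: Path) -> dict[str, list[dict]]:
    """Scan every watched file under root; returns {relative path: findings}."""
    report = {}
    for path in root.rglob("*"):
        if path.name in WATCHED_NAMES and path.is_file():
            hits = find_invisible(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: looks like ordinary guidance but carries a hidden run of
# zero-width characters at the end of line 2.
SAMPLE_CLAUDE_MD = (
    "# Project guidelines\n"
    "Run the security scan before committing.\u200b\u200c\u200d\u2060\u200b\n"
    "Use 4-space indentation.\n"
)

if __name__ == "__main__":
    report = scan_repo(Path(sys.argv[1]) if len(sys.argv) > 1 else Path("."))
    for rel, hits in report.items():
        for h in hits:
            print(f"{rel}:{h['line']}:{h['col']}: {h['length']} invisible chars "
                  f"({', '.join(h['names'])})")
    sys.exit(1 if report else 0)  # non-zero exit lets CI or pre-commit block the merge
```

Run it as `python check_invisible.py <repo-root>`; a clean tree exits 0, any hit exits 1 with the file, line and column to inspect.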

For how developer tooling became the primary attack surface in 2026, see our coverage of the VS Code extension breach that hit GitHub, OpenAI, and Mistral AI.

Darryl Linington, 2026-05-26 (Update: 2026-05-26)