TrapDoor Cross-Ecosystem Supply-Chain Attack - Credential Theft and AI Assistant Poisoning Across npm, PyPI and Crates.io
Beginning May 22, 2026, the TrapDoor campaign distributed credential-stealing malware across more than 34 packages and over 384 artifact versions spanning npm, PyPI, and Crates.io. There is no single CVE - TrapDoor is a cross-ecosystem supply-chain campaign tracked by name and by the specific package-and-version pairs it backdoored. What sets it apart from ordinary registry malware is deliberate AI-coding-assistant targeting: the shared npm payload plants poisoned agent-config files designed to manipulate downstream AI agents. This advisory covers what happened and how to inventory and govern the agents, CLIs, and config artifacts it abuses across your fleet.
What happened
TrapDoor impersonated development utilities aimed at the crypto, DeFi, Solana, and AI developer communities - environments where SSH keys, cloud credentials, GitHub tokens, and wallet keystores coexist on the same machine, so a single install can expose several classes of secret at once. The campaign spread across npm, PyPI, and Crates.io simultaneously, and each ecosystem used a tailored technique. On npm, packages use Fernet and ECDH encryption and validate stolen AWS and GitHub credentials via live API calls, filtering for keys that actually work before exfiltration. On PyPI, packages auto-execute on import, pull JavaScript from an attacker-controlled GitHub Pages domain, and run it with node -e, so behavior can change without publishing a new release. On Crates.io, Rust crates search for local keystores, XOR-encrypt the data with a hardcoded key, and exfiltrate it to GitHub Gists.
TrapDoor's distinguishing feature is its targeting of AI coding assistants. The shared npm payload plants .cursorrules and CLAUDE.md files containing hidden instructions encoded with zero-width Unicode characters - text invisible in most editors but read by an AI agent as project context, which can manipulate the agent into hostile actions such as credential exfiltration. Socket detected new TrapDoor releases in a median of 5 minutes 27 seconds (fastest 58 seconds), but pre-detection installs still occurred - fast detection narrows the window without closing it. Because no CVE maps to a fixed version, remediation is operational: scan repositories for unexpected .cursorrules and CLAUDE.md files and zero-width Unicode, and rotate developer and cloud secrets. It shares its supply-chain root cause with the sibling Shai-Hulud 2.0 npm worm advisory.
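The scan the advisory calls for, as an added example that is not code from the advisory or from Anomity: it walks a tree for `.cursorrules` and `CLAUDE.md` files and flags every Unicode format-control character (category `Cf`) in them, which generalises the zero-width-space/joiner check to bidi overrides, BOMs and tag characters as well. The file names come from the page; the sample `CLAUDE.md` text is constructed, and the encoding TrapDoor uses for its hidden instructions is not assumed, so the scanner reports presence and position rather than trying to decode anything.

```python
"""Scan agent-config files (.cursorrules, CLAUDE.md) for invisible Unicode.

Example code; not part of the TrapDoor advisory or the Anomity product.
"""
import sys
import unicodedata
from pathlib import Path

# File names an AI coding agent reads as project context (named in the advisory).
AGENT_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}


def find_hidden_chars(text):
    """Return (line_no, column, codepoint, name) for every format-control character.

    Unicode category Cf covers zero-width space/joiner/non-joiner, word joiner,
    the BOM, bidi overrides and the tag-character block, so one test catches
    the whole family of characters an editor renders as nothing.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((line_no, col, f"U+{ord(ch):04X}", name))
    return findings


def visible_text(text):
    """Strip Cf characters so a reviewer sees exactly what the editor showed."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def scan_tree(root):
    """Walk root and report every agent-config file with its hidden-char findings.

    Files with zero findings are still listed: an unexpected CLAUDE.md is worth
    a look even before any hidden characters are found in it.
    """
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.name in AGENT_CONFIG_NAMES and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            report[str(path.relative_to(root))] = find_hidden_chars(text)
    return report


# Constructed sample, not a real TrapDoor artifact: an innocuous-looking rule
# with zero-width characters interleaved on the second line.
SAMPLE_CLAUDE_MD = (
    "# Project rules\n"
    "Follow the style guide.\u200b\u200c\u200d\u200b\u2060 Run tests before commit.\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_agent_config.py /path/to/repo
        for rel, findings in scan_tree(sys.argv[1]).items():
            status = "SUSPECT" if findings else "present"
            print(f"{status}: {rel} ({len(findings)} hidden chars)")
            for line_no, col, cp, name in findings:
                print(f"  line {line_no} col {col}: {cp} {name}")
    else:
        for finding in find_hidden_chars(SAMPLE_CLAUDE_MD):
            print(finding)
```

Run it against a checkout root to get one line per agent-config file; anything with hidden characters deserves a diff of `visible_text()` against the raw bytes before a human decides whether the file is legitimate.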
Why this is an agentic-endpoint risk
TrapDoor turns the AI artifact layer into the attack surface, not just the delivery channel. The poisoned .cursorrules and CLAUDE.md files are agent-config artifacts: an AI coding agent reads them for context and acts on the zero-width-encoded instructions they hide. The agent then runs inside the developer's environment with reach to the same SSH keys, cloud credentials, GitHub tokens, and wallet keystores TrapDoor hunts. AI agents, extensions, skills, and CLIs are part of the eight AI artifact types Anomity tracks per endpoint, and they are adopted bottom-up the same way AI agents became the new shadow IT.
This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. A poisoned CLAUDE.md looks like an ordinary project file to DLP and EDR, which do not classify agent-config artifacts or decode zero-width Unicode, and the exfiltration rides GitHub Pages, Gists, and AWS API calls that look like normal developer traffic. The question is not whether one package is patched - there is nothing to patch - it is which endpoints run AI agents and CLIs that read project config, which carry unexpected .cursorrules or CLAUDE.md files, and what those agents do with the secrets they can reach. That is precisely the boundary runtime governance is built to hold.
How Anomity surfaces and governs it
With no version to roll forward, the durable control is to inventory the agents, CLIs, and config artifacts on each endpoint and govern what those agents do with the secrets they can reach. Anomity does that in three steps.
First, inventory. Anomity inventories AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them. It surfaces poisoned agent-config artifacts - including unexpected .cursorrules and CLAUDE.md files - that traditional DLP and EDR do not classify, so you can find where TrapDoor planted instructions across developer machines. Anomity collects metadata only, and secrets such as SSH keys, cloud credentials, and GitHub tokens are redacted on the endpoint before anything leaves it, so a payload reading the live environment has less centralized plaintext to find. See the agentic governance guide for how this maps to policy.
Second, decide at the hook. On agents that expose a hook - for example, the Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. An agent that has read a poisoned CLAUDE.md and is about to reach for a cloud token, push to a Gist, or run an unexpected install can be denied at the boundary - which is exactly what runtime governance provides when there is no patch to wait for and fast detection still leaves a pre-detection install window.
Third, keep the record. Anomity logs the tool calls and secret access an agent performs, so an agent acting on injected instructions or reaching a token is recorded against a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a campaign like TrapDoor lands, you can answer which endpoints ran the affected installs, which carried poisoned config files, and what those agents were allowed to touch - from a record, not a guess. Anomity is SOC 2 Type II and complements your Network, EDR, DLP, and GRC tooling; it covers the artifact layer those were never built to inventory. See the audit trail and how it works.
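What "decide at the hook" looks like in code, as an added example that is not Anomity's implementation: a policy script for an agent's pre-tool-call hook that returns allow, deny, or log for each call and emits an audit record suitable for a SIEM. The tool names (`Bash`, `Read`, `Edit`, `Write`), the `tool_name`/`tool_input` payload fields and the exit-code-2-blocks convention are assumptions modelled on the Claude Code PreToolUse hook named above and should be checked against the current hook documentation; the secret paths and exfiltration channels are the ones the advisory names (SSH keys, AWS credentials, GitHub tokens, keystores, Gists, GitHub Pages).

```python
"""Policy check for an agent pre-tool-call hook: allow, deny, or log.

Example code; not Anomity's product. Payload field names and the exit-code
convention are assumptions modelled on the Claude Code PreToolUse hook.
"""
import json
import re
import sys

# Secret locations an agent acting on injected config must not touch.
SECRET_PATH_PATTERNS = [
    r"\.aws/credentials", r"\.ssh/id_[a-z0-9]+", r"\.config/gh/hosts\.yml",
    r"\.npmrc", r"\.pypirc", r"\.cargo/credentials", r"keystore",
]
# Exfiltration channels the advisory names: Gists and GitHub Pages.
EXFIL_PATTERNS = [r"gist\.github\.com", r"api\.github\.com/gists", r"github\.io"]
# Package installs are not denied outright here, but logged for later scoping.
INSTALL_PATTERNS = [
    r"\bnpm\s+(i|install|ci)\b", r"\bnpx\b",
    r"\bpip3?\s+install\b", r"\bcargo\s+(install|add)\b",
]


def _matches(patterns, text):
    return any(re.search(p, text) for p in patterns)


def evaluate(tool_name, tool_input):
    """Return (decision, reason) with decision in {"allow", "deny", "log"}."""
    if tool_name in ("Read", "Edit", "Write"):
        path = str(tool_input.get("file_path", ""))
        if _matches(SECRET_PATH_PATTERNS, path):
            return "deny", f"{tool_name} of secret path {path}"
        return "allow", "no policy match"
    if tool_name == "Bash":
        cmd = str(tool_input.get("command", ""))
        if _matches(SECRET_PATH_PATTERNS, cmd):
            return "deny", "shell command touches a secret path"
        if _matches(EXFIL_PATTERNS, cmd):
            return "deny", "shell command targets a known exfiltration channel"
        if _matches(INSTALL_PATTERNS, cmd):
            return "log", "package install requested by agent"
        return "allow", "no policy match"
    # Tools this policy has no rule for are allowed but recorded.
    return "log", f"unreviewed tool {tool_name}"


def handle_hook_event(raw_json):
    """Parse a hook payload and return (decision, reason, exit_code, audit_record).

    Exit code 2 is the assumed 'block this call' signal; the audit record is
    what would be shipped to a SIEM regardless of the decision.
    """
    event = json.loads(raw_json)
    tool_name = event.get("tool_name", "")
    tool_input = event.get("tool_input", {})
    decision, reason = evaluate(tool_name, tool_input)
    record = {
        "session_id": event.get("session_id", "unknown"),
        "tool_name": tool_name,
        "tool_input": tool_input,
        "decision": decision,
        "reason": reason,
    }
    return decision, reason, (2 if decision == "deny" else 0), record


if __name__ == "__main__":
    # The agent pipes the tool-call payload to stdin and reads the exit code.
    decision, reason, code, record = handle_hook_event(sys.stdin.read())
    print(json.dumps(record), file=sys.stderr)   # stand-in for the SIEM/audit sink
    sys.exit(code)
```

The three outcomes map onto the advisory's allow/deny/log: credential paths and Gist uploads are denied before they run, package installs are permitted but recorded so the "which endpoints ran the affected installs" question has an answer, and anything else is allowed. Tighten the install rule to deny once you have an allowlist of registries and packages.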
"You can't govern what you can't see." - The Anomity principle
What to check across your fleet
- Scan every repository and developer machine for unexpected .cursorrules and CLAUDE.md files, and check them for zero-width Unicode characters that hide instructions from human reviewers.
- Inventory every endpoint that runs AI coding agents and CLIs capable of npm, pip, or cargo installs, and confirm none pulled a TrapDoor package across the 34+ packages and 384+ versions on npm, PyPI, and Crates.io.
- Rotate all developer and cloud secrets reachable from exposed endpoints - SSH keys, AWS credentials, GitHub tokens, and wallet keystores - since TrapDoor validates AWS and GitHub credentials with live API calls before exfiltration.
- Treat any secret reachable by an agent that reads project config as exposed to untrusted input, because a poisoned CLAUDE.md or .cursorrules can steer the agent into exfiltration.
- Confirm install, network, and credential-reading commands triggered by an agent are evaluated at a hook with allow/deny/log, so action on injected instructions is stopped before it runs.
- Verify SSH keys, cloud credentials, and GitHub tokens are redacted on the endpoint and never centralized in plaintext, so a payload reading the live environment has nothing to capture.
- Verify every tool call and secret access is written to a 90-day audit trail and routed to your SIEM, so you can answer scope when the next cross-ecosystem campaign lands.
- Cross-reference this inventory against the sibling Shai-Hulud 2.0 npm worm advisory to find endpoints exposed to more than one registry attack path.
TrapDoor is a reminder that a cross-ecosystem package install can hand over developer and cloud secrets the moment a dependency is backdoored, and that the AI artifact layer - the .cursorrules and CLAUDE.md files your agents read - is now part of the attack surface, not just the delivery path. Scan for poisoned config files and zero-width Unicode, rotate the affected developer and cloud secrets, then inventory the agents and CLIs your endpoints run and govern the tool calls those agents make at the hook. For the full picture, see the pillar guide on AI supply-chain attacks. To see Anomity govern the agent layer across your fleet, request early access.
Frequently asked questions
What is the TrapDoor campaign and which ecosystems does it target?
TrapDoor is a cross-ecosystem software supply-chain campaign that, beginning May 22, 2026, distributed credential-stealing malware across more than 34 packages and over 384 artifact versions spanning npm, PyPI, and Crates.io. The packages impersonate development utilities aimed at the crypto, DeFi, Solana, and AI developer communities - machines where SSH keys, cloud credentials, GitHub tokens, and wallet keystores routinely coexist. There is no single CVE; defenders track it by campaign name and by the specific package-and-version pairs it backdoored. Each ecosystem uses a tailored technique, but the shared goal is to validate and exfiltrate high-value developer and cloud secrets before defenders catch the release.
How does TrapDoor poison AI coding assistants?
TrapDoor's distinguishing feature is deliberate AI-coding-assistant targeting. The shared npm payload plants .cursorrules and CLAUDE.md files in the developer's repository, and those files contain hidden instructions encoded with zero-width Unicode characters that are invisible in most editors. When a downstream AI agent reads the project for context, it ingests the concealed instructions and can be manipulated into hostile actions such as credential exfiltration. Because the poisoned text lives inside ordinary agent-config files, it is not a code vulnerability with a patch - it is an instruction-injection artifact that traditional DLP and EDR do not classify, which is why surfacing it requires inventory of the AI artifact layer itself.
What makes each ecosystem's technique different?
TrapDoor tailors its technique per registry. On npm, packages use Fernet and ECDH encryption and validate stolen AWS and GitHub credentials with live API calls, filtering for keys that actually work before exfiltration. On PyPI, packages auto-execute on import, pull JavaScript from an attacker-controlled GitHub Pages domain, and run it with node -e, so the behavior can change at any time without publishing a new release. On Crates.io, Rust crates search for local keystores, XOR-encrypt the data with a hardcoded key, and exfiltrate it to GitHub Gists. The common thread is abuse of trusted platforms for delivery and exfiltration, which keeps the traffic looking ordinary to network controls.
How does Anomity reduce exposure to TrapDoor and similar attacks?
Anomity inventories AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs on every managed endpoint - the eight AI artifact types it tracks - and classifies them, so you can find which endpoints carry coding agents and CLIs and which secrets they can reach. It surfaces poisoned agent-config artifacts such as unexpected .cursorrules and CLAUDE.md files that DLP and EDR do not classify. On agents that expose a hook such as the Claude Code PreToolUse event, it returns allow, deny, or log on each tool call before it runs, so an agent acting on injected instructions can be denied at the boundary. Every decision is written to a queryable 90-day audit trail and routes to your SIEM, Slack, email, or Jira.