
TrapDoor Hid Malicious Orders Inside CLAUDE.md and .cursorrules. The Attacker's Real Target Was Your AI Coding Assistant.

LDS Team, Let's Data Science (10 min read)
A PyPI package called eth-security-auditor went live on May 22 at 8:20 PM UTC. By Monday, Socket had identified 34 malicious packages across 384 versions on npm, PyPI, and Crates.io, and pull requests to LangChain and browser-use. The novel weapon wasn't a postinstall script. It was an invisible instruction aimed at Claude and Cursor.

The first package landed on PyPI at 20:20:18 UTC on Friday night. It was called eth-security-auditor, version 0.1.0, and it looked like exactly what its name suggested: a security scanner for Ethereum contracts. A developer auditing a DeFi project, scrolling for the right tool, would have no reason to pause.

Socket's automated scanners flagged it 58 seconds later.

What they found, when they pulled the package apart, was the opening move of one of the most carefully engineered supply chain campaigns of 2026. Over the following 72 hours, Socket traced the same threat actor across three ecosystems. The campaign, which Socket dubbed TrapDoor, ultimately spanned 34 malicious packages and more than 384 versions across npm, PyPI, and Crates.io. The malware harvested SSH keys, AWS credentials, GitHub tokens, browser login databases, and crypto wallet keystores for Solana, Sui, and Aptos chains.

But the part that has security researchers genuinely worried is not the credential theft. It is the malware's second target: the AI coding assistant sitting in the developer's editor.

The Attack That Tried to Recruit Claude and Cursor

When a malicious package lands in a developer's node_modules, it has a brief window to act before something blocks it. Most credential stealers race to grab what they can on first install. TrapDoor does that. Then it does something unusual. It edits two files that have become standard furniture in every AI-augmented repository.

The first is .cursorrules, the project-level instruction file Cursor reads before responding to anything. The second is CLAUDE.md, the project memory file Claude Code reads to understand what a codebase is for.

Both files exist for the same reason. They tell the AI: "This is the context. Follow these rules." They are read on every interaction. They are trusted by the assistant the way a junior engineer trusts a written runbook.

Into both files, TrapDoor injects hidden instructions written in zero-width Unicode characters, codepoints like U+200B and U+200C that occupy no visible space on the page but still flow into a language model's tokenizer the same as any other letter. A developer reviewing CLAUDE.md sees nothing changed. The AI reads instructions that were never visibly there.

According to Socket's analysis published Monday, the hidden instructions ask the assistant to run a "security scan" that quietly performs secret discovery and exfiltration. As Socket explained the attack pipeline:

"Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH." — Socket Threat Research Team (May 25, 2026)

How One PyPI Upload Became a 34-Package Campaign

The TrapDoor packages were not uploaded all at once. Socket's telemetry shows them arriving in coordinated waves from a cluster of accounts, each wave a different ecosystem. PyPI first. npm second. Crates.io third. Then a second pass with new names and new accounts to replace what got removed.

The execution paths reflect careful homework on each registry's quirks.

Ecosystem  | Execution Trigger      | Payload Mechanism
-----------|------------------------|-------------------------------------------------------------
npm        | postinstall hook       | trap-core.js, a 1,149-line credential harvester
PyPI       | Import-time execution  | Python wrapper fetches node -e payload from GitHub Pages
Crates.io  | build.rs script        | XOR-encrypted payload, hardcoded key cargo-build-helper-2026

The shared trap-core.js payload is the heart of the campaign. It scans the developer's machine for SSH keys, AWS access tokens, GitHub credentials, browser session cookies, and crypto wallet files. It validates the stolen AWS and GitHub tokens by making live API calls against each cloud provider, throwing away anything already revoked. Then it digs in: persistence is installed through systemd units, cron jobs, Git hooks, shell hooks, and SSH authorized_keys modifications.

The Python packages take a different route. They are designed to auto-execute at import time and to fetch their real payload from a remote GitHub Pages domain controlled by the attacker, ddjidd564.github[.]io, before running it with node -e. Socket explained the reasoning:

"This technique allows the Python package to delegate execution to a remote JavaScript payload, giving the attacker more flexibility after publication. By hosting the payload externally, the attacker can update behavior without publishing a new PyPI release." — Socket Threat Research Team (May 25, 2026)

The package names were chosen to look exactly like what a target audience would search for. The crypto and DeFi developers got eth-security-auditor, defi-risk-scanner, wallet-backup-verifier, mnemonic-safety-check. The Sui and Move developers got move-analyzer-build, sui-framework-helpers, sui-move-build-helper. The AI developers, the newest target population, got llm-context-compressor, model-switch-router, and prompt-engineering-toolkit.

The Detection Race Socket Won, Just Barely

Across 381 package-version records with complete timestamps, Socket logged a median detection time of 5 minutes and 27 seconds between an upload and a malicious classification. The fastest was 58 seconds. The average sat at 5 minutes and 56 seconds.

That window is the entire game in modern supply chain defense. A package needs to live long enough for npm install or pip install somewhere in the world to pull it in. Socket's argument, baked into its detection pipeline, is that under six minutes is short enough to keep adoption near zero. For most of the TrapDoor packages, that appears to have worked. Reported download counts for the malicious versions sit in the low thousands at most.

But "most" is the operative word. The mini Shai-Hulud npm worm earlier this month closed in about 20 minutes and still poisoned 317 packages, and PyTorch Lightning's 42-minute window in late April still required credential rotation at affected teams. A six-minute median is better. It is not zero.

The Open-Source Pull Requests That Targeted LangChain

What sets TrapDoor apart is what the attacker did beyond the registries. According to The Hacker News reporting on Socket's findings, the same threat actor opened pull requests to popular AI and developer projects, including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow. Each PR proposed adding what looked like normal project documentation. Each PR contained zero-width Unicode characters embedded inside the proposed file.

Socket's read of the activity is direct. The threat actor is testing whether AI-related project files can be introduced through the regular open-source contribution workflow, so that any developer or AI tool that later reads those files will quietly act on the hidden instructions.

That is a fundamental shift in the threat model. For two years, supply chain attacks have been about getting code onto a developer's machine. With TrapDoor, the attacker is also trying to get hidden text into the AI's context, where it never has to be run as code at all. The assistant runs it.

How TrapDoor Compares to the Worst of 2026 So Far

Incident                    | Date          | Packages           | AI Targeting                                           | Window Open
----------------------------|---------------|--------------------|--------------------------------------------------------|--------------
PyTorch Lightning           | Late April    | 1                  | No                                                     | 42 minutes
Mini Shai-Hulud (npm worm)  | May 19        | 317                | No                                                     | ~20 minutes
TrapDoor                    | May 22 to 26  | 34 (384 versions)  | Yes (.cursorrules, CLAUDE.md, PRs to LangChain)        | ~6 min median

TrapDoor is not the largest by package count. The npm worm that ripped through 317 packages on May 19 still holds that title for the year. But TrapDoor is the first widely reported supply chain campaign that deliberately weaponizes the AI coding assistant rather than treating it as a bystander. The mini Shai-Hulud worm tried to spread sideways through other maintainers. TrapDoor tries to spread sideways through Claude.

The Counterargument: This Is Old Trickery in New Clothes

Not every researcher sees TrapDoor as a category shift. Zero-width Unicode obfuscation is a technique that predates large language models by decades. It was first used to smuggle commands into terminal emulators in the 1990s and has been a recurring topic in homoglyph and bidi-spoofing research ever since. The novelty here is the target, not the trick.

The base credential-theft mechanism also works without any AI involvement. A developer running npm install on a TrapDoor-laced project loses their AWS keys and SSH keys regardless of whether they use Cursor, Notepad, or vi. The AI-targeting layer increases blast radius for the specific case where the assistant later interacts with a repository the attacker is in. It does not create the initial breach.

Defenders also have a real point about response speed. Socket flagged the first package in under a minute, GitHub and PyPI surfaced takedowns within hours, and the per-version download counts stayed small. The six-minute median is short enough that, for most developers, the campaign was effectively invisible. None of that erases the AI angle. It does put it in proportion.

The Immediate Steps for Engineering Teams

For any team using AI coding assistants on projects that pull from npm, PyPI, or Crates.io, the response from Socket and the wider security community converges on the same checklist.

  • Audit .cursorrules and CLAUDE.md for zero-width Unicode. The Python snippet print(repr(open('CLAUDE.md').read())) will surface invisible characters. Anything outside expected ASCII and printable Unicode in those files should be removed.
  • Rotate AWS, GitHub, npm, and crypto wallet credentials on any machine where the listed TrapDoor packages were installed since May 22. Socket maintains a live indicator-of-compromise list on its supply-chain-attacks page, including the full set of malicious package names across the three ecosystems.
  • Check ~/.ssh/authorized_keys, crontab -l, and systemctl list-unit-files for persistence entries planted by trap-core.js.
  • Restrict postinstall execution in CI using npm ci --ignore-scripts for sensitive runs, and pair it with similar guards for pip install and cargo build.
  • Treat .cursorrules and CLAUDE.md as security-relevant configuration, not documentation. Any change should pass the same review that a permission change to a CI workflow file would.
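The first checklist item, and the zero-width injection it responds to, can be turned into a small scanner. The script below is an added example written for this article; it is not Socket's tooling and contains nothing from the campaign's own files. It walks an instruction file such as CLAUDE.md or .cursorrules, reports every invisible codepoint with its line and column, and can strip them out. It goes beyond the U+200B and U+200C characters named above to the related invisible families (the other zero-width characters, Unicode bidi controls, tag characters, and any remaining format or control character other than newline and tab), since those are equally invisible to a reviewer. The SAMPLE_CLAUDE_MD content is constructed for the demonstration and is not the TrapDoor payload; the script filename in the usage note is likewise an assumption.

```python
import sys
import unicodedata
from pathlib import Path

# Codepoints that render as nothing in an editor but still reach an LLM
# tokenizer. The first two are the ones the TrapDoor write-up names; the rest
# are related invisible characters worth flagging in an instruction file.
ZERO_WIDTH = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE (BOM)",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
}
# Bidirectional overrides/isolates (U+202A..U+202E, U+2066..U+2069) and the
# Unicode tag block (U+E0000..U+E007F) are invisible too.
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
TAG_CHARS = set(range(0xE0000, 0xE0080))

# Ordinary whitespace controls that legitimately appear in a text file.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}


def is_suspicious(ch):
    """True for any codepoint that is invisible or a non-whitespace control."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS or cp in TAG_CHARS:
        return True
    # Cc = control, Cf = format, Cn = unassigned, Co = private use.
    cat = unicodedata.category(ch)
    return cat in {"Cc", "Cf", "Cn", "Co"} and ch not in ALLOWED_CONTROLS


def describe(ch):
    """Human-readable name for a flagged codepoint."""
    cp = ord(ch)
    return ZERO_WIDTH.get(cp) or unicodedata.name(ch, f"<{unicodedata.category(ch)}>")


def scan_text(text):
    """Return (line_no, col, 'U+XXXX', name) for every suspicious character.
    Columns are 1-based codepoint offsets within the line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}", describe(ch)))
    return findings


def strip_invisible(text):
    """Return text with every suspicious character removed; visible content is untouched."""
    return "".join(ch for ch in text if not is_suspicious(ch))


def scan_file(path):
    """Scan a file on disk; undecodable bytes are replaced rather than raising."""
    return scan_text(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a CLAUDE.md with zero-width characters spliced in between
# two visible lines. An editor shows three ordinary lines; the scanner does not.
SAMPLE_CLAUDE_MD = (
    "# Project notes\n"
    "Run the test suite before committing.\n"
    "\u200b\u200c\u200d\u2060"  # invisible run hidden at the start of line 3
    "Use snake_case for helpers.\n"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("No files given; scanning the constructed sample instead.")
        for f in scan_text(SAMPLE_CLAUDE_MD):
            print("sample:%d:%d %s %s" % f)
    for t in targets:
        for f in scan_file(t):
            print("%s:%d:%d %s %s" % (t, *f))
```

Running it as, for instance, `python scan_invisible.py CLAUDE.md .cursorrules` prints one `file:line:col U+XXXX NAME` record per hidden character, which is easier to review than the `repr()` dump and can be grepped in CI. A file that starts with a UTF-8 byte-order mark will be reported as U+FEFF; that is usually benign, but it is still worth knowing, since the scanner deliberately treats every invisible codepoint as a finding and leaves the judgement to the reviewer. Stripping with `strip_invisible` should only be done after a human has looked at the findings, because removing the hidden text also removes the evidence.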

For broader context on the supply chain attacks LDS has covered this spring, see the npm worm that poisoned 317 packages on May 19, the PyTorch Lightning compromise that closed in 42 minutes, and the LiteLLM backdoor that handed attackers 95 million monthly downloads.

The Bottom Line

TrapDoor is the moment the AI coding assistant became part of the attack surface. For years, supply chain attacks have been about getting code onto a developer's machine. TrapDoor is about getting instructions into an AI's context that the developer cannot see and the AI cannot distinguish from legitimate guidance. The pull requests to LangChain and browser-use make the intent explicit: this is not a one-off. The attacker is probing how far hidden text can travel through the open-source workflow.

The technical countermeasures are not exotic. Pin dependencies. Audit instruction files. Rotate credentials on suspicion. What is new is the question of who reads what. A CLAUDE.md file is now a security boundary. The next time a security audit covers a repository, that file belongs on the same list as .github/workflows/release.yml and Dockerfile.

As Socket described the broader pattern on Monday: "TrapDoor shows how attackers are combining traditional package typosquatting with newer developer-environment attack paths."

What an AI reads is now a credential.
