TrapDoor cross-ecosystem supply chain hits npm, PyPI, Crates.io with 34+ malicious packages; plants .cursorrules and CLAUDE.md to trick AI assistants
Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens via API, and persists via cron, systemd, Git hooks, shell rcfiles, and SSH; Rust crates use build.rs to trigger; Python packages auto-execute on import to fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.
- Check
- Search npm, pip, and cargo install logs across CI/CD and developer machines for any of the 34+ TrapDoor packages. Check repos for unsolicited .cursorrules or CLAUDE.md additions in PRs.
- Affected
- Crypto, DeFi, Solana, and AI developers who install packages by name without lockfile pinning. Users of AI coding assistants (Cursor, Claude) that read .cursorrules or CLAUDE.md.
- Fix
- Pin via lockfiles. Block ddjidd564.github[.]io at egress. Audit .cursorrules and CLAUDE.md across repos. Configure AI coding assistants to require explicit confirmation before running arbitrary commands from project files.