Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: crates-io (1 article)Clear

TrapDoor cross-ecosystem supply chain hits npm, PyPI, Crates.io with 34+ malicious packages; plants .cursorrules and CLAUDE.md to trick AI assistants

Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens via API, and persists via cron, systemd, Git hooks, shell rcfiles, and SSH; Rust crates use build.rs to trigger; Python packages auto-execute on import to fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.

Check
Search npm, pip, and cargo install logs across CI/CD and developer machines for any of the 34+ TrapDoor packages. Check repos for unsolicited .cursorrules or CLAUDE.md additions in PRs.
Affected
Crypto, DeFi, Solana, and AI developers who install packages by name without lockfile pinning. Users of AI coding assistants (Cursor, Claude) that read .cursorrules or CLAUDE.md.
Fix
Pin via lockfiles. Block ddjidd564.github[.]io at egress. Audit .cursorrules and CLAUDE.md across repos. Configure AI coding assistants to require explicit confirmation before running arbitrary commands from project files.