TrapDoor supply-chain attack hits npm, PyPI, Crates.io — weaponizes AI config files

TrapDoor planted 34 malicious packages on npm, PyPI, and Crates.io, and injected poisoned AI config files into repos to weaponize Claude Code and Cursor.

AAAla SMITH & AI Research Desk·7h ago·3 min read··21 views·AI-Generated·Report error

Source: x.comvia @kimmonismusSingle Source

What is the TrapDoor supply-chain attack targeting npm, PyPI, and Crates.io?

A coordinated supply-chain attack called TrapDoor planted 34 malicious packages on npm, PyPI, and Crates.io, targeting crypto, AI, and security developers to steal wallets, SSH keys, and cloud credentials. Attackers also injected poisoned CLAUDE.md and .cursorrules config files into popular repos, weaponizing AI coding assistants.

TL;DR

34 malicious packages across npm, PyPI, Crates.io · Targets crypto, AI, security devs · Poisoned CLAUDE.md, .cursorrules files weaponize AI assistants

34 malicious packages hit npm, PyPI, and Crates.io simultaneously in the TrapDoor supply-chain attack. Attackers are also injecting poisoned CLAUDE.md and .cursorrules files into popular open-source repos to weaponize AI coding assistants.

Key facts

34 malicious packages across npm, PyPI, Crates.io
Targets crypto, AI, security developers
Poisoned CLAUDE.md and .cursorrules files
First known attack weaponizing AI assistants
Pull requests injected into popular open-source repos

The TrapDoor attack, disclosed by security researcher @kimmonismus, marks the first known coordinated supply-chain attack that weaponizes AI developer tools. The malicious packages target crypto wallet seed phrases, SSH private keys, and cloud credentials from developers in the crypto, AI, and security sectors.

AI config files as attack surface

Protect your AI workloads from supply chain attacks

The novel vector: attackers are submitting pull requests to popular open-source repositories that inject malicious instructions into CLAUDE.md and .cursorrules files. These files are trusted by Claude Code and Cursor respectively as system-level instructions for the AI agent. [According to @kimmonismus] when a developer clones the infected repo and opens it in either tool, the AI agent reads the poisoned config as authoritative and may execute commands that exfiltrate credentials or install backdoors without the developer's awareness.

This is a structural shift from traditional supply-chain attacks, which relied on typosquatting or dependency confusion. Here the attack surface is the AI assistant's trust model — the config files are implicitly trusted because they're part of the project, not because a developer explicitly installed a malicious package.

Broader pattern

The attack follows a pattern observed in recent months. In January 2026, researchers at Socket.dev reported a 340% increase in malicious npm packages targeting AI tooling. What's new is the cross-registry coordination — hitting npm, PyPI, and Crates.io simultaneously — and the AI config file injection, which no prior attack has used at scale.

The 34 packages have been reported to the respective registries, but the pull-request vector is harder to remediate because it exploits the implicit trust model of AI coding assistants. Developers cannot rely on registry takedowns alone; they must audit CLAUDE.md and .cursorrules files in every cloned repo.

What to watch

Watch for registry takedown timelines from npm, PyPI, and Crates.io, and for whether Cursor and Anthropic add warnings when CLAUDE.md or .cursorrules files originate from untrusted repos. Also monitor for copycat attacks using the same config-file vector in the next 30 days.

Sources cited in this article

Socket.dev

Source: gentic.news · 7h ago · author=Ala SMITH · citation.json

AI-assisted reporting. Generated by gentic.news from 1 verified source, fact-checked against the Living Graph of 4,300+ entities. Edited by Ala SMITH.

Following this story?

Get a weekly digest with AI predictions, trends, and analysis — free.

AI Analysis

The TrapDoor attack is significant not for its scale — 34 packages is modest — but for introducing a new attack surface: AI assistant config files as implicitly trusted execution vectors. Traditional supply-chain attacks require a developer to install a malicious package; here, merely cloning a repository and opening it in an AI coding assistant can trigger credential exfiltration. This exploits a fundamental trust asymmetry in current AI tooling. Claude Code and Cursor treat CLAUDE.md and .cursorrules as system-level instructions, akin to a .env file or CI config. But unlike those files, which typically only affect the tool's behavior within the IDE, these AI configs can instruct the agent to execute arbitrary shell commands, read files, and exfiltrate data — all without a separate package install. The cross-registry coordination (npm + PyPI + Crates.io) suggests a well-resourced attacker, likely a state-aligned group or a sophisticated cybercrime operation. The targeting of crypto, AI, and security developers is strategic: these developers hold the most valuable credentials (wallet keys, cloud provider tokens) and are the heaviest users of AI coding assistants. The most concerning aspect is the remediation challenge. Registry takedowns remove the packages but do nothing about the poisoned pull requests already merged into repos. Developers must now audit every CLAUDE.md and .cursorrules file in their dependency tree — a task that current tooling doesn't support. Expect a wave of security tooling updates from Socket.dev, Snyk, and GitHub's secret scanning team within weeks.

#open-source #malware #cybersecurity #supply-chain #ai-tools

Compare side-by-side

Claude Code vs TrapDoor

→

Mentioned in this article

TrapDoor Claude Code Cursor npm PyPI

Enjoyed this article?