TrapDoor Hits npm, PyPI and Crates.io With AI Config Poisoning

Stephanie Adlam
TrapDoor uses packages and AI configuration files as a route to developer secrets.

TrapDoor is not a normal CVE-driven vulnerability story. It is an active software supply-chain campaign in which malicious packages for npm, PyPI and Crates.io steal developer secrets and try to poison AI coding assistant context through CLAUDE.md and .cursorrules. Public reporting puts the campaign at more than 34 malicious packages and 384 versions, with confirmed artifacts dating back to May 19, 2026 [1].

The practical risk is direct: one installed package can run during npm install, Python import, or cargo build, then look for SSH keys, GitHub tokens, AWS credentials, environment variables, browser data, and crypto wallet keystores. If such a package ran on a developer workstation or CI runner, treat the environment as potentially compromised until secrets are rotated and persistence is checked.

What Makes TrapDoor Different

Most malicious package campaigns stop at install-time theft. TrapDoor adds a newer developer-environment angle: the payload can create or alter CLAUDE.md and .cursorrules files, hiding instructions with zero-width Unicode characters [2]. A text editor may show a blank or harmless-looking file, while an AI coding assistant parses the full Unicode stream as project context.

That makes the campaign relevant beyond crypto developers. Any team using Cursor, Claude Code, or similar AI-assisted tools in repositories with external pull requests, fork-based review, or fast dependency testing should check whether these files appeared unexpectedly.

Who Should Check Now

| Environment | What to review | Why it matters |
|---|---|---|
| npm projects | package.json, lockfiles, install logs | The npm payload can run through postinstall and search local or runner secrets. |
| Python projects | requirements.txt, lockfiles, import paths | Reported PyPI packages can execute remote JavaScript through node -e. |
| Rust/Sui/Move tooling | Cargo.toml, Cargo.lock, build.rs | Crates.io packages can run during build and target wallet keystores. |
| AI-assisted development | CLAUDE.md, .cursorrules, PR branches | Hidden Unicode instructions can enter the assistant context without visible text. |

Response Steps

  1. Compare dependency files with the IOC package lists. Check package names and versions from Phoenix/CSA/THN reporting, especially crypto, DeFi, Solana, Sui, Move and AI tooling dependencies.
  2. Search for zero-width Unicode. Inspect CLAUDE.md and .cursorrules for U+200B, U+200C, U+200D and U+FEFF. Do not rely on visual review alone.
  3. Question unexpected AI config files. If a file appeared after dependency install/build/import or arrived through a third-party pull request, remove it and review git history.
  4. Rotate secrets after execution. If a flagged package ran, rotate GitHub personal access tokens, SSH key pairs, cloud access keys, API keys, registry tokens, and wallet-related secrets. Lack of obvious exfiltration logs is not proof that keys were safe.
  5. Scan the workstation for persistence. If the package executed locally, run a full system check after removing dependencies. On Windows developer machines, Gridinsoft Anti-Malware can provide a second-opinion malware scan after the dependency cleanup.
  6. Review CI logs. Look for AWS STS calls, GitHub API calls, outbound traffic to attacker-controlled GitHub Pages/Gists, and script execution from install or build steps.
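A small scanner for step 2, added here as an example (it is not code from the article or from the cited research): it reports every zero-width code point named above with its line and column in CLAUDE.md and .cursorrules, and can print a stripped copy for side-by-side review. The set of file names it walks is an assumption.

```python
# Added example: find zero-width Unicode in AI assistant context files.
# An editor renders these code points as nothing, so visual review misses them.
import re
import sys
from pathlib import Path

# Code points listed in the response steps, with their Unicode names.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}
ZERO_WIDTH_RE = re.compile("[" + "".join(ZERO_WIDTH) + "]")

# Assumed file names to check; extend for other assistants' context files.
AI_CONTEXT_FILES = ("CLAUDE.md", ".cursorrules")


def find_zero_width(text):
    """Return (line_no, column, name) for each zero-width code point in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ZERO_WIDTH_RE.finditer(line):
            hits.append((line_no, m.start() + 1, ZERO_WIDTH[m.group()]))
    return hits


def strip_zero_width(text):
    """Return text with zero-width code points removed, to diff against the original."""
    return ZERO_WIDTH_RE.sub("", text)


def scan_repo(root):
    """Walk root for AI context files; return {path: hits} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.name in AI_CONTEXT_FILES and path.is_file():
            hits = find_zero_width(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample, not a real payload: the second line hides three
# zero-width characters between ordinary words.
SAMPLE = "# Project notes\nUse\u200b the\u200c helper\ufeff module.\n"

if __name__ == "__main__":
    for path, hits in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, col, name in hits:
            print(f"{path}:{line_no}:{col}: {name}")
```

A single U+FEFF at line 1, column 1 is usually an ordinary byte-order mark; the same code point anywhere else in the file has no legitimate reason to be there.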

Why CVE Scanners May Miss It

TrapDoor is not a vulnerable version of a legitimate package. The package itself is malicious. CVSS and CVE-only workflows can therefore return no findings while a lockfile still contains a malicious dependency. This is where malicious-package intelligence, dependency allowlisting, install-script controls, and behavioral package review matter more than ordinary vulnerability scoring.

Reducing Repeat Exposure

  • Disable install scripts in CI where testing shows the build still works without them. For npm, npm config set ignore-scripts true can help, but it can also break legitimate packages that depend on their install scripts.
  • Treat CLAUDE.md, .cursorrules, and equivalent AI context files as code-review assets, not harmless documentation.
  • Avoid checking out unknown pull request branches in environments that hold real tokens, wallet files, or cloud credentials.
  • Move long-lived cloud keys, package registry tokens, and wallet secrets away from ordinary developer workstations wherever possible.

Related repository risk: teams using self-hosted Git should also check the Gogs RCE zero-day mitigation steps, especially open registration and repository creation controls.

FAQ

Does TrapDoor have a CVE?

No. It is a malicious-package campaign, not a single patched vulnerability. Detection depends on IOC package matching, lockfile review, and install/build behavior checks.

Is uninstalling the package enough?

No, not if the package already executed. Rotate exposed secrets, inspect AI config files, and check persistence artifacts on the machine or runner.

Why are CLAUDE.md and .cursorrules important?

AI coding tools can treat these files as trusted project instructions. Hidden Unicode content can make instructions invisible to a human reviewer while still readable to the assistant.

References

  1. Phoenix Security Research. “TrapDoor Supply Chain Campaign: Cross-Ecosystem Credential Theft and AI Assistant Poisoning via npm, PyPI, and Crates.io.” Phoenix Security, May 2026, accessed May 27, 2026. https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/
  2. Cloud Security Alliance. “TrapDoor: Supply Chain Attack Poisons AI Coding Assistants.” CSA Lab Space, May 2026, accessed May 27, 2026. https://labs.cloudsecurityalliance.org/research/csa-research-note-trapdoor-multi-ecosystem-supply-chain-ai-t/
  3. The Hacker News Staff. “TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO.” The Hacker News, May 25, 2026, accessed May 27, 2026. https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html