{"name":"TRAPDOOR_AI_POISONING_2026 - campaign","description":"# Executive Threat Brief — TRAPDOOR_AI_POISONING_2026\n\n## Campaign Snapshot\n\nTrapDoor is an active supply chain campaign distributing credential-stealing malware across npm, PyPI, and Crates.io. The earliest confirmed artifact dates to May 19, 2026, three days before public disclosure. Across 34 malicious packages and 384 versioned artifacts, the campaign steals SSH keys, cloud credentials (AWS, GitHub), crypto wallets, and browser session data from developer machines and CI/CD environments.\n\nWhat separates TrapDoor from a typical malicious package campaign is its targeting of AI coding assistants. The npm payload plants hidden instructions inside `.cursorrules` and `CLAUDE.md` — configuration files automatically read by AI tools such as Claude Code and Cursor. Those instructions, invisible to developers but visible to AI models, trigger a fake \"security scan\" that silently exfiltrates local secrets. The attacker also opened pull requests against major open-source AI projects — LangChain, LlamaIndex, MetaGPT — to spread the poisoned files at scale.\n\n---\n\n## What Is Affected\n\n### Libraries\n\n| Package | Ecosystem | Vulnerable Range | Latest Malicious | Action |\n|---------|-----------|-----------------|-----------------|--------|\n| crypto-credential-scanner | npm | 2.0.0 – 4.0.0 | 4.0.0 | Remove immediately |\n| wallet-backup-verifier | npm | 1.0.0 – 4.0.0 | 4.0.0 | Remove immediately |\n| defi-threat-scanner | npm | 2.1.1 – 4.0.0 | 4.0.0 | Remove immediately |\n| wallet-security-checker | npm | 1.0.3 – 4.0.0 | 4.0.0 | Remove immediately |\n| chain-key-validator | npm | 0.2.3 – 4.0.0 | 4.0.0 | Remove immediately |\n| defi-env-auditor | npm | 0.3.2 – 4.0.0 | 4.0.0 | Remove immediately |\n| eth-wallet-sentinel | npm | 1.0.9 – 4.0.0 | 4.0.0 | Remove immediately |\n| mnemonic-safety-check | npm | 0.5.2 – 4.0.0 | 4.0.0 | Remove immediately |\n| solidity-deploy-guard | npm | 0.4.4 – 4.0.0 | 4.0.0 | Remove immediately |\n| web3-secrets-detector | npm | 1.2.6 – 4.0.0 | 4.0.0 | Remove immediately |\n| deployment-key-auditor | npm | 0.7.4 – 4.0.0 | 4.0.0 | Remove immediately |\n| dev-env-bootstrapper | npm | 1.0.0 – 1.5.2 | 1.5.2 | Remove immediately |\n| project-init-tools | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| workspace-config-loader | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| node-setup-helpers | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| build-scripts-utils | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| llm-context-compressor | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| token-usage-tracker | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| model-switch-router | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| prompt-engineering-toolkit | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| async-pipeline-builder | npm | 1.0.0 – 1.5.1 | 1.5.1 | Remove immediately |\n| cryptowallet-safety | PyPI | 0.1.0 | 0.1.0 | Remove immediately |\n| defi-risk-scanner | PyPI | 0.1.0 | 0.1.0 | Remove immediately |\n| eth-security-auditor | PyPI | 0.1.0 | 0.1.0 | Remove immediately |\n| solidity-build-guard | PyPI | 0.1.0 | 0.1.0 | Remove immediately |\n| env-loader-cli | PyPI | 0.1.0 – 0.1.1 | 0.1.1 | Remove immediately |\n| git-config-sync | PyPI | 0.1.0 – 0.1.1 | 0.1.1 | Remove immediately |\n| data-pipeline-check | PyPI | 0.1.0 – 0.1.1 | 0.1.1 | Remove immediately |\n| sui-move-build-helper | Crates.io | 0.1.1 | 0.1.1 | Remove immediately |\n| sui-sdk-build-utils | Crates.io | 0.1.0 | 0.1.0 | Remove immediately |\n| sui-framework-helpers | Crates.io | 0.1.0 | 0.1.0 | Remove immediately |\n| move-project-builder | Crates.io | 0.1.0 | 0.1.0 | Remove immediately |\n| move-analyzer-build | Crates.io | 0.1.0 | 0.1.0 | Remove immediately |\n| move-compiler-tools | Crates.io | 0.1.0 | 0.1.0 | Remove immediately |\n\n### Containers / CI Environments\n\n| Risk Surface | Condition | Action |\n|-------------|-----------|--------|\n| CI/CD pipelines (npm install) | Any pipeline running npm install that resolves a flagged package | Audit pipeline logs, rotate secrets |\n| CI/CD pipelines (pip install) | Any pipeline running pip install that resolves a flagged PyPI package | Audit pipeline logs, rotate secrets |\n| Rust build environments | Any cargo build using flagged Crates.io packages | Audit build logs, rotate wallet keys |\n\n---\n\n## Business Impact\n\n- **Credential theft with live validation**: The npm payload validates stolen AWS and GitHub tokens against live APIs before exfiltration. Confirmed-valid tokens provide direct access to cloud environments and private source code.\n- **Crypto wallet loss**: Crates.io packages specifically target Sui and Aptos wallet keystores. Blockchain wallet compromise is irreversible.\n- **AI assistant compromise**: Developers using Claude Code or Cursor in any project that received a poisoned `.cursorrules` or `CLAUDE.md` file may have had AI-assisted secret discovery run without their knowledge.\n- **Persistent access**: The payload installs systemd services, cron jobs, Git hooks, and SSH persistence. Removing the package does not remove these artifacts without explicit cleanup.\n- **Downstream propagation risk**: If any poisoned `.cursorrules` or `CLAUDE.md` was committed to an internal repository, the infection can propagate to every developer who subsequently clones that repository.\n- **Compliance exposure**: Confirmed theft of AWS credentials, GitHub tokens, and SSH keys constitutes a data breach event in most regulatory frameworks (GDPR, SOC 2, ISO 27001).\n\n---\n\n## Immediate Actions (Next 24–72 Hours)\n\n| # | Action | Owner | Deadline |\n|---|--------|-------|----------|\n| 1 | Audit all lockfiles across repositories for any of the 34 IOC packages | AppSec / DevSecOps | 24 hours |\n| 2 | Rotate AWS access keys on any machine or CI pipeline that installed a flagged package | Platform / DevOps | 24 hours |\n| 3 | Rotate GitHub personal access tokens and machine tokens in affected CI environments | DevOps / Engineering leads | 24 hours |\n| 4 | Revoke and regenerate SSH key pairs on affected developer workstations | Engineering leads | 48 hours |\n| 5 | Scan all repositories for `.cursorrules` and `CLAUDE.md` files containing zero-width Unicode (U+200B, U+200C, U+200D, U+FEFF) | AppSec | 48 hours |\n| 6 | Remove persistence artifacts: systemd services, cron jobs, Git hooks, shell RC modifications | IT / Engineering | 48 hours |\n| 7 | Block outbound traffic to `ddjidd564[.]github[.]io` at the network perimeter | Network / Security Ops | 24 hours |\n| 8 | Review open PRs against internal repositories for `.cursorrules` and `CLAUDE.md` additions from unknown contributors | Engineering leads | 48 hours |\n\n---\n\n## Key IOCs (Fast Reference)\n\n| Type | Value | Context |\n|------|-------|---------|\n| Domain | `ddjidd564[.]github[.]io` | C2 / payload host |\n| URL | `ddjidd564[.]github[.]io/defi-security-best-practices/` | Config and payload endpoint |\n| Host Artifact | `trap-core.js` (48,485 bytes) | npm credential harvester payload |\n| Campaign Marker | `P-2024-001` | Embedded in `.cursorrules`, `CLAUDE.md`, config JSON |\n| Crypto Hash | `cargo-build-helper-2026` | XOR key used in Crates.io exfiltration |\n| Persistence | `.cursorrules` | AI assistant poisoning; inspect for zero-width Unicode |\n| Persistence | `CLAUDE.md` | Claude Code poisoning; inspect for zero-width Unicode |\n| Persistence | Git pre-push hooks | `.git/hooks/pre-push` |\n| Persistence | Shell hooks | `~/.bashrc`, `~/.zshrc` |\n| Persistence | systemd service | `~/.config/systemd/user/` |\n| Persistence | cron job | User crontab |\n| Persistence | SSH authorized_keys | `~/.ssh/authorized_keys` |\n| GitHub Account | `ddjidd564` | Attacker account; source of all PRs and payload hosting |\n\n---\n\n## Risk Summary\n\n| Dimension | Rating | Rationale |\n|-----------|--------|-----------|\n| Exploitability | Critical | Fires automatically on package install, build, or import — no user interaction required |\n| Blast Radius | Critical | SSH keys, cloud credentials, GitHub tokens, crypto wallets, browser data — all extracted in a single install |\n| Persistence Risk | Critical | Seven independent persistence vectors; package removal alone does not remove malware |\n| Remediation Complexity | High | Requires lockfile audit, credential rotation, SSH key revocation, persistence cleanup, and AI config file inspection across all developer machines and CI environments |\n| Business Exposure | Critical | Live credential validation confirms high-value token theft; AI assistant poisoning risk extends to any project consuming infected config files |\n"}