Executive Summary
TrapDoor is an active cross-ecosystem supply chain campaign distributing credential-stealing malware across npm, PyPI, and Crates.io. Analysis of confirmed artifacts places the campaign’s actual start date at May 19, 2026 — three days earlier than the first widely reported date — with 384 artifact versions spread across 34 malicious packages. The packages impersonate development utilities targeting crypto, DeFi, Solana, and AI developer communities: environments where SSH keys, cloud credentials, GitHub tokens, and crypto wallet keystores routinely coexist on the same machine.
What distinguishes TrapDoor from the typical malicious package is its deliberate targeting of AI coding assistants. The shared npm payload, trap-core.js (48,485 bytes), plants .cursorrules and CLAUDE.md files containing hidden instructions embedded with zero-width Unicode characters. Those files are parsed by tools like Claude Code and Cursor to provide project-specific context. An attacker can place instructions in the path of a developer’s AI assistant without the developer ever reading them. When the assistant acts on those instructions, it runs a fake ‘security scan’ that silently exfiltrates local secrets.
This campaign carries no CVE. Traditional package scanners searching for known-vulnerable versions return zero findings across all 34 packages. The threat is the code inside the packages. For teams relying on CVSS-based prioritization alone, TrapDoor is invisible. Detection requires behavioral IOC matching against SBOM data — the gap Phoenix Security’s threat-centric ASPM was built to close.
TL;DR for Engineering Teams
| Label | Detail |
| --- | --- |
| What it is | Active supply chain campaign (no CVE) distributing a multi-stage credential harvester across npm, PyPI, and Crates.io. Tracked as TrapDoor by Socket Security. |
| Where it bites | npm (21 packages, 335 versions), PyPI (7 packages, 10 versions), Crates.io (6 packages, 6 versions). Targets crypto, DeFi, Solana, and AI developer environments. Earliest artifact: May 19, 2026. |
| Why it matters | 34 malicious packages, 384 versions, active exfiltration of SSH keys, AWS credentials, GitHub tokens, browser profiles, and crypto wallets. Novel AI injection via .cursorrules and CLAUDE.md (hidden zero-width Unicode). Attacker opened real PRs to LangChain, LlamaIndex, MetaGPT. Zero CVE: standard scanners are blind to this campaign. |
| Patch status | No vendor patch. Malicious packages must be identified and removed. Some pulled from registries; others were live at time of analysis. |
| Immediate action | Audit lockfiles against all 34 IOC packages (full versioned list below). Inspect .cursorrules and CLAUDE.md files for zero-width Unicode. Rotate all credentials on any machine that installed flagged packages. |
Campaign Overview
| Field | Value |
| --- | --- |
| Campaign Name | TrapDoor |
| Earliest Confirmed Artifact | May 19, 2026 (crypto-credential-scanner v2.0.0) |
| First Widely Reported | May 22, 2026 |
| Ecosystems | npm, PyPI, Crates.io |
| Malicious Packages | 34 |
| Versions / Artifacts | 384 (confirmed from IOC telemetry) |
| CVE | None assigned |
| CWE | CWE-506 (Embedded Malicious Code) |
| Active Exploitation | Confirmed |
| Attacker Infrastructure | ddjidd564.github.io / ddjidd564.github.io/defi-security-best-practices/ |
| Campaign Marker | P-2024-001 |
| Shared Payload | trap-core.js (48,485 bytes) |
| XOR Key (Crates.io) | cargo-build-helper-2026 |
| Detection Source | Socket Security (May 24, 2026) |
Technical Anatomy
Root Cause
TrapDoor has no root cause in the traditional sense. There is no vulnerable library version to patch. The malicious code is the package. Each ecosystem-specific delivery path fires during normal developer workflows, before any user interaction:
- npm: postinstall hook runs trap-core.js immediately after npm install completes
- PyPI: auto-execution on import fires a remote JavaScript payload via node -e
- Crates.io: build.rs script fires during cargo build, before any library code executes
The Shared npm Payload: trap-core.js
The 1,149-line, 48,485-byte trap-core.js payload is the operational core of TrapDoor for npm. It handles four tasks:
- Credential discovery: scans the local filesystem for SSH keys, AWS credential files (~/.aws/credentials), GitHub tokens, browser profile data, crypto wallet extensions, and environment variables
- Credential validation: actively calls AWS and GitHub APIs to confirm whether stolen credentials are valid, filtering for high-value tokens before exfiltration
- Persistence: plants multiple persistence vectors across the compromised machine
- Lateral movement: reuses stolen SSH keys to attempt access to connected systems
Persistence vectors observed:
- .cursorrules — AI assistant config with hidden malicious instructions (zero-width Unicode)
- CLAUDE.md — Claude Code project context with embedded zero-width Unicode directives
- Git pre-push hooks
- Shell RC hooks (.bashrc, .zshrc)
- systemd user services
- cron jobs
- SSH authorized_keys modification
PyPI Execution Path
PyPI packages auto-execute on import and download a remote JavaScript payload from ddjidd564.github.io/defi-security-best-practices/, running it via node -e. Hosting the payload externally decouples the delivery vehicle from the malicious logic. Packages can remain in lockfiles while the server-side payload is updated independently, without requiring a new registry release.
Crates.io Execution Path
Crates.io packages target Sui and Move blockchain developers. The build.rs script fires during cargo build, searches for local Sui and Aptos wallet keystores, encrypts the data with XOR key cargo-build-helper-2026, and exfiltrates it to GitHub Gists. The use of build.rs matters because it runs at compile time. Most dependency analysis tooling does not inspect Rust build scripts for outbound network activity or filesystem reads.
AI Assistant Poisoning
.cursorrules and CLAUDE.md are configuration files parsed by AI coding tools — Cursor and Claude Code respectively — to provide project-specific context that guides the assistant’s behavior. TrapDoor weaponizes this trust relationship.
The attacker embeds hidden instructions using zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF). Content appears blank or benign in any standard text editor. The AI assistant parses the full Unicode stream and acts on the hidden instructions, triggering a ‘security scan’ workflow that discovers and exfiltrates local secrets.
AI INJECTION — CONFIRMED PR TARGETS
browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, OpenHands/OpenHands. PR titles: “docs: add .cursorrules with dev standards and build verification”. Each pointed to ddjidd564.github.io/defi-security-best-practices/config.json and referenced campaign marker P-2024-001. GitHub flagged the files as containing hidden or bidirectional Unicode text.
This attack vector connects to previously documented command injection vulnerabilities in Claude Code CLI. In April 2026, Phoenix Security confirmed three CWE-78 flaws in Claude Code CLI allowing credential exfiltration through maliciously crafted project files. TrapDoor’s AI injection component exploits the same model — project config files parsed and acted on by Claude Code — now delivered via supply chain rather than requiring direct repository access.
Campaign Phases
| Phase | Activity | First Active |
| --- | --- | --- |
| Phase 1: Initial npm Wave | 11 crypto/DeFi-themed npm packages released. Postinstall hooks with credential harvesting logic. Rapid versioning cadence begins. | May 19, 2026 |
| Phase 2: Expanded npm Wave | 10 AI/dev-tool-themed npm packages added. trap-core.js deployed. .cursorrules and CLAUDE.md persistence planted. | May 22, 2026 |
| Phase 3: PyPI Deployment | 7 PyPI packages auto-executing remote JavaScript on import via node -e. Python payload delegates to attacker-controlled GitHub Pages. | May 22, 2026 |
| Phase 4: Crates.io Deployment | 6 Rust packages targeting Sui and Move developers. build.rs XOR-encrypts wallet keystores and exfiltrates to GitHub Gists. | May 24, 2026 |
| Phase 5: Ecosystem Injection | PRs opened to LangChain, LlamaIndex, MetaGPT, browser-use, OpenHands. .cursorrules and CLAUDE.md planted under documentation cover. | Concurrent |
Malicious Package IOCs
npm Wave 1 — Crypto / DeFi Targeting (May 19–21, 2026)
Publisher: asdxzxc. Packages use postinstall hooks. Versioning was iterative and rapid, indicating active development during the campaign window.
| Package Name | Version Range | Versions | First Active |
| --- | --- | --- | --- |
| crypto-credential-scanner | 2.0.0 to 4.0.0 | 18 | 2026-05-19 |
| wallet-backup-verifier | 1.0.0 to 4.0.0 | 12 | 2026-05-20 |
| defi-threat-scanner | 2.1.1 to 4.0.0 | 16 | 2026-05-21 |
| wallet-security-checker | 1.0.3 to 4.0.0 | 15 | 2026-05-21 |
| chain-key-validator | 0.2.3 to 4.0.0 | 16 | 2026-05-21 |
| defi-env-auditor | 0.3.2 to 4.0.0 | 16 | 2026-05-21 |
| eth-wallet-sentinel | 1.0.10 to 4.0.0 | 15 | 2026-05-21 |
| mnemonic-safety-check | 0.5.2 to 4.0.0 | 16 | 2026-05-21 |
| solidity-deploy-guard | 0.4.4 to 4.0.0 | 15 | 2026-05-21 |
| web3-secrets-detector | 1.2.6 to 4.0.0 | 16 | 2026-05-21 |
| deployment-key-auditor | 0.7.4 to 4.0.0 | 15 | 2026-05-21 |
npm Wave 2 — AI / Dev-Tool Targeting (May 22–23, 2026)
Publisher: asdxzxc. Packages carry trap-core.js and plant .cursorrules / CLAUDE.md persistence artifacts. dev-env-bootstrapper acts as both harvester and config delivery mechanism.
| Package Name | Version Range | Versions | First Active |
| --- | --- | --- | --- |
| dev-env-bootstrapper | 1.0.0 to 1.5.2 | 21 | 2026-05-22 |
| project-init-tools | 1.0.0 to 1.5.1 | 20 | 2026-05-22 |
| workspace-config-loader | 1.0.0 to 1.5.1 | 20 | 2026-05-22 |
| node-setup-helpers | 1.0.0 to 1.5.1 | 20 | 2026-05-22 |
| build-scripts-utils | 1.0.0 to 1.5.1 | 20 | 2026-05-22 |
| llm-context-compressor | 1.0.0 to 1.5.1 | 20 | 2026-05-23 |
| token-usage-tracker | 1.0.0 to 1.5.1 | 19 | 2026-05-23 |
| model-switch-router | 1.0.0 to 1.5.1 | 19 | 2026-05-23 |
| prompt-engineering-toolkit | 1.0.0 to 1.5.1 | 20 | 2026-05-23 |
| async-pipeline-builder | 1.0.0 to 1.5.1 | 19 | 2026-05-23 |
PyPI — 7 Packages (May 22–24, 2026)
Publishers: asdmini67, dae5411. Auto-execute on import. Remote JavaScript payload fetched from ddjidd564.github.io and executed via node -e, decoupling payload updates from registry releases.
| Package Name | Version Range | Versions | First Active |
| --- | --- | --- | --- |
| cryptowallet-safety | 0.1.0 to 0.1.0 | 1 | 2026-05-22 |
| defi-risk-scanner | 0.1.0 to 0.1.0 | 1 | 2026-05-22 |
| eth-security-auditor | 0.1.0 to 0.1.0 | 1 | 2026-05-22 |
| solidity-build-guard | 0.1.0 to 0.1.0 | 1 | 2026-05-22 |
| env-loader-cli | 0.1.0 to 0.1.1 | 2 | 2026-05-24 |
| git-config-sync | 0.1.0 to 0.1.1 | 2 | 2026-05-24 |
| data-pipeline-check | 0.1.0 to 0.1.1 | 2 | 2026-05-24 |
Crates.io — 6 Packages (May 24, 2026)
Target: Sui and Move blockchain developers. build.rs fires during cargo build. Wallet keystores XOR-encrypted with cargo-build-helper-2026 and exfiltrated to GitHub Gists.
| Package Name | Version Range | Versions | First Active |
| --- | --- | --- | --- |
| sui-move-build-helper | 0.1.1 to 0.1.1 | 1 | 2026-05-24 |
| sui-framework-helpers | 0.1.0 to 0.1.0 | 1 | 2026-05-24 |
| sui-sdk-build-utils | 0.1.0 to 0.1.0 | 1 | 2026-05-24 |
| move-analyzer-build | 0.1.0 to 0.1.0 | 1 | 2026-05-24 |
| move-compiler-tools | 0.1.0 to 0.1.0 | 1 | 2026-05-24 |
| move-project-builder | 0.1.0 to 0.1.0 | 1 | 2026-05-24 |
Indicators of Compromise
Domains and Infrastructure
C2 / PAYLOAD HOSTS
ddjidd564[.]github[.]io
ddjidd564[.]github[.]io/defi-security-best-practices/
GitHub account: ddjidd564
Campaign Markers and Files
CAMPAIGN ARTIFACTS
Campaign marker: P-2024-001
Shared payload: trap-core.js
Payload size: 48,485 bytes
XOR key: cargo-build-helper-2026
Config fetch: GitHub raw content webhook (attacker-controlled config.json)
| Indicator | Type | Notes |
| --- | --- | --- |
| ddjidd564[.]github[.]io | C2 / payload host | Hosts trap-core.js, config.json, AUDIT-MATRIX.md |
| ddjidd564[.]github[.]io/defi-security-best-practices/ | Config endpoint | Referenced in .cursorrules files planted via PRs |
| ddjidd564 (GitHub account) | Attacker account | Source of all PRs and hosted payload repos |
| P-2024-001 | Campaign marker | Embedded across .cursorrules, CLAUDE.md, and config files |
| trap-core.js | Payload file | 48,485 bytes; 1,149-line credential harvester |
| cargo-build-helper-2026 | XOR encryption key | Hardcoded in all Crates.io build.rs payloads |
| AUDIT-MATRIX.md | Attacker playbook | Describes ‘Universal AI Agent Extraction Framework’ |
| defi-security-best-practices | Attacker repo name | GitHub Pages site serving payloads and config |
Persistence and Propagation Paths
Any of the following files or modifications found on a developer machine or in a project repository should be treated as a compromise indicator until confirmed otherwise:
PERSISTENCE ARTIFACTS
File-based:
.cursorrules — hidden zero-width Unicode directives for AI assistants
CLAUDE.md — hidden zero-width Unicode directives for Claude Code
Hook-based:
.git/hooks/pre-push — malicious Git hook
.bashrc / .zshrc — shell hook injection
Service-based:
systemd user service — ~/.config/systemd/user/
cron job — crontab -l on affected users
Network propagation:
SSH — authorized_keys modified; stolen keys reused for lateral movement
| Persistence Vector | Location | Purpose |
| --- | --- | --- |
| .cursorrules | Project root | Poisons AI assistant with hidden credential-exfil instructions |
| CLAUDE.md | Project root | Poisons Claude Code with hidden instructions; mirrors .cursorrules |
| Git pre-push hook | .git/hooks/pre-push | Executes payload on every git push from compromised repo |
| Shell hook | ~/.bashrc, ~/.zshrc | Executes payload on every new shell session |
| systemd service | ~/.config/systemd/user/ | Maintains persistence across reboots |
| cron job | User crontab | Scheduled re-execution of harvesting payload |
| SSH authorized_keys | ~/.ssh/authorized_keys | Grants attacker persistent SSH access; enables lateral movement |
Zero-Width Unicode Detection
```bash
# Scan .cursorrules and CLAUDE.md for hidden zero-width Unicode.
# grep -P needs a UTF-8 locale for the \x{...} escapes to match code points rather than bytes.
grep -rP '[\x{200B}\x{200C}\x{200D}\x{FEFF}]' . --include='.cursorrules' --include='*.md'

# Python inspection of a single file: report each hidden character with its offset
python3 -c "
with open('.cursorrules', 'r', encoding='utf-8') as f:
    content = f.read()
for i, c in enumerate(content):
    if ord(c) in [0x200B, 0x200C, 0x200D, 0xFEFF]:
        print(f'Hidden char U+{ord(c):04X} at position {i}')
"
```
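The commands above inspect one file at a time. The following script is an added example (ours, not Socket's or Phoenix's tooling) that generalizes them for the AI Assistant Poisoning technique described earlier: it walks a project tree, scans every .cursorrules and CLAUDE.md, reports each hidden character with its line and column, and also flags the bidi override and isolate controls (U+202A..U+202E, U+2066..U+2069) that GitHub's "hidden or bidirectional Unicode" warning covers. The sample file content is constructed.

```python
"""Scan AI-assistant context files for zero-width and bidirectional Unicode controls."""
import os
import unicodedata

# Zero-width code points named in the advisory, plus the bidi override/isolate controls
# (U+202A..U+202E, U+2066..U+2069) that GitHub's "hidden or bidirectional Unicode" warning covers.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
SUSPECT = ZERO_WIDTH | BIDI_CONTROLS
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}   # files Cursor / Claude Code parse as project context
SKIP_DIRS = {"node_modules", ".git", "target"}

def scan_text(text):
    """Return one (line_no, column, codepoint, unicode_name) tuple per suspect character."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) in SUSPECT:
                hits.append((line_no, col, ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits

def summarize(hits):
    """Collapse hits into {line_no: count} so a reviewer sees where the hidden content sits."""
    counts = {}
    for line_no, _col, _cp, _name in hits:
        counts[line_no] = counts.get(line_no, 0) + 1
    return counts

def scan_tree(root):
    """Walk root for target files; return {path: hits} for every file carrying suspect characters."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample (not a real captured file): line 2 looks like plain text in an editor
# but carries three zero-width characters between "verification" and "before".
SAMPLE_CURSORRULES = (
    "# Project standards\n"
    "Run build verification\u200b\u200c\u200dbefore push\n"
    "Use 2-space indentation\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in scan_text(SAMPLE_CURSORRULES):
        print(f"line {line_no} col {col}: U+{cp:04X} {name}")
    print(scan_tree("."))
```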
Exposure Analysis
| Environment | Risk Level | Reason |
| --- | --- | --- |
| Developer workstations (crypto / DeFi / AI) | Critical | Direct target. SSH keys, wallets, cloud credentials coexist on same machine. |
| CI/CD pipelines | Critical | npm install and pip install trigger payload. AWS + GitHub tokens present as env vars during build. |
| AI coding tool environments | High | .cursorrules and CLAUDE.md parsed by Cursor and Claude Code. Hidden Unicode instructions fire automatically. |
| Open-source projects | High | PRs opened to major AI repositories. Merged .cursorrules infects every downstream clone. |
| Rust build environments | High | build.rs fires during cargo build with no user interaction required. |
Real-World Impact
TrapDoor’s credential validation step separates it from unsophisticated stealers. The npm payload actively calls AWS and GitHub APIs to confirm whether harvested tokens are valid, filtering for high-value credentials before exfiltration. AWS tokens that pass validation unlock cloud environments. GitHub tokens expose private repositories, CI secrets, and deployment pipelines.
For crypto and DeFi developers, the Crates.io component specifically targets Sui and Aptos wallet keystores. Blockchain wallet compromise is irreversible — there is no dispute process for on-chain asset theft.
The PR activity against LangChain, LlamaIndex, MetaGPT, and related projects demonstrates reach beyond opportunistic installs. If a poisoned .cursorrules or CLAUDE.md file lands in a popular repository, every developer who subsequently clones that repository and uses an AI coding assistant could have their environment infected without installing any malicious package directly.
The attacker’s AUDIT-MATRIX.md document, hosted at the campaign’s GitHub Pages repository, describes the operation as a ‘Universal AI Agent Extraction Framework’ with staged workflows for capability detection, data extraction, and self-replication. Multiple behaviors documented there — filesystem scanning, AI-facing disguise language, .cursorrules persistence, remote configuration — match what Socket confirmed in live npm payload analysis. The ‘disguise layer’ section explicitly maps credential theft to benign-sounding tasks: security audits, wallet safety checks, cloud configuration validation, and repository security reviews.
Detection Guidance
Log Indicators
- node or sh subprocesses spawned from within node_modules directories during or after package installation.
- Outbound connections to ddjidd564.github.io from developer workstations or CI environments.
- GitHub API calls (GET /user, GET /user/repos) originating from npm postinstall processes — credential validation traffic.
- AWS API calls (STS GetCallerIdentity, IAM GetUser) from npm postinstall or build processes.
- Outbound HTTP to gist.github.com from cargo build processes — Crates.io payload exfiltration path.
- Unexpected modification timestamps on .cursorrules or CLAUDE.md files that do not correspond to any git commit.
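As an added example (not from the advisory or from Phoenix's product), the indicators above expressed as rules over JSON-lines telemetry. The record schema (type, image, parent, cwd, host, request) and the sample records are constructed assumptions, so map the fields to whatever your EDR or CI logging actually emits; the point the rules make is that the validation traffic only becomes suspicious when its parent is an install or build step.

```python
"""Apply the TrapDoor log indicators above to endpoint / CI telemetry records."""
import json

C2_HOST = "ddjidd564.github.io"      # payload host from the IOC list
EXFIL_HOST = "gist.github.com"       # Crates.io build.rs exfiltration path
INSTALL_PARENTS = ("npm", "pip", "pip3", "cargo", "yarn", "pnpm")

def _from_install_step(ev):
    """True when the event's parent command is a package-manager or build invocation."""
    return ev.get("parent", "").split(" ")[0] in INSTALL_PARENTS

def node_from_node_modules(ev):
    return (ev["type"] == "process" and ev.get("image") in ("node", "sh")
            and "/node_modules/" in ev.get("cwd", "") + "/")

def c2_connection(ev):
    return ev["type"] == "network" and ev.get("host") == C2_HOST

def github_token_validation(ev):
    return (ev["type"] == "network" and ev.get("host") == "api.github.com"
            and ev.get("request", "").split(" ")[:2] in (["GET", "/user"], ["GET", "/user/repos"])
            and _from_install_step(ev))

def aws_credential_validation(ev):
    host = ev.get("host", "")   # global (sts.amazonaws.com) or regional (sts.<region>.amazonaws.com)
    return (ev["type"] == "network" and host.endswith(".amazonaws.com")
            and host.split(".")[0] in ("sts", "iam")
            and any(a in ev.get("request", "") for a in ("GetCallerIdentity", "GetUser"))
            and _from_install_step(ev))

def gist_from_cargo(ev):
    return (ev["type"] == "network" and ev.get("host") == EXFIL_HOST
            and ev.get("parent", "").startswith("cargo build"))

RULES = [("node/sh spawned inside node_modules", node_from_node_modules),
         ("outbound to TrapDoor payload host", c2_connection),
         ("GitHub /user token validation from install step", github_token_validation),
         ("AWS STS/IAM credential validation from install step", aws_credential_validation),
         ("gist.github.com upload from cargo build", gist_from_cargo)]

def match_records(lines):
    """Return [(rule_name, record)] for every JSON-lines record that trips a rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, ev))
    return findings

# Constructed telemetry (assumed schema); the last two records are benign look-alikes.
SAMPLE_LOG = """
{"type":"process","image":"node","parent":"npm install","cwd":"/home/dev/app/node_modules/dev-env-bootstrapper"}
{"type":"network","image":"node","parent":"npm install","host":"api.github.com","request":"GET /user HTTP/1.1"}
{"type":"network","image":"node","parent":"npm install","host":"sts.amazonaws.com","request":"POST / Action=GetCallerIdentity"}
{"type":"network","image":"node","parent":"npm install","host":"ddjidd564.github.io","request":"GET /defi-security-best-practices/config.json HTTP/1.1"}
{"type":"network","image":"build-script-build","parent":"cargo build","host":"gist.github.com","request":"POST / HTTP/1.1"}
{"type":"network","image":"node","parent":"node server.js","host":"api.github.com","request":"GET /user HTTP/1.1"}
{"type":"process","image":"node","parent":"npm run dev","cwd":"/home/dev/app"}
"""

if __name__ == "__main__":
    for name, ev in match_records(SAMPLE_LOG.splitlines()):
        print(f"[{name}] {ev}")
```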
Verification Steps for Teams
- Audit all lockfiles (package-lock.json, yarn.lock, Pipfile.lock, Cargo.lock) against the full versioned IOC package list above
- Search project directories for .cursorrules and CLAUDE.md files; inspect for zero-width Unicode using the detection commands above
- Check CI/CD pipeline logs for outbound connections to ddjidd564.github.io during any build step
- Review GitHub Actions logs for AWS STS or GitHub /user API calls originating from dependency install steps
- Inspect ~/.aws/credentials, ~/.ssh/known_hosts, and browser profile directories on machines that ran flagged packages
- For Rust projects: inspect build.rs files in any Crates.io dependency matching the IOC list for outbound network calls or filesystem writes outside the expected build directory
- Check systemd user services, cron jobs, and shell RC files on affected machines for persistence artifacts planted by trap-core.js
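An added script (not Phoenix's or Socket's code) for the lockfile audit step above. It carries the 34 IOC packages with their inclusive version ranges as transcribed from the per-ecosystem tables, parses package-lock.json (v2/v3 "packages" map) and Cargo.lock, and reports any dependency whose version falls inside a malicious range; the lockfile fragments at the bottom are constructed samples, not real project files.

```python
"""Audit lockfiles against the TrapDoor IOC package list (names and version ranges above)."""
import json
import re

# Inclusive malicious version ranges, transcribed from the per-ecosystem IOC tables above.
NPM_IOCS = {
    "crypto-credential-scanner": ("2.0.0", "4.0.0"), "wallet-backup-verifier": ("1.0.0", "4.0.0"),
    "defi-threat-scanner": ("2.1.1", "4.0.0"), "wallet-security-checker": ("1.0.3", "4.0.0"),
    "chain-key-validator": ("0.2.3", "4.0.0"), "defi-env-auditor": ("0.3.2", "4.0.0"),
    "eth-wallet-sentinel": ("1.0.10", "4.0.0"), "mnemonic-safety-check": ("0.5.2", "4.0.0"),
    "solidity-deploy-guard": ("0.4.4", "4.0.0"), "web3-secrets-detector": ("1.2.6", "4.0.0"),
    "deployment-key-auditor": ("0.7.4", "4.0.0"), "dev-env-bootstrapper": ("1.0.0", "1.5.2"),
    "project-init-tools": ("1.0.0", "1.5.1"), "workspace-config-loader": ("1.0.0", "1.5.1"),
    "node-setup-helpers": ("1.0.0", "1.5.1"), "build-scripts-utils": ("1.0.0", "1.5.1"),
    "llm-context-compressor": ("1.0.0", "1.5.1"), "token-usage-tracker": ("1.0.0", "1.5.1"),
    "model-switch-router": ("1.0.0", "1.5.1"), "prompt-engineering-toolkit": ("1.0.0", "1.5.1"),
    "async-pipeline-builder": ("1.0.0", "1.5.1"),
}
PYPI_IOCS = {
    "cryptowallet-safety": ("0.1.0", "0.1.0"), "defi-risk-scanner": ("0.1.0", "0.1.0"),
    "eth-security-auditor": ("0.1.0", "0.1.0"), "solidity-build-guard": ("0.1.0", "0.1.0"),
    "env-loader-cli": ("0.1.0", "0.1.1"), "git-config-sync": ("0.1.0", "0.1.1"),
    "data-pipeline-check": ("0.1.0", "0.1.1"),
}
CRATES_IOCS = {
    "sui-move-build-helper": ("0.1.1", "0.1.1"), "sui-framework-helpers": ("0.1.0", "0.1.0"),
    "sui-sdk-build-utils": ("0.1.0", "0.1.0"), "move-analyzer-build": ("0.1.0", "0.1.0"),
    "move-compiler-tools": ("0.1.0", "0.1.0"), "move-project-builder": ("0.1.0", "0.1.0"),
}

def _key(version):
    """Dotted version -> tuple of ints; pre-release / build suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", re.split(r"[-+]", version, maxsplit=1)[0]))

def in_range(version, rng):
    """True when version lies inside the inclusive (low, high) IOC range."""
    return _key(rng[0]) <= _key(version) <= _key(rng[1])

def npm_lock_packages(text):
    """Yield (name, version) from a package-lock.json v2/v3 "packages" map (v1 files lack it)."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if path:  # the empty key is the root project itself; nested paths end in the package name
            yield path.split("node_modules/")[-1], meta.get("version", "")

def cargo_lock_packages(text):
    """Yield (name, version) from Cargo.lock [[package]] blocks."""
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            yield name.group(1), ver.group(1)

def audit(packages, iocs):
    """Return sorted (name, version) pairs whose name is an IOC and version falls in its range."""
    return sorted({(n, v) for n, v in packages if n in iocs and v and in_range(v, iocs[n])})

# Constructed sample lockfile fragments (not real project files) to exercise the audit.
SAMPLE_NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"}, "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/dev-env-bootstrapper": {"version": "1.4.0"}}})
SAMPLE_CARGO_LOCK = ('[[package]]\nname = "serde"\nversion = "1.0.200"\n\n'
                     '[[package]]\nname = "sui-move-build-helper"\nversion = "0.1.1"\n')

if __name__ == "__main__":
    print(audit(npm_lock_packages(SAMPLE_NPM_LOCK), NPM_IOCS))      # [('dev-env-bootstrapper', '1.4.0')]
    print(audit(cargo_lock_packages(SAMPLE_CARGO_LOCK), CRATES_IOCS))
```

Point the two parsers at real package-lock.json and Cargo.lock files (and PYPI_IOCS at whatever your Python lock format yields) to cover all three ecosystems in one pass.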
Scanner References
- Phoenix Security ASPM: correlates malicious package IOCs against SBOM; flags packages in any pipeline regardless of CVE status
- Socket Security: confirmed all 34 packages with real-time behavioral detection across npm, PyPI, and Crates.io
- SBOM analysis: generate SBOM from lockfiles and cross-reference against IOC list — all 34 package names + version ranges documented above
- GitHub dependency scanning: flag packages with known malicious postinstall hooks
Remediation Guidance
Immediate Actions
- Remove all flagged packages from package.json, requirements.txt, and Cargo.toml. Run npm uninstall [package], pip uninstall [package], and cargo remove [package] for each match
- Rotate all credentials on any machine or CI environment that installed flagged packages: AWS access keys, GitHub personal access tokens, SSH key pairs, and any API keys in environment variables or .env files
- Inspect and delete any .cursorrules and CLAUDE.md files containing zero-width Unicode content or not explicitly authored by your team
- Revoke and regenerate SSH key pairs on affected developer workstations; update authorized_keys on all servers those machines had access to
- Audit GitHub Actions secrets in repositories whose CI pipelines installed flagged packages; rotate any secrets present during the affected build window
- Check and remove persistence artifacts: systemd user services (~/.config/systemd/user/), cron jobs (crontab -l), Git hooks (.git/hooks/pre-push), and shell RC modifications (.bashrc, .zshrc)
Temporary Mitigations (If Full Audit Is Delayed)
- Block outbound traffic from CI/CD environments to ddjidd564.github.io at the network perimeter
- Disable postinstall script execution in CI: npm config set ignore-scripts true (test before applying broadly — this breaks legitimate packages with postinstall hooks)
- Add SAST rules to flag build.rs files containing outbound HTTP calls or filesystem reads outside the expected build output directory
- Enforce .cursorrules and CLAUDE.md allowlist policies in AI coding tool configurations, restricting which repositories those files are trusted from
- Pin all Crates.io dependencies to exact versions and manually review any Sui or Move tooling packages added to Cargo.toml
Phoenix Security Recommendations
TrapDoor is a zero-CVE campaign. Every package in this campaign was released without any known-vulnerable version history. Traditional vulnerability scanners searching for CVSS-scored findings return zero results across all 34 packages. The threat is entirely within the malicious code embedded inside packages that appear, at SBOM level, like any other dev dependency.
Phoenix Security correlates SBOM data against behavioral threat intelligence, not just CVE lists. When dev-env-bootstrapper or eth-security-auditor appears in a dependency graph, Phoenix identifies it as a known-malicious package based on campaign IOC correlation, regardless of whether a CVE has been assigned. The 34-package IOC set for TrapDoor can be loaded directly as a named campaign with all version ranges pre-configured.
The full Phoenix ASPM campaign configuration for TrapDoor is available as a ready-to-import JSON file. Load it directly into Phoenix to create the campaign with all 34 packages, version ranges, CWE-506 filter, and IOC domains pre-configured.
The reachability analysis layer adds a second filter. For environments where a flagged package is present, Phoenix traces whether the package’s install lifecycle is reachable in the current build configuration and identifies which pipelines are downstream. That distinction is critical when prioritizing remediation across a large estate.
Remediation campaigns in Phoenix create a tracked backlog against all repositories with flagged packages, assign ownership to the relevant development teams, and verify remediation once packages are removed and credentials rotated.
For the AI injection component: Phoenix’s attack surface management capability identifies which repositories contain .cursorrules and CLAUDE.md files and can flag those with non-standard Unicode content for immediate review.
PHOENIX SECURITY
Phoenix correlates malicious package IOCs against runtime SBOM, identifies pipeline exposure, assigns remediation ownership, and verifies fix — collapsing a zero-CVE supply chain campaign into an owned, trackable backlog rather than a silent ongoing compromise.
External References
- Socket Security — TrapDoor Crypto Stealer Full Analysis: https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates
- The Hacker News — TrapDoor Supply Chain Coverage: https://thehackernews.com (May 25, 2026)
- Phoenix Security — Claude Code CLI CWE-78 Command Injection Flaws: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/
- Attacker C2 infrastructure — ddjidd564 GitHub Pages: ddjidd564.github.io/defi-security-best-practices/
- npm publisher IOC — asdxzxc: https://www.npmjs.com/~asdxzxc
- PyPI publisher IOCs — asdmini67, dae5411
- Crates.io IOC packages — move-* and sui-* series (6 packages, see IOC table)