TrapDoor supply chain attack across npm, PyPI, and Crates.io steals crypto wallet keys and poisons AI coding assistants with hidden Unicode instructions.

Marcus Webb
DeFi Research Lead

A coordinated supply chain attack called TrapDoor has compromised 34 packages across npm, PyPI, and Crates.io, specifically targeting crypto developers. The malware steals wallet private keys, SSH credentials, and AWS tokens - and introduces a new attack vector that poisons AI coding assistants through invisible Unicode characters.
On May 24, 2026, security researchers at Socket disclosed a coordinated supply chain campaign spanning three major package registries. The earliest malicious package had appeared two days earlier, on May 22. Dubbed TrapDoor, the attack distributed 34 malicious packages across more than 384 versions, all designed to harvest credentials from crypto, DeFi, and AI developers.
This is not the first supply chain attack to target crypto. The event-stream incident in 2018 compromised Copay Bitcoin wallets, and the ua-parser-js hijack in 2021 deployed cryptominers on millions of machines. But TrapDoor represents an evolution: it is the first major cross-ecosystem campaign to weaponize AI coding assistants as an attack vector.
The attack uses ecosystem-specific execution paths that fire during routine developer workflows.
npm packages use postinstall hooks that execute automatically during npm install. The shared payload, a 1,149-line file called trap-core.js, scans the local filesystem for SSH keys, AWS credentials, GitHub tokens, browser data, and crypto wallet extension data from MetaMask, Phantom, and other wallets. Unlike typical credential stealers, TrapDoor validates harvested credentials against live APIs before exfiltrating them, improving the attacker's signal-to-noise ratio.
PyPI packages execute on import, downloading a JavaScript payload from a GitHub Pages domain controlled by the attacker. This cross-language technique allows the attacker to update the payload remotely without republishing the Python package.
Crates.io packages embed malicious build.rs scripts that fire during cargo build, targeting Sui and Move developer keystores specifically. Stolen data is encrypted with a hardcoded XOR key and exfiltrated to GitHub Gists.
If you installed any package from the list below, rotate all credentials immediately and move crypto funds to a new wallet. Compromised keys can be exploited long after the malicious package is removed.
The packages masquerade as legitimate developer utilities. Names like solidity-deploy-guard, defi-threat-scanner, and wallet-security-checker are designed to appeal directly to security-conscious crypto developers.
npm (21 packages): async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader
PyPI (7 packages): cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard
Crates.io (6 packages): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils
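
Checking a project's manifests against the three lists above, as an added example that is not part of the original article. The function names are illustrative, and the Cargo.toml reader is a simplified line parser, not a full TOML implementation.

```python
import json
import re

# Names copied from the lists above, keyed by ecosystem.
TRAPDOOR = {
    "npm": "async-pipeline-builder build-scripts-utils chain-key-validator "
           "crypto-credential-scanner defi-env-auditor defi-threat-scanner "
           "deployment-key-auditor dev-env-bootstrapper eth-wallet-sentinel "
           "llm-context-compressor mnemonic-safety-check model-switch-router "
           "node-setup-helpers project-init-tools prompt-engineering-toolkit "
           "solidity-deploy-guard token-usage-tracker wallet-backup-verifier "
           "wallet-security-checker web3-secrets-detector workspace-config-loader",
    "pypi": "cryptowallet-safety data-pipeline-check defi-risk-scanner env-loader-cli "
            "eth-security-auditor git-config-sync solidity-build-guard",
    "crates": "move-analyzer-build move-compiler-tools move-project-builder "
              "sui-framework-helpers sui-move-build-helper sui-sdk-build-utils",
}

def npm_deps(text):
    doc = json.loads(text)
    keys = ("dependencies", "devDependencies", "optionalDependencies")
    return {name for k in keys for name in doc.get(k, {})}

def pypi_deps(text):
    # Leading name of each requirement line, normalised per PEP 503.
    lines = (l.split("#")[0] for l in text.splitlines())
    hits = (re.match(r"\s*([A-Za-z0-9][\w.-]*)", l) for l in lines)
    return {re.sub(r"[-_.]+", "-", m.group(1)).lower() for m in hits if m}

def crate_deps(text):
    # Keys of every [...dependencies] table, plus [dependencies.<name>] tables.
    names, in_deps = set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_deps = line.endswith("dependencies]")
            names.update(re.findall(r"dependencies\.([\w-]+)\]$", line))
        elif in_deps and (m := re.match(r"([\w-]+)\s*=", line)):
            names.add(m.group(1))
    return names

def audit(kind, text):
    """kind is 'npm', 'pypi' or 'crates'; returns the listed names found in text."""
    parse = {"npm": npm_deps, "pypi": pypi_deps, "crates": crate_deps}[kind]
    return sorted(parse(text) & set(TRAPDOOR[kind].split()))

if __name__ == "__main__":
    # Constructed sample manifest, not taken from a real project.
    sample = "requests==2.32.0\nDefi_Risk.Scanner>=1.0\n"
    print(audit("pypi", sample))
```

Manifests name only direct dependencies, so a lockfile check is still needed to catch transitive installs. Cargo dependencies renamed with `package = "..."` are not resolved by this simplified parser.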
What makes TrapDoor unprecedented is its targeting of AI coding assistants. The malware plants .cursorrules and CLAUDE.md files in project directories - standard configuration files that tools like Claude Code and Cursor read as project context.
Hidden within these files are instructions encoded using zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF). These characters are invisible in text editors, IDEs, and even GitHub's code review interface. A developer reviewing the file sees only normal project documentation.
The hidden instructions direct the AI assistant to run a "mandatory security scan" whenever the developer asks for coding help. This "scan" is actually a credential extraction pipeline that ships environment variables, SSH keys, and wallet data to the attacker's infrastructure.
The attackers also submitted pull requests to major open-source AI projects including browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands. Each PR carried a benign title like "docs: add .cursorrules with dev standards" while embedding the campaign marker P-2024-001. If merged, every developer who opened these repositories with an AI coding tool would become a target.
This represents a paradigm shift. Previous supply chain attacks targeted the code execution pipeline. TrapDoor targets the human-AI interaction layer - an attack surface that traditional dependency scanning tools cannot detect.
Beyond the initial credential theft, TrapDoor establishes seven persistence mechanisms on compromised machines:
.cursorrules and CLAUDE.md files
.bashrc, .zshrc)
authorized_keys modifications
The lateral movement capability is particularly concerning. A single compromised developer machine can cascade into CI/CD infrastructure, deployment servers, and colleague workstations through reused SSH keys.
The implications for DeFi protocol security extend far beyond individual developers. A compromised developer machine provides access to deployer private keys, admin multisig keys, CI/CD pipeline secrets, bridge validator keys, and oracle signing keys.
Recent incidents validate this threat model. The Resolv exploit in March 2026 ($23 million lost) stemmed from off-chain infrastructure failure, not smart contract bugs. The Drift incident in April 2026 ($285 million) combined social engineering with legitimate admin access. These attacks began outside the blockchain - exactly where TrapDoor operates.
Security researchers estimate that a TrapDoor-style compromise reaching deployer keys at a mid-to-large DeFi protocol could result in $100 million to $300 million in losses.
Socket detected TrapDoor with a median detection time of 5 minutes and 27 seconds, with the fastest catch at just 58 seconds after publication. The attacker operated from GitHub account ddjidd564 and npm account asdxzxc, using a GitHub Pages domain for payload hosting.
Standard tools like npm audit, pip-audit, and cargo audit cannot detect the AI poisoning vector. The malicious "instructions" are natural language hidden in Unicode, not executable code in the conventional sense.
Audit dependencies. Search your package.json, requirements.txt, and Cargo.toml for any of the 34 listed packages.
Rotate all credentials from any potentially affected machine: SSH keys, AWS access keys, GitHub tokens, and wallet private keys. Move crypto funds to a fresh wallet immediately if keys were stored on the machine.
Check for persistence. Inspect .cursorrules and CLAUDE.md files for zero-width Unicode characters using cat -v or a hex editor. Review Git hooks in .git/hooks/, cron jobs, systemd services, and shell profiles for suspicious additions.
Disable automatic script execution in CI/CD: use npm ci --ignore-scripts and pip install --no-build-isolation.
Deploy dependency scanning tools that perform behavioral analysis, not just CVE matching. Version-control .cursorrules and CLAUDE.md files so changes appear in diffs. Add pre-commit hooks that check for zero-width Unicode characters in configuration files. Use hardware wallets for all deployment keys and enforce multisig for admin functions.
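
A check for the four zero-width code points named earlier, usable as the pre-commit hook suggested above. This is an added example, not code from the original article or from any tool it mentions; `find_hidden` and `scan_files` are illustrative names.

```python
import re
import sys

# The four code points named in the article.
HIDDEN = re.compile("[\u200b\u200c\u200d\ufeff]+")

def find_hidden(text):
    """Return (line, column, run_length, code_points) for each zero-width run."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HIDDEN.finditer(line):
            # A lone U+FEFF opening the file is a byte-order mark, not a payload.
            if lineno == 1 and m.start() == 0 and m.group() == "\ufeff":
                continue
            points = sorted({f"U+{ord(c):04X}" for c in m.group()})
            findings.append((lineno, m.start() + 1, len(m.group()), points))
    return findings

def scan_files(paths):
    """Print one finding per run and return how many runs were found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, col, length, points in find_hidden(fh.read()):
                print(f"{path}:{line}:{col}: {length} hidden char(s) {' '.join(points)}")
                total += 1
    return total

if __name__ == "__main__":
    if sys.argv[1:]:
        # Pre-commit use: pass .cursorrules / CLAUDE.md paths; non-zero exit blocks the commit.
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    # Constructed sample; the zero-width characters here encode nothing.
    sample = "# Project rules\nUse 4-space indents.\u200b\u200c\u200d\u200b Keep tests green.\n"
    print(find_hidden(sample))
```

A single U+200D inside an emoji sequence or a U+200C in Persian or Indic text is legitimate, which is why the run length is reported: long runs in a rules file are the ones to investigate.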
TrapDoor marks a turning point in supply chain security. The event-stream attack targeted one package in one ecosystem. TrapDoor coordinates across three ecosystems simultaneously, validates credentials before exfiltration, establishes multiple persistence mechanisms, moves laterally through networks, and poisons AI coding assistants - tools that are rapidly becoming standard in every developer's workflow.
As AI assistants become more deeply integrated into development processes, the attack surface they create will only grow. The invisible Unicode trick works because AI tools process the full text content of configuration files. Until AI assistant frameworks implement content sanitization for hidden characters, this vector remains open.
For crypto developers, the message is clear: your development environment is now a primary attack surface. Treat developer machine security with the same rigor as smart contract audits.