
TrapDoor Supply Chain Attack

avoid.net/trapdoor-supply-chain-attack · 0/100 · 92% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·3DCAku…9Pop

Summary

TrapDoor is an active cross-ecosystem software supply chain attack campaign first observed on May 22, 2026, distributing credential-stealing malware across 34+ malicious packages and 384+ artifact versions on npm, PyPI, and Crates.io. The campaign targets crypto, DeFi, Solana, and AI developers to steal cryptocurrency wallet keystores, SSH keys, AWS credentials, GitHub tokens, and browser secrets. A novel component of the campaign plants hidden instructions inside .cursorrules and CLAUDE.md files — using zero-width Unicode steganography — to manipulate AI coding assistants such as Cursor and Claude Code into performing covert data exfiltration routines disguised as security scans.
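The summary describes hidden instructions planted in .cursorrules and CLAUDE.md files with zero-width Unicode steganography. The following Python scanner is an added example, not code from the page or from any vendor named in it: it walks a text file line by line, flags every run of invisible format-class characters (Unicode category Cf, which covers the zero-width joiners and spaces, word joiner, BOM, bidi overrides and the U+E0000 tag block), reports where each run sits, and can strip them for remediation. The sample .cursorrules content is constructed; the page does not state which encoding the campaign used, so the scanner detects and locates hidden runs rather than trying to decode them.

```python
"""Flag invisible (zero-width / format-class) characters hidden in AI
assistant config files such as .cursorrules and CLAUDE.md.

Added example for this page; the sample text below is constructed."""
import sys
import unicodedata
from dataclasses import dataclass, field


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing in most editors.

    Unicode category Cf ("format") covers U+200B..U+200F, U+2060..U+2064,
    U+FEFF, U+00AD, the bidi overrides U+202A..U+202E and the tag block
    U+E0000..U+E007F. Ordinary whitespace (Cc/Zs) is deliberately not flagged."""
    return unicodedata.category(ch) == "Cf"


@dataclass
class HiddenRun:
    line: int        # 1-based line number
    column: int      # 1-based column of the first hidden character
    chars: str       # the hidden characters themselves
    names: list = field(init=False)

    def __post_init__(self) -> None:
        self.names = [unicodedata.name(c, f"U+{ord(c):04X}") for c in self.chars]


def find_hidden_runs(text: str) -> list:
    """Return every maximal run of invisible characters, with its position.

    Steganographic payloads are encoded as sequences of invisible characters,
    so grouping them into runs gives an analyst the payload boundaries."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if is_invisible(line[i]):
                j = i
                while j < len(line) and is_invisible(line[j]):
                    j += 1
                runs.append(HiddenRun(lineno, i + 1, line[i:j]))
                i = j
            else:
                i += 1
    return runs


def strip_hidden(text: str) -> str:
    """Remediation helper: drop every invisible character from the text."""
    return "".join(c for c in text if not is_invisible(c))


def report(runs: list) -> str:
    """Human-readable findings, one line per hidden run."""
    if not runs:
        return "no invisible characters found"
    lines = []
    for r in runs:
        lines.append(
            f"line {r.line} col {r.column}: {len(r.chars)} hidden char(s) "
            f"[{', '.join(r.names[:4])}{', ...' if len(r.names) > 4 else ''}]"
        )
    return "\n".join(lines)


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_runs(fh.read())


# Constructed sample: a plausible .cursorrules with two hidden runs, one of
# zero-width space/joiner characters and one of U+E0000-block tag characters.
SAMPLE_CURSORRULES = (
    "# Project rules\n"
    "Always run the linter before committing.\u200b\u200c\u200c\u200b\u200d\n"
    "Prefer async APIs.\n"
    "Keep secrets out of logs.\U000E0041\U000E0042\n"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("scanning constructed sample .cursorrules")
        print(report(find_hidden_runs(SAMPLE_CURSORRULES)))
    for path in targets:
        print(f"== {path}")
        print(report(scan_file(path)))
```

Run it with no arguments to see the two constructed findings, or pass file paths (for example every .cursorrules and CLAUDE.md in a checkout) to scan real content. A run of category-Cf characters in a plain-text rules file has no legitimate purpose, so any finding is worth a manual look before the file is merged or loaded by an assistant.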

Connected Entities

1 entity · 2 linked investigations
Organizations
TrapDoor Supply Chain Attack
Relationships

    Timeline (7 events)

    2026-05-19

    Alleged earliest campaign activity based on artifact analysis, predating the first widely-reported date by three days.

    Socket research blog

    2026-05-22

    First confirmed malicious package published: eth-security-auditor@0.1.0 on PyPI at 20:20:18 UTC. Coordinated wave publications begin across npm, PyPI, and Crates.io.

    Socket research blog

    2026-05-22

    Attacker GitHub account ddjidd564 opens pull requests against browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands, submitting poisoned .cursorrules and CLAUDE.md files under the guise of documentation PRs.

    Phoenix Security research

    2026-05-22

    Socket detects campaign with median automated detection time of 5 minutes 56 seconds across 381 package versions; fastest single detection: 58 seconds post-publication.

    Socket research blog

    2026-05-25

    CryptoTimes and other outlets publish public reporting on the TrapDoor campaign. Total scope confirmed at 34+ packages and 384+ versions across three registries.

    CryptoTimes

    2026-05-25

    The Hacker News and CyberSecurityNews publish detailed technical breakdowns of the cross-ecosystem campaign, including the AI assistant poisoning component.

    The Hacker News

    2026-05-26

    Campaign reported as still active. No registry-level takedown confirmations or law enforcement actions publicly announced.

    Multiple security outlets

    Provenance & Audit Trail

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-sonnet-4-6

    generated: 5/26/2026, 6:30:15 PM

    last updated: 5/26/2026, 6:30:19 PM

    avoid.net — verified advice for a post-truth world