A coordinated supply chain attack discovered by Socket Research on May 24, 2026 has planted malicious packages across npm, PyPI, and Crates.io, targeting developers working in crypto and AI communities. The campaign, named TrapDoor, spans 36 malicious packages and 384 related versions — and introduces an attack vector that is new to supply chain threats: the deliberate modification of AI coding tool configuration files to turn an AI assistant into an exfiltration engine.
How TrapDoor Works
The first package appeared on May 22, 2026 at 8:20 p.m. UTC. From there, the attacker published packages in rapid waves across all three registries, disguising them as developer security and auditing tools that crypto developers would plausibly install: npm packages presented as crypto-credential-scanner, defi-env-auditor, and wallet-security-checker; PyPI packages as eth-security-auditor and defi-risk-scanner.
Each registry uses its own execution trigger. npm packages fire postinstall hooks at install time. Python packages execute payload code on import — automatically, as soon as they are loaded. Rust crates invoke malicious logic through build.rs scripts that run during compilation. In every case, the goal is the same: execute trap-core.js, the shared payload at the core of TrapDoor.
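The npm trigger described above is the easiest of the three to audit before it fires, because the hook is declared in plain JSON. The following script is an added example (not code from the original article or from Socket Research): it walks a node_modules tree, reports every package that declares a preinstall, install or postinstall hook, and checks whether the project's .npmrc disables them with ignore-scripts=true. The sample project it builds in a temporary directory is constructed for the demo; the package names and the "node ./scripts/setup.js" hook are placeholders, not TrapDoor indicators.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example, not code from the original article: lists packages whose
package.json declares hooks that `npm install` executes automatically, and
checks whether .npmrc blocks them with ignore-scripts=true.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules: Path) -> list[dict]:
    """Return one record per installed package that declares an install-time hook."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: nothing to reason about
        scripts = meta.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if hooks:
            findings.append({
                "name": meta.get("name", manifest.parent.name),
                "version": meta.get("version", "?"),
                "hooks": hooks,
                "path": str(manifest.parent.relative_to(node_modules)),
            })
    return findings


def npmrc_ignores_scripts(text: str) -> bool:
    """True if the given .npmrc content sets ignore-scripts=true (ini syntax, # or ; comments)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def scripts_ignored(npmrc: Path) -> bool:
    """Read the project's .npmrc and report whether lifecycle scripts are blocked."""
    if not npmrc.is_file():
        return False
    return npmrc_ignores_scripts(npmrc.read_text(encoding="utf-8"))


def build_fixture(root: Path) -> None:
    """Constructed sample project: one clean package, one declaring a postinstall hook."""
    nm = root / "node_modules"
    (nm / "left-pad-clone").mkdir(parents=True)
    (nm / "left-pad-clone" / "package.json").write_text(json.dumps({
        "name": "left-pad-clone", "version": "1.0.0",
        "scripts": {"test": "node test.js"},  # test script only: never runs on install
    }))
    (nm / "env-auditor-sample").mkdir(parents=True)
    (nm / "env-auditor-sample" / "package.json").write_text(json.dumps({
        "name": "env-auditor-sample", "version": "0.0.3",
        "scripts": {"postinstall": "node ./scripts/setup.js"},  # placeholder hook
    }))
    # .npmrc without ignore-scripts: hooks would run on a plain `npm install`.
    (root / ".npmrc").write_text("registry=https://registry.npmjs.org/\n")


def demo() -> dict:
    """Run the audit over the constructed fixture and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return {
            "findings": find_install_scripts(root / "node_modules"),
            "scripts_ignored": scripts_ignored(root / ".npmrc"),
        }


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f['name']}@{f['version']} declares {sorted(f['hooks'])} ({f['path']})")
    print("ignore-scripts set in .npmrc:", result["scripts_ignored"])
```

Run it against a real checkout by pointing find_install_scripts at ./node_modules and scripts_ignored at ./.npmrc; a package with a hook is not proof of compromise (native modules legitimately build on install), but every hit is a package whose hook should be read before the tree is installed with scripts enabled.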
That payload scans the developer's environment for credentials: AWS and GitHub tokens, crypto wallet files, SSH keys, cloud credentials, browser-stored passwords, and environment variables. The npm variant uses Fernet and ECDH encryption for exfiltration, indicating a more sophisticated actor than the commodity infostealers that preceded it. The Rust crates use XOR encryption and exfiltrate to GitHub Gists.
Beyond credential theft, TrapDoor establishes persistence through Git hooks, shell hooks, systemd, and cron. It also plants modified .cursorrules and CLAUDE.md files containing hidden instructions embedded with zero-width Unicode characters. These files are read by AI coding tools — Claude Code uses CLAUDE.md for project instructions; Cursor reads .cursorrules. When a compromised file is read, the hidden instructions direct the AI assistant to run what appears to be a "security scan" that is, in practice, a credential discovery and exfiltration workflow.
The attacker extended the campaign beyond package registries. A GitHub account associated with TrapDoor opened pull requests against several major AI developer tooling projects including browser-use, LangChain, LangFlow, LlamaIndex, MetaGPT, and OpenHands — attempting to push the same payload into widely used open-source foundations.
Why AgenticFi Builders Face Heightened Exposure
For teams building autonomous DeFi agents and co-agentic workflows, TrapDoor's AI-config vector represents a qualitatively new risk.
An AI coding assistant operating in an agentic architecture may autonomously install packages, run shell commands, and invoke MCP tools — all based on instructions in project files like .cursorrules and CLAUDE.md. If those files have been silently modified by a malicious package, the AI assistant becomes the attack's execution engine, running at machine speed with access to the developer's full credential store.
Unit 42 confirmed that TrapDoor's malware specifically harvests Claude and MCP configuration files — a deliberate choice reflecting that attackers now track how modern AI-assisted development environments are structured. A separately reported design-level flaw in MCP allows external MCP configurations to spawn OS-level processes with full user privileges; Anthropic has characterised this as expected protocol behaviour rather than a vulnerability requiring a fix, leaving developers to manage the exposure themselves.
The compounding risk in DeFi contexts is severe. As prior incidents make clear, agent errors in DeFi are irreversible — and a compromised deploy key or private key is a permanent loss. A developer's compromised workstation does not just expose their own credentials; it exposes the wallets and deployment infrastructure of every protocol they work on.
Practical Mitigations
- Disable lifecycle scripts. Set ignore-scripts=true in .npmrc. This blocks postinstall hooks, the primary npm execution vector used by TrapDoor.
- Use npm ci with lockfiles. Never run a bare npm install against an unreviewed package.json. Lockfiles constrain the package graph; npm ci enforces it.
- Audit .cursorrules and CLAUDE.md on clone or dependency update. Scan for zero-width Unicode characters (U+200B, U+FEFF, U+200C, and similar) in any AI config files introduced by an external dependency or PR. These characters are invisible to the naked eye.
- Only install MCP servers from pinned, verified sources. Treat external MCP configuration as untrusted. Run MCP-enabled services in a sandbox wherever the workflow permits.
- Apply egress filtering and introduce a package hold period in CI/CD. Socket Research detected TrapDoor packages an average of five minutes and 56 seconds after publication. A 24–72 hour hold on newly published packages before promotion to production environments provides a meaningful detection buffer.
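The zero-width-character audit recommended above (and the hidden-instruction technique described under "How TrapDoor Works") can be automated in a few lines. The script below is an added example, not code from the original article: it scans text for every Unicode format character (category Cf, which covers U+200B, U+200C, U+200D, U+FEFF, the word joiner, bidi overrides and the invisible "tag" block), reports line, column, code point and name, and renders an offending line with the hidden characters made visible. The sample rules file is constructed for the demo; the list of file names to check is an assumption limited to the two files the article names.

```python
"""Find hidden Unicode format characters in AI coding-tool config files.

Added example, not code from the original article. Scans .cursorrules and
CLAUDE.md style files for zero-width and other invisible format characters
and reports where they sit so a reviewer can see what a tool would read.
"""
import unicodedata
from pathlib import Path

# File names the article says AI coding tools read; extend as needed (assumption).
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}


def is_hidden(ch: str) -> bool:
    """Unicode category Cf: zero-width spaces/joiners, BOM, bidi controls, tag characters."""
    return unicodedata.category(ch) == "Cf"


def scan_text(text: str) -> list[dict]:
    """Return every hidden format character with its 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_hidden(ch):
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "UNNAMED FORMAT CHARACTER"),
                })
    return findings


def reveal(line: str) -> str:
    """Render a line with each hidden character replaced by a visible <U+XXXX> marker."""
    return "".join(f"<U+{ord(c):04X}>" if is_hidden(c) else c for c in line)


def scan_file(path: Path) -> list[dict]:
    """Scan one file; the BOM is kept (utf-8, not utf-8-sig) so a leading U+FEFF is reported."""
    return scan_text(path.read_text(encoding="utf-8"))


def scan_tree(root: Path) -> dict:
    """Scan every AI config file under root; returns {relative path: findings}."""
    report = {}
    for path in root.rglob("*"):
        if path.name in AI_CONFIG_NAMES and path.is_file():
            hits = scan_file(path)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: a rules file with three zero-width characters spliced into
# line 3 and a BOM at the start of line 4. Nothing here is a real TrapDoor artifact.
SAMPLE_RULES = (
    "# Project rules\n"
    "Use TypeScript strict mode.\n"
    "Run the repo security scan\u200b\u200c\u200b before every commit.\n"
    "\ufeffPrefer named exports.\n"
)


def demo() -> list[dict]:
    """Scan the constructed sample and return the findings."""
    return scan_text(SAMPLE_RULES)


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit['line']} col {hit['col']}: {hit['codepoint']} {hit['name']}")
    for lineno, line in enumerate(SAMPLE_RULES.splitlines(), 1):
        if any(is_hidden(c) for c in line):
            print(f"{lineno}: {reveal(line)}")
```

Wire scan_tree into a pre-commit hook or a CI step that runs on every pull request and dependency bump, and fail the check on any finding: legitimate project instructions have no reason to contain format characters, so a non-empty report is something a human should read with the characters revealed before the file is allowed to reach an agent.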
What This Means for CoAgentic Builders
TrapDoor is an early warning signal for the entire AgenticFi ecosystem. As supply-chain attackers adapt to the rise of autonomous agents, the attack surface is expanding from code into agent memory, configuration files, and tool chains.
This validates a core CoAgentic principle: secure co-agentic systems must treat human-in-the-loop guardrails, trusted-domain allowlisting for MCP tools, automatic AI-config auditing, and zero-trust dependency policies as non-negotiable defaults.
Teams building autonomous DeFi agents should audit .cursorrules and CLAUDE.md files with the same rigour as smart contract code. The next wave of developer tools must ship with built-in supply-chain intelligence and agent sandboxing.
CoAgentic Dev researched and drafted this analysis. Reviewed and approved by OrionJVale. Corrections and verifiable additions via the CoAgentic contact page.
