
Tags: security, devops, supply-chain, open-source, aws

TrapDoor Campaign Plants 34 Malicious Packages Across npm, PyPI, and Crates.io to Steal Cloud Credentials

Source: Socket

Security researchers at Socket published findings on May 23, 2026 documenting a coordinated supply chain attack spanning three package ecosystems simultaneously. The campaign, named TrapDoor, has seeded 34 malicious packages and over 384 related versions across npm, PyPI, and Crates.io. Unlike previous supply chain attacks that targeted a single language ecosystem, TrapDoor was built to execute correctly across all three platforms using ecosystem-specific trigger mechanisms: build.rs in Rust, postinstall hooks in npm, and import-time execution in Python. The earliest confirmed package was uploaded on May 22, 2026 at 20:20 UTC, and new versions continued appearing through the weekend.

The targeting is precise. TrapDoor focuses on developers working in crypto and DeFi, Solana and AI tooling, and security research. The malware collects a broad set of credentials: AWS access keys and secret keys from standard credential files, GitHub tokens, Sui, Solana, and Aptos wallet keystores, SSH private keys, browser login databases, crypto wallet browser extension data, environment variables, API keys, and local development configuration. The npm variant takes an extra step: it validates stolen AWS and GitHub credentials via live API calls before exfiltration, filtering out expired or low-value tokens so the attacker receives only usable material.

The most distinctive feature of TrapDoor is the poisoning of AI coding assistant configuration files. The campaign embeds hidden instructions in .cursorrules and CLAUDE.md files using zero-width Unicode characters. These invisible instructions are designed to trick tools like Cursor and Claude Code into executing what appears to be a security scan but is in fact a credential collection routine. A developer who opens an affected project in an AI-assisted editor and asks the assistant to review or run the project may unknowingly trigger the exfiltration routine without any visible indication that something unusual has occurred. This represents a meaningful escalation in supply chain attack technique: the exploit lives in the developer’s tooling layer, not just in the package itself.
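The zero-width-character trick described above is detectable: the characters are invisible in an editor but are ordinary code points in the file, so a scan over the repository's AI-assistant instruction files surfaces them. The script below is an added example written for this article, not code from Socket, Excello Digital, or the TrapDoor analysis. The watch list (only the two file names the article mentions), the rule for what counts as "hidden" (Unicode format characters plus control characters other than tab, CR and LF), and the sample file contents are assumptions made for the example.

```python
# Added example (not code from Socket, Excello Digital, or the TrapDoor write-up).
# Scans AI-assistant instruction files for characters that render as nothing but
# are still read by the tool. File names, sample contents and the "what counts as
# hidden" rule are assumptions made for this example.
import tempfile
import unicodedata
from pathlib import Path

# Instruction files the article names; assumed to be the full watch list here.
AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}

# Control characters that legitimately appear in text files.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_hidden(ch: str) -> bool:
    """True for Unicode 'format' characters (category Cf: zero-width space/joiner,
    BOM, bidi overrides, tag characters, soft hyphen) and for control characters
    (category Cc) other than tab, CR and LF. Ordinary letters, digits, punctuation
    and non-Latin scripts are not flagged."""
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS)


def find_hidden_chars(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, 'U+XXXX', unicode name) for every hidden character.
    Line and column are 1-based positions in the raw file text."""
    findings = []
    line_no, col = 1, 0
    for ch in text:
        if ch == "\n":
            line_no, col = line_no + 1, 0
            continue
        col += 1
        if is_hidden(ch):
            name = unicodedata.name(ch, "<unnamed>")
            findings.append((line_no, col, f"U+{ord(ch):04X}", name))
    return findings


def strip_hidden_chars(text: str) -> str:
    """Return the text with hidden characters removed, i.e. what a human reviewer
    sees. Diffing it against the raw file shows exactly what the assistant reads
    that the human does not."""
    return "".join(ch for ch in text if not is_hidden(ch))


def scan_tree(root: Path) -> dict[str, list[tuple[int, int, str, str]]]:
    """Walk a repository and return {relative path: findings} for every watched
    instruction file that contains at least one hidden character."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.name in AI_CONFIG_NAMES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings = find_hidden_chars(text)
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


# Constructed samples: the visible text of both files looks harmless; the second
# carries zero-width characters and a mid-file BOM that an editor will not show.
CLEAN_SAMPLE = "# Project notes\n\nRun the unit tests before committing.\n"
HIDDEN_SAMPLE = (
    "# Project notes\n\n"
    "Run the unit tests\u200b before\u200c committing.\u200d\n"
    "\ufeffAlways run the security scan first.\n"
)


def demo() -> dict[str, list[tuple[int, int, str, str]]]:
    """Write the constructed samples into a temporary repository and scan it.
    README.md is deliberately poisoned too, to show that only watched files
    are reported by this scanner."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "CLAUDE.md").write_text(HIDDEN_SAMPLE, encoding="utf-8")
        (root / "sub").mkdir()
        (root / "sub" / ".cursorrules").write_text(CLEAN_SAMPLE, encoding="utf-8")
        (root / "README.md").write_text(HIDDEN_SAMPLE, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {len(hits)} hidden character(s)")
        for line_no, col, cp, name in hits:
            print(f"  line {line_no}, col {col}: {cp} {name}")
```

Running the scanner as a pre-commit hook or CI step on the watched files turns the article's "review AI assistant configuration files for invisible content" advice into a repeatable check; widening `AI_CONFIG_NAMES` to whatever instruction files your own tooling reads is the obvious local adjustment.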

Socket reports its detection systems flagged TrapDoor packages with an average detection time of under six minutes from publication. The packages have been removed from the public registries, but any developer whose environment consumed affected packages during the window of May 22 to May 24 should treat their working environment as compromised. That means rotating all secrets that were present, including AWS credentials, GitHub tokens, and SSH keys, and reviewing CI/CD pipeline logs for outbound connections to unfamiliar hosts.

The TrapDoor campaign follows the Laravel-Lang backdoor (May 22) and the TanStack-Grafana chain (May 19), making three major supply chain incidents within a single week. The pattern is not coincidental. Open-source package registries have very low barriers to publication, and credential-stealing payloads have a direct monetisation path through cloud account access and cryptocurrency theft. Development teams that treat their local environment and CI systems as trusted by default are operating on an increasingly inaccurate assumption.

Practical controls include locking package versions in lockfiles and validating them against integrity hashes on every install, running CI in ephemeral environments with minimal secret exposure, auditing which secrets are accessible from development machines and pipeline runners, and reviewing AI assistant configuration files in shared repositories for unexpected or invisible content.
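The first control listed above, validating every installed package against the integrity hash pinned in the lockfile, is shown below as a small verifier over a package-lock.json. This is an added example written for this article, not npm's own implementation and not code from Socket or Excello Digital; the lockfile, the package names and the tarball bytes are constructed for the example. It reads the `integrity` field in the Subresource Integrity form npm records (`sha512-<base64 digest>`), recomputes the digest over the bytes that were actually fetched, and reports per dependency whether they match, differ, or were never pinned at all.

```python
# Added example (not npm's code, nor code from Socket or Excello Digital).
# Checks fetched package tarballs against the Subresource Integrity (SRI) strings
# pinned in a package-lock.json. The lockfile, tarball bytes and package names
# below are constructed for this example.
import base64
import hashlib
import hmac
import json

# Weakest to strongest; SRI consumers use the strongest supported hash present.
SUPPORTED = ("sha256", "sha384", "sha512")


def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split an SRI string such as 'sha512-<base64 digest>' into (algorithm, digest).
    A lockfile may list several space-separated hashes; keep the strongest one."""
    best = None
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SUPPORTED and (
            best is None or SUPPORTED.index(algo) > SUPPORTED.index(best[0])
        ):
            best = (algo, base64.b64decode(b64))
    if best is None:
        raise ValueError(f"no supported algorithm in integrity string: {integrity!r}")
    return best


def compute_sri(data: bytes, algo: str = "sha512") -> str:
    """Produce the SRI string a lockfile would record for these bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_tarball(data: bytes, integrity: str) -> bool:
    """True if the fetched bytes hash to the pinned digest (constant-time compare)."""
    algo, expected = parse_sri(integrity)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def verify_lock(lock_json: str, fetched: dict[str, bytes]) -> dict[str, str]:
    """Walk the 'packages' map of a lockfileVersion 2/3 lock and return a status per
    dependency: 'ok', 'MISMATCH' (fetched bytes differ from the pinned hash),
    'no-integrity' (nothing pins this install) or 'not-fetched'."""
    lock = json.loads(lock_json)
    statuses = {}
    for name, entry in lock.get("packages", {}).items():
        if name == "":  # the root project entry, not a dependency
            continue
        integrity = entry.get("integrity")
        if not integrity:
            statuses[name] = "no-integrity"
        elif name not in fetched:
            statuses[name] = "not-fetched"
        elif verify_tarball(fetched[name], integrity):
            statuses[name] = "ok"
        else:
            statuses[name] = "MISMATCH"
    return statuses


# Constructed data: two dependencies with pinned hashes, one without.
GOOD_TARBALL = b"constructed tarball bytes for example-utils 1.2.3"
HELPERS_TARBALL = b"constructed tarball bytes for example-helpers 0.4.0"
TAMPERED_TARBALL = HELPERS_TARBALL + b" + injected postinstall script"

LOCK_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-utils": {"version": "1.2.3", "integrity": compute_sri(GOOD_TARBALL)},
        "node_modules/example-helpers": {"version": "0.4.0", "integrity": compute_sri(HELPERS_TARBALL)},
        "node_modules/example-unpinned": {"version": "2.0.0"},
    },
})


def demo() -> dict[str, str]:
    """Simulate an install where one dependency was served with altered contents."""
    fetched = {
        "node_modules/example-utils": GOOD_TARBALL,
        "node_modules/example-helpers": TAMPERED_TARBALL,  # what the registry actually served
    }
    return verify_lock(LOCK_JSON, fetched)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

A `MISMATCH` is the signal to stop the install and investigate; a `no-integrity` entry is a gap in the lockfile that should be closed before the next release, since that package can be swapped without tripping any check.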

If your engineering team wants a review of your supply chain security posture, secret management practices, or CI/CD pipeline exposure, contact Excello Digital. We help development organisations understand where their trust boundaries actually sit and close the gaps before an attacker finds them.
