The TrapDoor Campaign Turns Three Registries Into a Unified Kill Chain
The TrapDoor campaign weaponized npm, PyPI, and Crates.io in a single coordinated push, extending into AI assistant config files via zero-width Unicode injection. The attack surface has moved from artifacts to runtime evaluation and prompt context—and defensive tooling is behind.
On May 22, 2026, at 8:20 p.m. UTC, researchers tracked the debut of the TrapDoor campaign—a coordinated compromise of 34 packages across npm, PyPI, and Crates.io. The operation shipped 384 unique versions designed to bypass standard linting, persist via native build hooks, and extract cryptocurrency wallet keys, SSH certificates, and AWS environment variables. Socket intercepted the initial wave with a median detection window of 5 minutes and 27 seconds, halting distribution before widespread adoption.
Dependency management just became a unified kill chain.
The Registry Kill Chain
TrapDoor abandons monolithic malware drops in favor of registry-native execution paths tailored to each language runtime. On npm, attackers attach payloads to postinstall lifecycle events. Once triggered, the installer executes a 1,149-line shared module called trap-core.js. Rather than relying on fragile reverse shells, the payload establishes persistence through systemd unit files, crontab entries, Git commit hooks, and shell profile modifications. It then routes harvested credentials through Fernet symmetric encryption and Elliptic Curve Diffie-Hellman key exchange, validating stolen tokens against live REST endpoints before staging exfiltration.
Python runs a lighter footprint. PyPI packages trigger execution immediately on import. The loader pulls a remote JavaScript artifact from ddjidd564.github.io and evaluates it client-side via node -e. That architecture decouples malware behavior from package metadata: developers cannot predict runtime actions by reading setup.py or scanning wheel hashes, because the actual logic lives outside the registry entirely.
Rust gets equivalent treatment through build.rs compilation scripts. During the crate build phase, the script scans the host filesystem for Sui and Move developer keystores. On discovery, it applies XOR obfuscation using the hardcoded key cargo-buildhelper-2026 and pushes the ciphertext to publicly accessible GitHub Gists. The approach requires zero network callbacks until the build finishes, slipping past egress filters that monitor outbound traffic during package resolution.
The AI Configuration Vector
Traditional supply-chain attacks target compiled binaries and runtime libraries. TrapDoor pivots to the human-in-the-loop layer: AI coding assistants. Operators embedded zero-width Unicode characters directly into .cursorrules and CLAUDE.md project configuration files. These invisible glyphs rewrite system prompts, instructing local models to perform credential scraping under the cover of automated security audits.
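The invisible-glyph technique is detectable because every zero-width and bidi control character falls into Unicode category Cf, which has no business in a project rules file. The block below is an added example of a pre-merge check for exactly the files the article names, not the campaign's code or any vendor's product; the rule file contents are constructed samples.

```python
"""Detect and strip invisible Unicode in AI assistant config files.
Flags every Unicode format character (category Cf: zero-width spaces and
joiners, bidi controls, soft hyphens, tag characters) so that instructions a
human reviewer cannot see never reach the model's context. A BOM as the very
first character is tolerated. Sample file contents below are constructed."""
import unicodedata

AI_CONFIG_NAMES = (".cursorrules", "CLAUDE.md")  # files the article names

def hidden_chars(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, character name) for each invisible code point."""
    hits = []
    for i, ch in enumerate(text):
        if i == 0 and ch == "\ufeff":
            continue  # leading BOM is a legitimate editor artefact
        if unicodedata.category(ch) == "Cf":
            line = text.count("\n", 0, i) + 1
            col = i - (text.rfind("\n", 0, i) + 1) + 1
            hits.append((line, col, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits

def strip_hidden(text: str) -> str:
    """Normalization step: drop every format character except a leading BOM."""
    return "".join(ch for i, ch in enumerate(text)
                   if unicodedata.category(ch) != "Cf" or (i == 0 and ch == "\ufeff"))

def review_gate(files: dict[str, str]) -> dict[str, list[str]]:
    """Pre-merge check over {path: content}; returns human-readable findings."""
    findings = {}
    for path, content in files.items():
        if not path.endswith(AI_CONFIG_NAMES):
            continue  # only AI config files are in scope for this gate
        hits = hidden_chars(content)
        if hits:
            findings[path] = [f"line {l} col {c}: {n}" for l, c, n in hits]
    return findings

# Constructed sample: CLAUDE.md is clean; .cursorrules has a zero-width space
# and a word joiner spliced into a rule (invisible in most editors and diffs).
SAMPLE_FILES = {
    "CLAUDE.md": "# Project rules\nRun the linter before committing.\n",
    ".cursorrules": "Always write tests.\nPrefer\u200b small\u2060 functions.\n",
}

if __name__ == "__main__":
    for path, notes in review_gate(SAMPLE_FILES).items():
        print(path, "->", "; ".join(notes))
```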
Distribution relied on social engineering within established repositories. Using the GitHub handle ddjidd564, operators submitted pull requests injecting poisoned configuration files into high-profile AI-native projects including LangChain, MetaGPT, OpenHands, and browser-use. Because these frameworks serve as default scaffolding for thousands of downstream applications, a merged pull request instantly distributes the poisoned context to every fork and clone.
Command-and-control remains anchored to GitHub Pages. Alongside the active configuration payloads, operators maintain an AUDIT-MATRIX.md document outlining a Universal AI Agent Extraction Framework. The playbook maps stealthy credential theft routines onto legitimate developer automation workflows, treating IDE extensions and terminal plugins as trusted execution environments.
The Catch
Static analysis tools and hash-based allowlists fail here because the attack surface shifted from published artifacts to runtime evaluation and contextual prompting. Dynamic payload delegation means malware evolution no longer tracks with package version bumps. A single PyPI import can fetch arbitrary code; a single Rust compile step can sweep local directories; a single npm install can rewrite OS service managers. Signature detection assumes predictable boundaries between package manifests and executable bytecode. Those boundaries dissolved when attackers started embedding logic in lifecycle hooks, remote eval calls, and markdown instructions.
The financial incentive compounds quickly. Validating stolen AWS IAM roles and GitHub PATs against live APIs prioritizes high-leverage accounts, turning low-effort reconnaissance into targeted ransomware or cloud takeover. The same capital inflows funding autonomous code generation are also accelerating verification tooling—see Socket's push into supply-chain security—but defensive tooling currently lags offensive orchestration. Engineering teams inherit a fragmented monitoring posture where npm, PyPI, and Crates.io operate as separate silos despite sharing identical adversary playbooks.
Our read
TrapDoor confirms that AI-assisted development workflows are now a critical attack plane. Enterprises deploying cursor-driven editors or automated refactoring agents must treat .cursorrules and CLAUDE.md files with the same scrutiny applied to Dockerfiles or Makefiles. Expect mandatory Unicode normalization, strict manifest signing, and offline validation gates to harden into compliance controls within twelve months.
Cross-registry coordination also marks the end of isolated dependency monitoring. Defense stacks need synchronized telemetry across package managers, deterministic builds, and tight restrictions on postinstall and build.rs execution in production CI/CD pipelines. Until organizations treat configuration drift and prompt injection as peers to buffer overflows, the gap between shipped features and secure baselines will keep widening. The open question is whether governance layers can ship faster than adversarial automation.
Multi-language dependency ecosystems are converging into a unified supply-chain kill chain that weaponizes build lifecycles and AI configuration files.
The narrative emphasizes that adaptive hybrid threats are already outpacing legacy static analysis and siloed monitoring practices.
Key takeaways
Attackers are abandoning monolithic malware drops in favor of ecosystem-specific lifecycle hooks that execute natively within npm, PyPI, and Crates.io environments.
Static analysis and hash-based allowlists are failing because payloads delegate execution dynamically through build scripts, remote evaluations, and hidden post-install triggers.
AI coding assistants have emerged as a critical attack vector after adversaries poison .cursorrules and CLAUDE.md files via pull requests to widely adopted framework repositories.
Defensive postures must synchronize telemetry across package registries, restrict lifecycle hook execution in production CI/CD, and enforce strict validation of configuration drift.
What to watch next
Industry-wide adoption of Unicode normalization and offline validation gates for project configuration files
Development of cross-registry telemetry standards to track identical adversary playbooks across npm, PyPI, and Crates.io
Integration of dynamic lifecycle-hook scanners into enterprise CI/CD pipelines to catch runtime-evaluated payloads
Who should care
Supply chain engineers, DevOps leads, AI developers, SecOps teams
Key players
Socket, npm, PyPI, Crates.io, GitHub
Auto-generated from the article by our model — a reading aid, not a replacement for the piece.