The Attack That Targets the Assistant, Not the Developer
Previous supply chain attacks hid malicious code where developers wouldn't look — postinstall scripts, obfuscated payloads, typosquatted package names. TrapDoor does something different. It plants .cursorrules and CLAUDE.md configuration files whose instructions are hidden in zero-width Unicode characters. The malicious content is invisible to human eyes. But when a developer opens the project in Cursor or Claude Code, the AI assistant reads these configuration files and follows what appear to be legitimate project-level instructions.
The injected instructions tell the assistant to run a 'security scan' — a plausible-sounding task that the developer would not question. The scan exfiltrates local environment variables, SSH keys, API tokens, and cloud credentials. The developer sees their AI assistant doing something helpful. The assistant sees itself following project configuration. Neither realizes the configuration was planted by an attacker.
Three Ecosystems, Three Execution Paths
TrapDoor is the first confirmed supply chain campaign to weaponize all three major package ecosystems simultaneously, with execution paths tailored to each runtime. npm packages use postinstall hooks. PyPI packages fetch a remote JavaScript payload at import time. Crates.io packages use malicious build.rs scripts. Each path is tuned to the conventions and trust model of its ecosystem.
The cross-ecosystem approach is significant. Previous campaigns — including the Shai-Hulud worm family that WebPulse has tracked — typically started in one ecosystem and spread to others over days or weeks. TrapDoor launched across all three simultaneously. The attackers understood the package registration, naming, and trust conventions of npm, PyPI, and Crates.io well enough to exploit all three on day one.
Why AI Assistant Targeting Changes the Calculus
The Hades variant of Shai-Hulud used prompt injection to confuse AI security scanners — malware attacking the tools that detect malware. TrapDoor inverts this: malware weaponizing the tools developers trust to write code. The attack surface has shifted from 'developer reads malicious code and doesn't notice' to 'AI assistant reads malicious configuration and executes it.'
This matters because AI coding assistants operate with the developer's full local permissions. They can read files, execute commands, access environment variables, and make network requests. A .cursorrules file that instructs the assistant to 'run a security audit' can trigger arbitrary command execution with the developer's credentials — and the developer may approve it because it sounds like a reasonable thing for a security-aware project to configure.
The zero-width Unicode technique makes the hidden instructions invisible in standard text editors and code review tools. A developer reviewing a .cursorrules file sees legitimate-looking project configuration. The hidden payload sits in zero-width Unicode characters interleaved with the visible text — ingested by the LLM along with everything else in the file, but rendered as nothing for a human reader.
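As an added example (not code from the TrapDoor report or from any assistant vendor), the following Python check scans an AI-assistant rules file for invisible code points and reports each by line and column, the way a pre-commit hook or CI step would. It goes slightly beyond the article by also covering the Unicode tag block, another invisible carrier for ASCII text, and decoding it for triage; the sample rules text is constructed.

```python
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing in editors and diff viewers yet reach the
# model intact: zero-width space/joiners, word joiner, invisible operators,
# soft hyphen, and the bidi controls that can also reorder displayed text.
INVISIBLE = {
    0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0x2064,
    0xFEFF, 0x00AD, 0x180E,
    0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069,
}
# Unicode tag block: invisible copies of ASCII, a carrier for whole sentences.
TAG_START, TAG_END = 0xE0000, 0xE007F


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return cp in INVISIBLE or TAG_START <= cp <= TAG_END


def find_hidden(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX NAME') for every invisible code point."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return hits


def decode_tags(text: str) -> str:
    """Recover ASCII smuggled as tag characters, for triage of a flagged file."""
    return "".join(chr(ord(c) - TAG_START) for c in text
                   if TAG_START + 0x20 <= ord(c) <= TAG_START + 0x7E)


# Constructed sample: a plausible rules file with three zero-width characters
# appended to the second line; an editor shows nothing unusual.
SAMPLE = ("# Project rules\n"
          "Use TypeScript strict mode.\u200b\u200c\u200d\n"
          "Run the linter before commit.\n")

if __name__ == "__main__":  # usage: python scan_rules.py .cursorrules CLAUDE.md
    for p in sys.argv[1:]:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        for lineno, col, what in find_hidden(text):
            print(f"{p}:{lineno}:{col}: {what}")
```

A non-empty result should fail the commit or build; the reported code point names tell the reviewer whether they are looking at a stray BOM or a deliberate payload.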
The 2026 Supply Chain Escalation
Phoenix Security's malware corpus documents 59 supply chain campaigns and 657 malicious package indicators across npm, PyPI, VS Code extensions, and AI agent tooling from June 2024 through June 2026. The first half of 2026 alone produced 4.5 times the malicious package volume of all 2025 — driven by self-propagating worms, AI assistant configuration poisoning, and compiled Rust implants with eBPF rootkits.
The escalation path is clear: 2024 was typosquatting. 2025 was dependency confusion and lifecycle script exploitation. 2026 is AI-assisted exfiltration and cross-ecosystem coordination. Each generation targets a higher-trust component of the developer workflow. TrapDoor targets the highest-trust component of all — the AI assistant that developers are increasingly relying on to review the very code that's attacking them.
Framework Exposure
Every framework ecosystem with a package manager is exposed. But the exposure varies with supply chain depth. A WordPress site with 27 plugins pulls from the WordPress.org directory — no .cursorrules files, but also no lockfiles, no SRI hashes, and no audit trail for ownership transfers. A Next.js project with 200+ npm dependencies has a deeper supply chain but better tooling to detect compromises.
The frameworks with the smallest exposure remain the ones with the smallest supply chains. Hugo is a single Go binary — no npm packages, no PyPI dependencies, no configuration files for AI assistants to misread. Astro ships minimal dependencies with lockfile integrity checks. The lesson repeats: the attack surface that doesn't exist can't be exploited, whether the attacker is human, worm, or adversarial prompt.