The Attack Surface You Configured Yourself
Supply chain attacks have evolved through three phases. Phase one: compromise the package itself (malicious code in npm install). Phase two: compromise the build pipeline (hijack a GitHub Action). Phase three, arriving now: compromise the AI coding assistant that the developer trusts implicitly. TrapDoor is the first documented campaign that weaponizes this attack surface.
The campaign, tracked by Socket.dev and the Cloud Security Alliance, planted 34 packages across npm, PyPI, and Crates.io — 384 malicious artifact versions since May 19, 2026. The packages perform standard credential theft (SSH keys, AWS credentials, crypto wallets). But the novel payload is what makes TrapDoor significant: it plants .cursorrules and CLAUDE.md files containing zero-width Unicode characters that encode hidden instructions.
How the AI Becomes the Attacker
When a developer opens a project containing a TrapDoor-poisoned dependency, their AI coding assistant — Cursor, Claude Code, or any tool that reads project configuration files — loads the .cursorrules or CLAUDE.md file as trusted project context. The zero-width Unicode characters decode into instructions that direct the AI to perform a "security audit" of the project. The AI, following what it interprets as legitimate project guidelines, executes commands that silently exfiltrate local secrets to an attacker-controlled endpoint.
The developer sees their AI assistant running what appears to be a helpful security scan. They may even approve the action. The trust relationship between developer and AI assistant — the same relationship that makes these tools productive — becomes the attack vector. The AI does not know it is compromised. It is following instructions, as designed.
Deceptive PRs to Major AI Projects
TrapDoor did not rely solely on typosquatting. The campaign submitted deceptive pull requests to LangChain, MetaGPT, and OpenHands — legitimate open-source AI projects. If merged, these PRs would have injected the poisoned configuration files into projects with thousands of active contributors. Each contributor opens the project in their AI-augmented IDE. Each IDE loads the configuration. Each AI follows the instructions.
The execution is tailored per ecosystem: build.rs hooks in Rust (Crates.io), postinstall scripts in npm, and import-time execution in Python. The cross-ecosystem approach means there is no single package registry that can contain the campaign. It exploits the common dependency patterns across all three ecosystems simultaneously.
The Third Attack Surface
WebPulse has documented the evolution of supply chain attacks through 2026: the npm worm wave (30+ campaigns), the Shai-Hulud/Miasma family (471 artifacts), and the Hades prompt injection campaign on PyPI. TrapDoor represents a qualitative shift. Previous attacks compromised code. TrapDoor compromises the developer's AI assistant — a tool that has read access to the entire project, write access to the filesystem, and the developer's implicit trust.
For CISOs evaluating AI coding tool adoption: the question is no longer whether your developers should use AI assistants. It is whether your security posture accounts for the fact that every .cursorrules and CLAUDE.md file in every dependency is now a potential instruction set for an attacker. The AI assistant is the newest, highest-privilege attack surface in the software supply chain.
