A supply-chain campaign targeting blockchain and AI developers disguised credential-stealing malware as routine developer utilities — and added a twist that has no known precedent in crypto security: it attempted to weaponize AI coding assistants against the developers using them.
Security firm Socket disclosed the campaign, named TrapDoor, on the morning of Thursday, May 29, 2026 — published at 8:19 a.m. ET and updated at 9:15 a.m. ET. Researchers identified more than 34 malicious packages and hundreds of related versions and artifacts spread across three of the most widely used open-source registries: npm, PyPI, and Crates.io. Socket reported the packages to the affected registries, which classified and removed them. At the time of disclosure, Socket had not identified confirmed victims or stolen funds.
What developers installed
The packages were designed to be boring. Names like wallet-security-checker, defi-risk-scanner, solidity-build-guard, move-compiler-tools, and llm-context-compressor read like the small utilities a crypto or AI developer might pull in without scrutiny — the kind of tooling that fills out a build environment.
Once installed, the payloads did considerably more. On npm, malicious postinstall hooks ran code that scanned the developer's machine for private keys, passwords, GitHub tokens, and cloud credentials including AWS keys. The malware also tested stolen credentials live — not just collecting them but checking whether they worked — and left behind persistence files to maintain access after the initial infection. SSH keys, which grant access to servers and code repositories far beyond the compromised laptop, were also in scope.
Python packages on PyPI executed remote JavaScript on import. Rust packages on Crates.io used malicious build.rs scripts that ran during compilation, specifically targeting developers building for Sui and Move — the smart contract environments for the Sui and Aptos blockchains. The multi-language, multi-registry approach expanded the attack surface to most of the toolchain a modern blockchain developer touches.
The AI poisoning vector
The part of TrapDoor with no clear precedent is what Socket called an AI poisoning component. Developers using AI coding tools like Cursor and Claude typically create project-level configuration files — .cursorrules and CLAUDE.md — that give the AI assistant standing instructions for the project: what patterns to follow, what to watch out for, how to generate code.
The TrapDoor attackers planted hidden instructions inside these configuration files using zero-width Unicode characters — characters invisible in normal text rendering but machine-readable. The hidden instructions, Socket said, were designed to make future AI coding assistant sessions run fake "security scans" that collected and exfiltrated secrets from the developer's environment.
The implication: a developer could install a package, see nothing wrong, remove it after finding out it was flagged, and still have a poisoned .cursorrules or CLAUDE.md sitting in their project directory — waiting for the next time they open their AI assistant. The package install becomes a delivery mechanism for a secondary payload that persists in the development environment rather than the system itself.
The attacker extended this tactic beyond malicious packages. Socket warned that the campaign also included pull requests submitted to legitimate open-source AI and developer projects, attempting to introduce .cursorrules and CLAUDE.md files through normal contribution workflows. A developer reviewing a pull request would see what looks like an AI configuration file addition — a common and benign change — and potentially merge poisoned instructions into a project used by many others downstream.
Who the target is
Socket's framing in its disclosure was direct: this is not a campaign targeting retail users. Supply-chain attacks through developer registries reach the people who have wallet files, production SSH keys, GitHub tokens, cloud infrastructure credentials, and browser data on the same machine they use to build tools. In the crypto context, that means the people most likely to have access to protocol treasuries, smart contract deployer keys, and fund custodian infrastructure — not traders managing retail positions.
Solana, Sui, and Aptos developers were specifically in scope. The presence of Rust packages using Sui and Move-specific build tooling suggests the attacker had working knowledge of these ecosystems and their development environments. Solana, Sui, and Aptos collectively represent a significant share of non-Ethereum smart contract development activity.
What to do now
The packages have been removed from npm, PyPI, and Crates.io following Socket's reports to the registries. Developers who installed any of the named packages — or similar utilities they do not distinctly remember adding — should treat their credentials as potentially compromised: rotate private keys, revoke and regenerate GitHub tokens, cycle AWS access keys, and audit SSH authorized keys on servers those machines accessed.
The less visible threat is the configuration files. Developers using Cursor, Claude, or other AI coding tools that read project-level configuration should audit .cursorrules and CLAUDE.md files in their repositories for zero-width Unicode characters. These can be detected by searching file contents for the Unicode code points U+200B through U+200D, U+2060, and U+FEFF, characters that render as nothing but parse as content. Any configuration file received through a pull request from an unverified contributor warrants additional scrutiny.
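One way to run the audit described above, as an added example that is not code from Socket's disclosure or from this article. The `.git` skip, the exemption for a byte-order mark at the very start of a file, and the sample text are assumptions made here.

```python
import os
import sys
import unicodedata

# Code points the article lists: U+200B through U+200D, U+2060, U+FEFF.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
# File names the article names; add others your assistant reads (assumption).
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}
# Constructed sample: a rules line with two hidden characters after "the".
SAMPLE = "Prefer small functions.\nRun the\u200b\u200d linter before commit.\n"


def find_zero_width(text):
    """Return (line, column, 'U+XXXX', name) for each zero-width character."""
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) not in ZERO_WIDTH:
                continue
            # A U+FEFF as the first character of a file is a byte-order mark.
            if ord(ch) == 0xFEFF and (line_no, col) == (1, 1):
                continue
            hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits


def visible(text):
    """Render zero-width characters as <U+XXXX> so a reviewer can see them."""
    return "".join(f"<U+{ord(c):04X}>" if ord(c) in ZERO_WIDTH else c for c in text)


def scan_tree(root):
    """Walk root; return {path: hits} for assistant config files with findings."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if name in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_zero_width(fh.read())
                if hits:
                    findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, col, cp, name in hits:
            print(f"{path}:{line_no}:{col}: {cp} {name}")
```

Passing a flagged line through `visible()` shows where the hidden characters sit, which helps when reviewing a pull request that adds one of these files.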
The TrapDoor campaign is not the first crypto supply-chain attack and will not be the last. It is, to date, the first documented case of attackers attempting to turn AI coding assistants into persistent exfiltration agents — a technique that will likely outlast this particular campaign now that it is public.