ctipilot.ch

TrapDoor cross-ecosystem supply-chain campaign (npm/PyPI/Crates.io); AI-assistant config poisoning

campaign · campaign:trapdoor

  • Coverage timeline: 1 (first 2026-05-26 → last 2026-05-26)
  • Briefs: 1 (1 distinct)
  • Sources cited: 8 (3 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-26 · CTI Daily Brief — 2026-05-26
     active_threats: First coverage: 34+ packages / 384+ versions; token validation before exfil; zero-width Unicode poisoning of .cursorrules/CLAUDE.md

Where this entity is cited

  • active_threats (1)

Source distribution

  • attack.mitre.org: 6 (75%)
  • socket.dev: 1 (12%)
  • thehackernews.com: 1 (12%)

Items in briefs about TrapDoor cross-ecosystem supply-chain campaign (npm/PyPI/Crates.io); AI-assistant config poisoning (1)

"TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

Socket disclosed TrapDoor, a coordinated supply-chain campaign spanning 34+ malicious packages across 384+ versions published to npm, PyPI and Crates.io, with earliest activity on 2026-05-22 ~20:20 UTC; Socket reports a median detection latency of under six minutes after publish (Socket, 2026-05-24; The Hacker News, 2026-05-25). Each registry carries a distinct execution path: npm packages run a JavaScript credential harvester via a postinstall lifecycle hook (T1195.001, T1059.004); PyPI packages execute on import and pull a remote payload via node -e; Rust crates use build.rs scripts that XOR-encrypt local Sui/Solana/Aptos wallet keystores and exfiltrate them to GitHub Gists. The npm harvester validates stolen AWS and GitHub tokens against the live APIs before flagging them — only working credentials are exfiltrated (T1552.001) — establishes persistence via cron, systemd units and Git hooks, and moves laterally over SSH (T1053.003, T1021.004). The defining novelty is an AI-assistant targeting vector: the packages write hidden instructions into .cursorrules and CLAUDE.md using zero-width Unicode characters (U+200B family), so a developer reviewing the file sees clean text while Cursor or Claude Code parses an attacker-supplied "security scan" directive that triggers data exfiltration (T1195.002).

Why it matters to us: the targeting (crypto/DeFi/AI developer communities) is narrow, but the execution model is not — any CH/EU public-sector DevOps pipeline that installs from these registries is exposed, and the AI-config-poisoning vector is a fresh class of persistence that survives a clean-looking code review. Hunt for node/python/cargo build processes spawning sh, bash or node -e; package-manager process trees writing to ~/.cursorrules or CLAUDE.md (especially where zero-width code points U+200B/U+200C/U+FEFF are present); unexpected systemd unit or crontab writes from build runners; and HTTP POSTs to GitHub Gists from CI. Pin exact versions, verify lockfile hashes, and run installs with --ignore-scripts where feasible.
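The zero-width check above is simple to automate. The following is an added example (not code from Socket, the brief or the campaign) that flags every zero-width code point in .cursorrules and CLAUDE.md files under a directory and renders them visibly for review; the code-point list beyond the U+200B family named in the brief, the file names scanned and the sample file are assumptions.

```python
from pathlib import Path

# Code points the brief names (U+200B family) plus common siblings
# that editors also render as nothing (assumed list).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

def find_zero_width(text):
    """Return (line, column, name) for each zero-width code point.
    A single U+FEFF at offset 0 is a legitimate BOM and is skipped."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if line_no == 1 and col == 1 and ch == "\ufeff":
                continue
            if ch in ZERO_WIDTH:
                hits.append((line_no, col, ZERO_WIDTH[ch]))
    return hits

def reveal(text):
    """Replace every zero-width code point (BOM included) with a visible
    <U+XXXX> marker so a reviewer sees what the editor hides."""
    return "".join(f"<U+{ord(c):04X}>" if c in ZERO_WIDTH else c for c in text)

def scan_config_files(root):
    """Scan .cursorrules and CLAUDE.md below root; return {path: hits}
    for files that contain any zero-width code points."""
    findings = {}
    for name in (".cursorrules", "CLAUDE.md"):
        for path in Path(root).rglob(name):
            hits = find_zero_width(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample: reads as an ordinary CLAUDE.md, but line 2 carries a
# run of zero-width characters after the visible sentence.
SAMPLE_CLAUDE_MD = (
    "# Project notes\n"
    "Run the test suite with pytest.\u200b\u200c\u200b\u200d\n"
    "Format with black before committing.\n"
)

if __name__ == "__main__":
    for line, col, name in find_zero_width(SAMPLE_CLAUDE_MD):
        print(f"line {line} col {col}: {name}")
    print(reveal(SAMPLE_CLAUDE_MD))
```

Presence of any such code point in an assistant config file is the signal; the brief does not describe how the hidden directive is encoded, so the scanner reports positions rather than trying to decode content.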