TrapDoor poisons npm, PyPI with AI config file attack
Key insights
- Socket.dev identified 36 malicious packages spread across npm, PyPI, and Crates.io in a single coordinated TrapDoor campaign.
- Crypto, DeFi, AI tooling, and security developers are the specifically named target communities, not general software teams.
- Hidden Unicode characters in .cursorrules and CLAUDE.md instruct AI agents to run credential-harvesting commands without user prompts.
Why this matters
Socket.dev confirmed 36 malicious packages distributed across npm, PyPI, and Crates.io in a single coordinated campaign, with crypto, DeFi, AI, and security developers as the named target communities. The attack embeds hidden Unicode characters inside .cursorrules and CLAUDE.md files, turning AI coding assistant configuration into a silent credential-harvesting layer that executes during normal repository processing. Any team relying on Cursor or Claude Code that ingests third-party packages is exposed to an attack surface that traditional dependency scanners are not designed to inspect. The Pentagon's concurrent designation of Anthropic as a supply chain risk, alongside White House approval for Claude use at the NSA, means institutional confidence in AI tooling is being tested at exactly the moment package-level threats targeting those same tools are confirmed at scale.
Summary
TrapDoor has compromised 34 packages across npm, PyPI, and Crates.io in the first coordinated attack to hit all three major registries at once.
Hidden Unicode characters injected into .cursorrules and CLAUDE.md config files silently redirect AI coding tools like Cursor and Claude Code to run credential-harvesting commands, while developers see normal output.
AI framework repositories (LangChain, LlamaIndex, MetaGPT) were also targeted via pull requests seeding malicious AI governance files, extending the blast radius beyond direct package installs.
- 21 npm packages, 7 PyPI, 6 Crates.io affected, discovered May 22
- Injected Unicode is invisible to standard code review and most security scanners
- Any developer whose AI agent processed the poisoned PRs is potentially compromised
AI coding assistant configuration files are now a confirmed attack vector, not just the packages those assistants help install.
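The detection gap described above (invisible Unicode that survives code review and most scanners) is easy to close with a purpose-built check. The scanner below is an added example written for this summary, not tooling from Socket.dev, Anthropic, Cursor or the registries; it assumes the file names .cursorrules and CLAUDE.md named on the page, and the sample CLAUDE.md fragment it scans is constructed for the example, not material recovered from the TrapDoor packages. It flags format, control, private-use and unassigned code points, names the common zero-width and bidi characters explicitly, and recovers any ASCII hidden via the Unicode Tags block so an auditor can see what a model would have read.

```python
import sys
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# AI-assistant config files named on the page; extend for other agent rule files.
TARGET_NAMES = {".cursorrules", "CLAUDE.md"}

# Hand-labelled characters that render as nothing in an editor or diff view.
# Anything else in a suspicious Unicode category is still flagged generically.
SUSPICIOUS = {
    "\u00ad": "SOFT HYPHEN",
    "\u180e": "MONGOLIAN VOWEL SEPARATOR",
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
TAG_LO, TAG_HI = 0xE0000, 0xE007F  # Unicode "Tags" block; U+E0020..E007E mirror ASCII 0x20..0x7E
ALLOWED_CONTROLS = {"\t", "\n", "\r"}
FLAGGED_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zl", "Zp"}


@dataclass
class Finding:
    line: int
    col: int
    codepoint: str
    kind: str


def classify(ch: str):
    """Return a label if the character is invisible/suspicious, else None."""
    if ch in ALLOWED_CONTROLS:
        return None
    cp = ord(ch)
    if ch in SUSPICIOUS:
        return SUSPICIOUS[ch]
    if ch in BIDI_CONTROLS:
        return "BIDI CONTROL"
    if TAG_LO <= cp <= TAG_HI:
        return "TAG CHARACTER"
    cat = unicodedata.category(ch)
    return f"CATEGORY {cat}" if cat in FLAGGED_CATEGORIES else None


def scan_text(text: str) -> list:
    """Locate every suspicious code point; split on '\\n' only so U+2028/U+2029 are not swallowed."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind:
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}", kind))
    return findings


def decode_tags(text: str) -> str:
    """Recover ASCII text smuggled via the Tags block so an auditor can read it."""
    return "".join(chr(ord(ch) - TAG_LO) for ch in text if TAG_LO + 0x20 <= ord(ch) <= TAG_LO + 0x7E)


def scan_repo(root: Path) -> dict:
    """Walk a checkout and scan every .cursorrules / CLAUDE.md found; returns {path: findings}."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.name in TARGET_NAMES:
            results[path] = scan_text(path.read_text(encoding="utf-8", errors="replace"))
    return results


# Constructed sample CLAUDE.md fragment (test input made up for this example): line 2 carries the
# string "Hi" encoded as Tags-block characters, line 3 ends with a zero width space.
SAMPLE = (
    "# Project rules\n"
    "Always run the test suite before committing.\U000E0048\U000E0069\n"
    "Prefer small commits.\u200b\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_repo(Path(sys.argv[1])).items():
            for f in findings:
                print(f"{path}:{f.line}:{f.col} {f.codepoint} {f.kind}")
    else:
        for f in scan_text(SAMPLE):
            print(f"SAMPLE:{f.line}:{f.col} {f.codepoint} {f.kind}")
        print("hidden tag text:", repr(decode_tags(SAMPLE)))
```

Run it with a repository path to audit every .cursorrules and CLAUDE.md in the checkout, or with no arguments to see the constructed sample flagged. A zero-finding policy is reasonable for these files: legitimate rule files are plain prose and have no need for format or bidi characters, so any hit is worth a human look before an agent is allowed to read the file.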
Potential risks and opportunities
Risks
- Developers at firms using LangChain, LlamaIndex, or MetaGPT who processed the poisoned PRs before May 22 may have had credentials silently harvested with no visible indicator of compromise
- Enterprise security teams relying on AI coding assistants face an immediate audit burden across all .cursorrules and CLAUDE.md files in active repositories, with no established tooling to automate Unicode-injection detection
- npm, PyPI, and Crates.io maintainers face customer pressure to ship Unicode-injection scanning infrastructure within 30 to 60 days, a non-trivial change that smaller registries like Crates.io are least equipped to absorb quickly
Opportunities
- Supply-chain security vendors including Chainguard, Socket.dev, and Snyk are positioned to offer AI config file integrity checks and Unicode-injection scanning as a new product line with immediate demand
- Anthropic and Cursor can differentiate their coding assistants by shipping cryptographically verified or sandboxed config file handling before competitors respond to the TrapDoor disclosure
- Enterprise security consultancies such as Trail of Bits and NCC Group can establish AI configuration audits as a billable service line targeting development teams already running coding assistants in production
What we don't know yet
- Whether Anthropic, Cursor, or the three affected registries have published package blocklists or signed config file requirements as of May 24
- Attribution behind TrapDoor remains unconfirmed, with no threat actor group or nation-state affiliation identified in public reporting
- How many developers pulled affected packages or had AI agents process the malicious PRs before discovery on May 22, and whether any credential exfiltration has been confirmed
What others are reporting
- socket.dev
Socket.dev is the primary investigative source, supplying the 36-package count and naming the four targeted developer communities absent from the secondary coverage.
TrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers.
Originally reported by thecybersecguru.com
Original headline: TrapDoor Supply-Chain Attack Targets npm, PyPI, and Crates.io With Novel AI-Assistant Poisoning — Hidden Unicode Injected Into .cursorrules and CLAUDE.md Config Files