thecybersecguru.com via Reddit

TrapDoor poisons npm, PyPI with AI config file attack

Tags: anthropic, cursor, cybersecurity, coding tools, open source, supply-chain, ai-coding

Key insights

  • TrapDoor is the first campaign to compromise npm, PyPI, and Crates.io simultaneously, targeting 34 packages across the three registries.
  • Hidden Unicode in CLAUDE.md and .cursorrules files lets attackers redirect AI assistant behavior invisibly, with developers seeing no abnormal output.
  • LangChain, LlamaIndex, and MetaGPT repositories were targeted via pull requests, exposing any developer whose AI agent processed those PRs.

Why this matters

AI coding assistant configuration files, widely trusted and rarely audited, are now an active attack surface: any developer using Cursor or Claude Code on a compromised repo may have silently executed credential-harvesting commands. The cross-registry scope forces security teams to monitor npm, PyPI, and Crates.io simultaneously rather than treating them as separate threat domains. For AI-native development teams, this invalidates the assumption that CLAUDE.md and .cursorrules are inert config, requiring integrity verification on any file that shapes agent behavior.

Summary

TrapDoor has compromised 34 packages across npm, PyPI, and Crates.io in the first coordinated attack to hit all three major registries at once. Hidden Unicode characters injected into .cursorrules and CLAUDE.md config files silently redirect AI coding tools like Cursor and Claude Code to run credential-harvesting commands, while developers see normal output. Major AI framework repositories (LangChain, LlamaIndex, MetaGPT) were also targeted via pull requests seeding malicious AI governance files, extending the blast radius beyond direct package installs.

  • 21 npm packages, 7 PyPI, 6 Crates.io affected, discovered May 22
  • Injected Unicode is invisible to standard code review and most security scanners
  • Any developer whose AI agent processed the poisoned PRs is potentially compromised

AI coding assistant configuration files are now a confirmed attack vector, not just the packages those assistants help install.

Potential risks and opportunities

Risks

  • Developers at firms using LangChain, LlamaIndex, or MetaGPT who processed the poisoned PRs before May 22 may have had credentials silently harvested with no visible indicator of compromise
  • Enterprise security teams relying on AI coding assistants face an immediate audit burden across all .cursorrules and CLAUDE.md files in active repositories, with no established tooling to automate Unicode-injection detection
  • npm, PyPI, and Crates.io maintainers face customer pressure to ship Unicode-injection scanning infrastructure within 30 to 60 days, a non-trivial change that smaller registries like Crates.io are least equipped to absorb quickly
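The summary above describes hidden Unicode in CLAUDE.md and .cursorrules files, and the risk list notes that there is no established tooling to detect it. As an added example (not code from the article, from TrapDoor, or from any vendor named here), the following Python scanner flags invisible or direction-altering code points in agent config files and recovers text hidden in Unicode "tag" characters. The code-point ranges, the sample file, and the hidden payload are constructed assumptions; the article does not state which characters the campaign used.

```python
import unicodedata
from dataclasses import dataclass
from typing import List

# Assumed ranges of code points that render as nothing or silently reorder text.
# Any other character in Unicode category Cf (format) is flagged as well.
SUSPICIOUS_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM, RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides (LRE..RLO)
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors (category Mn, so listed explicitly)
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # tag characters: an invisible mirror of ASCII
]


@dataclass
class Finding:
    line: int
    col: int
    codepoint: int
    name: str


def is_suspicious(cp: int) -> bool:
    """True if the code point is invisible, reorders text, or is otherwise a format control."""
    if any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES):
        return True
    return unicodedata.category(chr(cp)) == "Cf"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per suspicious character, with 1-based line and column."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_suspicious(cp):
                findings.append(Finding(lineno, col, cp, unicodedata.name(ch, "UNKNOWN")))
    return findings


def decode_tag_chars(text: str) -> str:
    """Recover the ASCII text carried by a run of tag characters (U+E0020..U+E007E)."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def scan_file(path: str) -> List[Finding]:
    """Scan a config file on disk; undecodable bytes are preserved rather than dropped."""
    with open(path, encoding="utf-8", errors="surrogateescape") as f:
        return scan_text(f.read())


# Constructed sample CLAUDE.md: two clean lines, one line carrying a payload encoded
# as tag characters, and one line with a right-to-left override.
HIDDEN_PAYLOAD = "hidden instruction"
SAMPLE_CLAUDE_MD = (
    "# Project conventions\n"
    "Always run the test suite before committing.\n"
    "Use 4-space indentation." + "".join(chr(0xE0000 + ord(c)) for c in HIDDEN_PAYLOAD) + "\n"
    "Prefer pytest\u202e over unittest\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CLAUDE_MD):
        print(f"line {f.line} col {f.col}: U+{f.codepoint:04X} {f.name}")
    print("recovered:", repr(decode_tag_chars(SAMPLE_CLAUDE_MD)))
```

Run against the sample, the scanner reports eighteen tag characters on line 3 (one per character of the hidden payload) and one RIGHT-TO-LEFT OVERRIDE on line 4, neither of which a rendered diff would show. Pointing scan_file at every CLAUDE.md and .cursorrules in a repository, for example from a pre-commit hook or a CI step that fails on any finding, gives the integrity check the article says is now required for files that shape agent behavior.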

Opportunities

  • Supply-chain security vendors including Chainguard, Socket.dev, and Snyk are positioned to offer AI config file integrity checks and Unicode-injection scanning as a new product line with immediate demand
  • Anthropic and Cursor can differentiate their coding assistants by shipping cryptographically verified or sandboxed config file handling before competitors respond to the TrapDoor disclosure
  • Enterprise security consultancies such as Trail of Bits and NCC Group can establish AI configuration audits as a billable service line targeting development teams already running coding assistants in production

What we don't know yet

  • Whether Anthropic, Cursor, or the three affected registries have published package blocklists or signed config file requirements as of May 24
  • Attribution behind TrapDoor remains unconfirmed, with no threat actor group or nation-state affiliation identified in public reporting
  • How many developers pulled affected packages or had AI agents process the malicious PRs before discovery on May 22, and whether any credential exfiltration has been confirmed