TrapDoor planted 34 malicious packages on npm, PyPI, and Crates.io, and injected poisoned AI config files into repos to weaponize Claude Code and Cursor.
34 malicious packages hit npm, PyPI, and Crates.io simultaneously in the TrapDoor supply-chain attack. Attackers are also injecting poisoned CLAUDE.md and .cursorrules files into popular open-source repos to weaponize AI coding assistants.
Key facts
- 34 malicious packages across npm, PyPI, Crates.io
- Targets crypto, AI, security developers
- Poisoned CLAUDE.md and .cursorrules files
- First known attack weaponizing AI assistants
- Pull requests injected into popular open-source repos
The TrapDoor attack, disclosed by security researcher @kimmonismus, marks the first known coordinated supply-chain attack that weaponizes AI developer tools. The malicious packages target crypto wallet seed phrases, SSH private keys, and cloud credentials from developers in the crypto, AI, and security sectors.
AI config files as attack surface
The novel vector: attackers are submitting pull requests to popular open-source repositories that inject malicious instructions into CLAUDE.md and .cursorrules files. These files are trusted by Claude Code and Cursor respectively as system-level instructions for the AI agent. [According to @kimmonismus] when a developer clones the infected repo and opens it in either tool, the AI agent reads the poisoned config as authoritative and may execute commands that exfiltrate credentials or install backdoors without the developer's awareness.
This is a structural shift from traditional supply-chain attacks, which relied on typosquatting or dependency confusion. Here the attack surface is the AI assistant's trust model — the config files are implicitly trusted because they're part of the project, not because a developer explicitly installed a malicious package.
Broader pattern
The attack follows a pattern observed in recent months. In January 2026, researchers at Socket.dev reported a 340% increase in malicious npm packages targeting AI tooling. What's new is the cross-registry coordination — hitting npm, PyPI, and Crates.io simultaneously — and the AI config file injection, which no prior attack has used at scale.
The 34 packages have been reported to the respective registries, but the pull-request vector is harder to remediate because it exploits the implicit trust model of AI coding assistants. Developers cannot rely on registry takedowns alone; they must audit CLAUDE.md and .cursorrules files in every cloned repo.
What to watch
Watch for registry takedown timelines from npm, PyPI, and Crates.io, and for whether Cursor and Anthropic add warnings when CLAUDE.md or .cursorrules files originate from untrusted repos. Also monitor for copycat attacks using the same config-file vector in the next 30 days.
Originally published on gentic.news
Top comments (0)