On May 22, a cluster of accounts published 34 packages across npm, PyPI, and Crates.io: 384 versions in total, pushed in waves within hours.
The credential theft was standard. The part that wasn't: poisoned .cursorrules and CLAUDE.md files containing zero-width Unicode characters. Invisible to text editors. Readable by AI assistants. The hidden instructions told your coding assistant to run a "security scan" that harvested your SSH keys, cloud credentials, and wallet data.
Three registries at once
Each ecosystem got its own execution vector:
- npm (21 packages): postinstall hooks
- PyPI (7 packages): auto-execute on import
- Crates.io (6 packages): build.rs scripts
The names were engineered for AI suggestion: llm-context-compressor, prompt-engineering-toolkit, wallet-security-checker, defi-risk-scanner. Ask an AI assistant for a prompt management library and it might suggest one of these.
What behavioral scoring says
I ran every TrapDoor package through Commit's audit:
| Package | Ecosystem | Score | Downloads | Age |
|---|---|---|---|---|
| llm-context-compressor | npm | 15 | 42/wk | <1yr |
| prompt-engineering-toolkit | npm | 15 | 35/wk | <1yr |
| model-switch-router | npm | 15 | 42/wk | <1yr |
| workspace-config-loader | npm | 15 | 21/wk | <1yr |
| cryptowallet-safety | PyPI | null | 0/wk | <1yr |
| defi-risk-scanner | PyPI | null | 0/wk | <1yr |
Every package: score 15 or null. No longevity. No community. No release history. No GitHub repo.
A behavioral gate set to block HIGH-risk packages would have stopped all 34 on first install. No CVE lookup. No signature matching.
The AI poisoning angle
This is the threat model shift. Traditional supply chain malware runs in postinstall. TrapDoor's secondary payload runs when your AI assistant reads a file.
The zero-width Unicode instructions direct the assistant to scan for git credentials, VS Code settings, environment variables, and SSH keys. Exfiltration goes through raw.githubusercontent.com and GitHub Pages. Your firewall allows those domains.
Your AI assistant does what the hidden text says because it processes every character in its context window, including the ones you can't see.
What to do
Gate your AI's package installs:
npx proof-of-commitment hook
This intercepts every npm install, pip install, cargo add, and go get from Cursor and Claude Code. Packages below the threshold get blocked before they hit your machine.
For stricter blocking (recommended for crypto/AI teams):
COMMIT_HOOK_SEVERITY_BLOCK=HIGH npx proof-of-commitment hook
Check for poisoned config files:
grep -rP '[\x{200B}\x{200C}\x{200D}\x{FEFF}\x{2060}]' .cursorrules CLAUDE.md **/*.mdc 2>/dev/null
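The same check as a small scanner, added here as an example (not the post's or Commit's own code): it reports the line and column of every zero-width character in the files you pass it, skips a legitimate UTF-8 byte-order mark at the very start of a file so that does not count as a hit, and can strip the characters out. The rules-file content in SAMPLE_RULES is constructed for the demonstration.

```python
"""Scan AI-assistant config files for zero-width Unicode characters."""
import sys
from pathlib import Path

# Code points that render as nothing in an editor but are still part of the
# text an AI assistant reads. Same set as the grep pattern above.
ZERO_WIDTH = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}


def find_hidden(text):
    """Return (line, column, codepoint) for every zero-width char in text.

    A single U+FEFF at offset 0 is a byte-order mark written by some editors,
    not a hiding attempt, so it is skipped to avoid a false positive.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp == 0xFEFF and lineno == 1 and col == 1:
                continue
            if cp in ZERO_WIDTH:
                hits.append((lineno, col, cp))
    return hits


def strip_hidden(text):
    """Return text with every zero-width character removed (BOM included)."""
    return "".join(ch for ch in text if ord(ch) not in ZERO_WIDTH)


def scan_file(path):
    """Scan one file, print each hit grep-style, return the list of hits."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = find_hidden(text)
    for lineno, col, cp in hits:
        print(f"{path}:{lineno}:{col}: U+{cp:04X} {ZERO_WIDTH[cp]}")
    return hits


# Constructed sample: looks like one harmless line in an editor, but carries
# four zero-width characters between the two sentences.
SAMPLE_RULES = "Always write tests.\u200b\u200c\u200d\u2060 Prefer TypeScript.\n"

if __name__ == "__main__":
    files = sys.argv[1:] or [".cursorrules", "CLAUDE.md"]
    total = sum(len(scan_file(f)) for f in files if Path(f).exists())
    sys.exit(1 if total else 0)
```

Run it with the files to inspect as arguments; the non-zero exit status makes it usable as a pre-commit or CI gate.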
Audit what's already installed:
npx proof-of-commitment --file package-lock.json
TrapDoor is the fifth major supply chain attack in three months. LiteLLM, axios, Shai-Hulud, Miasma, now this. Each one escalates. The entry point keeps changing. The pattern doesn't: packages with zero behavioral history get installed because nothing checks.