TrapDoor: 34 Malicious Packages Weaponize Your AI Coding Assistant to Steal Crypto Wallets and Cloud Keys
On May 22, 2026, at 20:20 UTC, a PyPI package named eth-security-auditor version 0.1.0 went live. It was the first observed artifact of an active, cross-ecosystem credential theft campaign that Socket is tracking as TrapDoor. By the time researchers published, the campaign spanned 34 malicious packages and more than 384 versions and artifacts across npm, PyPI, and Crates.io, with the attacker repeatedly pushing fresh releases as older ones were taken down.
What Happened in the Wild
TrapDoor masquerades as the exact tooling its target audience installs without a second thought: crypto security auditors, DeFi risk scanners, environment loaders, build helpers, and AI development utilities. The package names are chosen to read as trustworthy. On PyPI the campaign included names like eth-security-auditor, defi-risk-scanner, cryptowallet-safety, and env-loader-cli. On npm it shipped names like eth-wallet-sentinel, web3-secrets-detector, wallet-backup-verifier, and AI-themed lures such as prompt-engineering-toolkit, llm-context-compressor, and model-switch-router. On Crates.io it targeted the Sui and Move ecosystems with names like move-project-builder and sui-sdk-build-utils. The Hacker News and Cybersecurity News corroborated the count of 34 packages and 384+ versions across all three registries.
The execution trigger is ecosystem-specific, which is what makes the campaign hard to reason about with a single mental model. In npm, the payload fires from a postinstall hook. In Python, it runs at import time. In Rust, it executes through build.rs during the build. Socket also documented ecosystem-specific obfuscation, including XOR encryption with a hardcoded key in the Crates.io payloads and Fernet and ECDH cryptography in the npm payload.
Once it runs, the payload harvests cryptocurrency wallet keys and seed phrases, SSH private keys, cloud provider credentials including AWS keys and GitHub tokens, browser-stored secrets, and .env files, then exfiltrates everything to attacker-controlled infrastructure. There is no CVE for this campaign. There is no NVD entry. The only record is the published research and the registry advisories.
.cursorrules and CLAUDE.md, embedding hidden instructions using zero-width Unicode characters. The goal is to trick an AI coding assistant into performing credential discovery and exfiltration on the developer's behalf, framed as if it were a routine security scan.
Why Teams Routinely Miss This Class of Risk
Most exposure programs are still wired to a CVE feed. A scanner matches installed packages against a known vulnerability database, and if there is a match it raises a finding. TrapDoor produces zero matches in that model because there is no CVE to match against. Your software composition analysis tool can run cleanly while a build runner is shipping your AWS keys to an attacker endpoint.
The AI assistant poisoning angle widens the gap further. Security teams reason about dependencies, lockfiles, and install scripts. Very few teams treat .cursorrules or CLAUDE.md as part of the attack surface, yet these files now sit inside the trust boundary of tools that can read source, run commands, and touch credentials. A zero-width Unicode payload in one of those files is invisible in a normal editor view and is not something a CVE scanner was ever designed to detect.
There is also a speed problem. Socket measured a median detection time of roughly five and a half minutes from publication, with the fastest detection under a minute, yet the attacker kept republishing. A team that pulls dependencies on a continuous integration runner can install a malicious version inside that window before any takedown lands. Install-time execution means the damage is done before a human ever reviews the dependency.
Prioritizing TrapDoor With TRIS
CVSS does not apply here. No CVE means no CVSS vector and no severity number to sort by. This is exactly the gap that TRIS, CVEasy AI's Threat and Risk Intelligence Scoring engine, is built to close. TRIS weighs multiple intelligence layers independently of CVE database coverage. Three of those layers drive TrapDoor to the top of the queue.
Active exploitation. Confirmed and ongoing. Multiple independent research teams documented live malicious packages still being republished at the time of reporting. This is not theoretical.
Blast radius. The payload targets cloud credentials, GitHub tokens, SSH keys, and crypto wallet material. A single compromised continuous integration runner with cloud IAM access or a secrets manager token is a direct lateral movement path into production. The AI assistant poisoning extends the blast radius to the developer's local environment and any credential the assistant can reach.
Real exposure beyond raw severity. A developer laptop that installed one package is serious. A pipeline runner with cloud keys, code signing material, or registry publish rights is critical. TRIS separates these tiers using your actual package inventory and environment context, rather than treating every install as equal.
Remediation Steps
1. Audit your manifests immediately. Search package.json, package-lock.json, requirements.txt, poetry.lock, and Cargo.toml across every repository and developer machine for any of the campaign package names. Remove any match and treat the host as compromised until proven otherwise.
2. Inspect AI assistant config files for hidden content. Open .cursorrules and CLAUDE.md files in a viewer that reveals zero-width and non-printing Unicode characters. Any unexpected instruction text, especially content framed as a security scan or credential discovery task, indicates tampering. Restore these files from a known clean source.
3. Rotate every credential the affected environment could reach. Do not wait for confirmed exfiltration evidence. If a package installed, the payload ran. Rotate AWS, GCP, and Azure keys, GitHub and GitLab tokens, SSH private keys, secrets manager and Vault tokens, and any cryptocurrency wallet keys or seed phrases that were present on the host.
4. Audit pipeline logs from May 22, 2026 onward. Review continuous integration and build logs for installs of the named packages and for unusual outbound network connections from runner processes. Cloud flow logs and SIEM detections on outbound data from build infrastructure are your primary signal sources.
5. Pin dependencies and harden install. Pin critical dependencies to verified versions or commit references, disable install scripts where your workflow allows it, and monitor npm, PyPI, and Crates.io advisories for additional packages, since the campaign was still active at the time of reporting. See The Block for ecosystem context across Aptos, Sui, and Solana.
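Steps 1 and 2, and the earlier point that a zero-width payload is invisible in a normal editor, can be checked mechanically across a checkout. The Python below is an added example, not code from Socket or CVEasy AI: it matches only the package names quoted on this page (the full set is in the registry advisories), and it flags every Unicode format character (category Cf), which goes beyond zero-width characters to include bidi controls and tag characters. All function names are assumptions of this example.

```python
import re
import sys
import unicodedata
from pathlib import Path

# Only the campaign names quoted on this page; extend from registry advisories.
CAMPAIGN = {
    "eth-security-auditor", "defi-risk-scanner", "cryptowallet-safety",
    "env-loader-cli", "eth-wallet-sentinel", "web3-secrets-detector",
    "wallet-backup-verifier", "prompt-engineering-toolkit",
    "llm-context-compressor", "model-switch-router",
    "move-project-builder", "sui-sdk-build-utils",
}
MANIFESTS = {"package.json", "package-lock.json", "requirements.txt",
             "poetry.lock", "Cargo.toml"}
AI_CONFIGS = {".cursorrules", "CLAUDE.md"}
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def norm(name):
    # PyPI treats "-", "_" and "." as equivalent; Cargo treats "-" and "_" alike.
    return re.sub(r"[-_.]+", "-", name).lower().strip("-")

def manifest_hits(text):
    """Campaign names that appear as whole tokens in a manifest or lockfile."""
    return sorted({norm(t) for t in TOKEN.findall(text)} & CAMPAIGN)

def hidden_chars(text):
    """(line, column, name) of each invisible format character (category Cf)."""
    return [(ln, col, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1)
            if unicodedata.category(ch) == "Cf"]

def audit(root):
    """Walk a checkout; return (path, kind, detail) findings for steps 1 and 2."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name not in MANIFESTS | AI_CONFIGS:
            continue
        # utf-8-sig drops a leading BOM so it is not reported as a hidden char
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        if path.name in MANIFESTS:
            findings += [(str(path), "package", n) for n in manifest_hits(text)]
        else:
            findings += [(str(path), "hidden-char", h) for h in hidden_chars(text)]
    return findings

if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

A zero-width joiner inside an emoji sequence is a legitimate Cf hit, so review hidden-char findings by position before restoring the file. Any package finding moves the host straight to step 3.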
How CVEasy AI Surfaces and Ranks This
No CVE means no NVD trigger, and no NVD trigger means silence from any tool that depends on CVE feed ingestion. CVEasy AI, the number one local-first CTEM platform, ingests threat intelligence well beyond NVD, including package ecosystem compromise feeds and confirmed exploitation reports from research teams such as Socket. When a campaign like TrapDoor is confirmed, CVEasy AI matches the malicious package names against your environment's installed inventory and scores the exposure with TRIS the moment the intelligence lands, without waiting for a CVE number that may never be assigned.
If your inventory includes any affected package, TRIS flags it at the highest priority tier and generates a remediation workflow built for this attack class: manifest cleanup, AI assistant config inspection, and credential rotation, rather than a version bump that does not exist. Local-first architecture matters here because your package inventories, lockfiles, and pipeline metadata never leave your hardware. TrapDoor is a clean illustration of the core thesis: the most dangerous supply chain attacks are the ones that never get a number, and a CVE-only program will never see them.
Sources: Socket, The Hacker News, Cybersecurity News, The Block, GBHackers