What Socket Documented
Socket's writeup describes a coordinated package campaign uploaded in waves from a cluster of accounts beginning on May 22, 2026. The first observed artifact was the PyPI package `eth-security-auditor` version 0.1.0, uploaded at 20:20:18 UTC. Releases continued across npm, PyPI, and Crates.io in close succession. Across the records with complete timestamps, Socket reports a median detection-to-upload window of about five and a half minutes, an indicator both of the platform's response speed and of how fast a campaign of this shape can put many artifacts in front of developers.
The package names are written to fit the audience. Crypto, DeFi, Solana, and AI developer communities are the named targets, and the package identifiers impersonate utilities those communities install. The lure is the dependency itself: a developer who searches for a Solana keystore helper or an EVM security utility installs what looks like the right answer, and the code runs.
Execution is the part of the campaign that makes the coordination obvious. Each ecosystem uses its native pre-trust execution point. Rust packages run code through `build.rs` during compilation, npm packages run `postinstall` hooks during installation, and Python packages execute at `import` time. The payload differs in language and surface, but the timing is identical: code runs the moment the developer brings the package into their workspace.
On npm specifically, Socket documents a shared payload named `trap-core.js`, about 48 kilobytes in size. It targets developer secrets, crypto wallet keystores, SSH keys, cloud credentials, browser data, and environment variables, and exfiltrates them from the workstation. The data set Socket describes is the inventory of a working developer machine, not that of a casual user's machine.
The AI-Assistant Twist
The detail worth lingering on is the part that does not fit the usual supply-chain story. Socket and the follow-up coverage describe TrapDoor packages writing `.cursorrules` and `CLAUDE.md` files into the developer's project tree. Those files are not active code. They are instructions consumed by AI coding assistants to guide how the assistant should behave inside the project: which conventions to follow, which libraries to prefer, which sections of the codebase to treat as authoritative.
The TrapDoor variants documented use zero-width Unicode characters to hide instructions inside those files. A human reviewer opening the rule file sees innocuous prose. The AI assistant consuming the file sees the hidden instructions as part of its working context, and is biased by them when it generates code or suggests fixes.
This is a meaningful expansion of the supply-chain category. A normal malicious dependency runs once at install and steals what it can find. A planted rule file persists in the repository, survives the removal of the malicious package, and influences the assistant's output every time the developer asks for help. If the hidden instructions tell the assistant to use a particular library version, a particular cryptographic configuration, or a particular helper function, the developer can keep adding compromised code into a codebase the attacker no longer needs to be inside.
Why The Pattern Generalizes
The TrapDoor design lets the attacker accept the increasingly fast takedown cadence Socket itself reports. A package observed within minutes and removed shortly after is still useful if the install ran on a single workstation and a rule file landed in a single repository. The dependency's life expectancy is no longer the campaign's life expectancy. The malicious dependency is the carrier; the persistent rule file is the actual implant.
Coordinated cross-ecosystem campaigns also raise the cost of the catalog defense. Many developer organizations rely on a one-registry posture: tightly governed npm dependencies, a Rust dependency review process, and a Python pip workflow that is treated as something interns set up. TrapDoor is indifferent to which registry gets the most attention. The same campaign delivers payloads via all three. A control program that watches one and skims the others has exactly the blind spot the campaign is built to exploit.
The targeting of crypto, DeFi, and AI developer communities is operational, not aesthetic. These are workstations that routinely hold SSH keys with access to production infrastructure, cloud credentials for build pipelines, GitHub tokens for downstream repositories, and wallet keys whose loss is liquid. The campaign's payoff is high per successful infection, which is why an attacker is willing to pay the per-package takedown cost.
What To Add to the Defender Picture
The first addition is a CI step that treats AI rule files as code. `.cursorrules`, `CLAUDE.md`, `.clinerules`, `system.md`, and similar files should be reviewed by humans on the way in, scanned for zero-width Unicode and other steganographic content, and committed only through the same pull-request process used for source code. A repository policy that allows arbitrary edits to those files outside of review is a policy the TrapDoor pattern is built to abuse.
The second is dependency-source hygiene at the workstation level, not only at the build server level. Developer workstations that install crypto utilities, Solana helpers, or AI agent libraries from public registries are exactly the surface this campaign was built for. Lockfile review, package age and reputation checks, and dependency provenance verification turn a brand-new package with a familiar name into a question rather than a default install. Our [recent piece on npm staged publishing and install-source controls](/articles/npm-staged-publishing-supply-chain-guardrails) discusses these specifically for npm, and the same posture applies to PyPI and Crates.io.
The third is incident scoping. When a developer is found to have installed a TrapDoor-class package, the response cannot stop at uninstalling the dependency. The cookbook needs to include rotating the credentials reachable from that workstation, scanning every repository the developer has worked in for planted rule files, and reviewing recent assistant-generated code for the influence the planted rules may have had. The dependency is gone faster than ever now, but the secondary artifacts that survive it are the part the attacker actually wants.
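A minimal version of the rule-file scan described in the first and third additions above, as an added example (not code from Socket or from the original article). The file-name set reuses the names listed above; flagging the whole Unicode `Cf` category is an assumption that covers zero-width characters along with bidi controls and tag characters, and `SAMPLE` is constructed input.

```python
import os
import sys
import unicodedata

# Rule-file names taken from the article; extend for other assistants in use.
RULE_FILES = {".cursorrules", "CLAUDE.md", ".clinerules", "system.md"}
# Constructed sample: a harmless rule line followed by three zero-width characters.
SAMPLE = "Prefer the project's lint config.\u200b\u200c\u200d\nUse pytest for tests.\n"

def is_hidden(ch):
    # Assumption: any "Cf" (format) character is suspicious in a rule file.
    # Emoji that use ZERO WIDTH JOINER will also be flagged and need manual review.
    return unicodedata.category(ch) == "Cf"

def hidden_chars(text):
    """Return (line, column, codepoint, name) for every invisible character."""
    return [
        (lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for lineno, line in enumerate(text.splitlines(), 1)
        for col, ch in enumerate(line, 1)
        if is_hidden(ch)
    ]

def reveal(text):
    """Render invisible characters as <U+XXXX> markers so a reviewer can see them."""
    return "".join(f"<U+{ord(c):04X}>" if is_hidden(c) else c for c in text)

def scan_repo(root):
    """Walk a checkout and map each flagged rule file to its findings."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            if name in RULE_FILES:
                path = os.path.join(dirpath, name)
                # utf-8-sig drops a legitimate leading BOM instead of flagging it
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    hits = hidden_chars(fh.read())
                if hits:
                    findings[path] = hits
    return findings

if __name__ == "__main__":
    results = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in results.items():
        for lineno, col, codepoint, name in hits:
            print(f"{path}:{lineno}:{col}: {codepoint} {name}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI job
```

Run against a checkout in CI, it fails the job when a rule file carries hidden characters; run across every repository a developer has touched, it serves the incident-scoping sweep.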
A New Shape of Supply Chain
TrapDoor is not the first supply-chain campaign to span ecosystems, and it is not the first to target developers with credentials worth stealing. The new piece is the channel it added on top of the old chain. Code that lands once on a workstation is one risk. Instructions that land once and then influence every future AI-assisted code change are a different risk, and one the existing supply-chain playbook does not address.
For threat trackers, the worth of the record is the pattern, not the package list. The packages are already gone. The next campaign will pick different names. The reusable observation is that AI-assistant rule files are now part of the supply-chain attack surface, and the defenders who notice that first will not be the ones explaining later why a rotated dependency did not end the incident.