TrapDoor Campaign Targets AI Coding Tools with Malicious Packages

A new TrapDoor campaign targets developers using AI coding assistants, distributing malicious packages across npm, PyPI, and Crates.io registries. Socket Security detected 34 malicious packages with a median detection time of 5 minutes and 27 seconds.

TrapDoor Campaign Targets AI Coding Tools with Malicious Packages
Computer program coding on screen

A coordinated campaign dubbed TrapDoor has distributed malicious packages across major open-source registries, targeting developers who use AI coding assistants. The attack weaponizes the editor environment rather than the package registry itself, injecting hidden instructions into project files to steal sensitive data from connected machines.

Attackers weaponize editor environments to steal sensitive data from connected machines.

The campaign specifically targets workflows involving tools like Cursor and Claude. Attackers plant specially crafted .cursorrules and CLAUDE.md files that contain zero-width Unicode characters. These invisible markers carry exfiltration commands designed to be executed by the AI assistant when it processes the project context.

Socket Security detected thirty-four distinct malicious packages during the campaign. By the time the security firm published its findings, 384 versions of these packages had been pushed across npm, PyPI, and Crates.io. The payloads are designed to steal cryptocurrency wallets, SSH keys, cloud credentials, AWS tokens, GitHub access data, and browser session information.

The attack methodology relies on testing against real-world repositories using BrowserUse, LangChain, and LangFlow. Pull requests containing the poisoned files were submitted to these projects to validate that the AI assistants would process the hidden instructions. The strategy focuses on leveraging the trust developers place in their automated coding tools to bypass traditional security perimeters.

Socket Security reported a median detection time of five minutes and 27 seconds for the malicious activity. This rapid identification highlights the effectiveness of monitoring editor-level interactions rather than solely scanning package downloads. The campaign demonstrates how attackers are shifting focus from supply chain injection in registries to runtime exploitation within developer environments.

The timing of the attacks appears to be intentional, with incidents concentrated on weekends. This strategy likely aims to reduce the likelihood of immediate detection by security teams who operate primarily during standard business hours. The deliberate scheduling suggests a coordinated effort designed to maximize data exfiltration before defenses can respond.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion