TrapDoor Supply Chain — .cursorrules and CLAUDE.md Hijack AI Assistants
AI relevance: Attackers are weaponizing AI-assistant config files (.cursorrules, CLAUDE.md) injected via supply-chain packages and open-source PRs to trick AI coding agents into running hidden credential-scanning commands — a novel agent-tooling attack path.
Overview
The TrapDoor campaign, first reported by Socket, is a coordinated cross-ecosystem supply-chain attack spanning 34+ malicious packages across npm, PyPI, and Crates.io with 384+ published versions. The earliest activity was recorded on May 22, 2026, at 20:20 UTC. The campaign targets developers in crypto, DeFi, Solana, and AI communities.
Attack Details
- npm packages execute a shared JavaScript payload (
trap-core.js) via postinstall hooks that scans for credentials, validates AWS and GitHub tokens, attempts SSH lateral movement, and establishes persistence through.cursorrules,CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH. - Rust crates (Crates.io) use malicious
build.rsscripts to search local keystores, encrypt data with a hardcoded XOR key, and exfiltrate to GitHub Gists — targeting Sui and Move developers. - Python packages (PyPI) auto-execute on import, download JavaScript from an attacker-controlled GitHub Pages domain, and delegate execution via
node -e— allowing behavior updates without republishing. - .cursorrules / CLAUDE.md injection: The attacker opened pull requests across popular AI projects (including
browser-use/browser-use,langchain-ai/langchain,langflow-ai/langflow) containing hidden instructions in AI config files that trick AI coding assistants into running a "security scan" that discovers and exfiltrates secrets. - This represents the first documented case of weaponizing AI assistant configuration files as a supply-chain attack vector — turning legitimate open-source contribution workflows into agent hijack delivery mechanisms.
Why It Matters
TrapDoor demonstrates that AI assistant config files are now an attack surface. When AI coding tools parse .cursorrules or CLAUDE.md, they treat instructions in those files as authoritative — exactly the confused-deputy problem that makes prompt injection dangerous, but applied to persistent project configuration rather than ephemeral prompts. Attackers who can plant these files via PRs or poisoned packages gain persistent control over any AI agent that opens the project.
What to Do
- Audit AI config files: Review
.cursorrules,CLAUDE.md,.windsurfrules, and similar files in your repos for suspicious instructions, especially those referencing "security scan", "scan", or credential access. - Pin dependencies: Use lockfiles and audit npm/PyPI/Crates.io dependencies. Watch for packages matching the TrapDoor list published by Socket.
- Monitor PR changes: Add CI checks that flag modifications to AI assistant config files. Treat changes to these files as security-sensitive, like changes to CI/CD workflows.
- Sandbox AI agents: Run AI coding assistants with restricted filesystem access and no access to credential stores (SSH keys, AWS tokens, cloud CLI configs) unless explicitly needed.
- Check Socket's package list: Review the full list of identified packages at socket.dev.