2026-05-28

34 malicious packages are rewriting your AI coding assistant

Socket's TrapDoor campaign hit npm, PyPI, and Crates.io with 34 malicious packages and 384 versions targeting AI, DeFi, and crypto developers. The npm payload writes .cursorrules and CLAUDE.md files to hijack AI coding agents. Separately, the Laravel-Lang compromise showed that version pinning alone isn't supply-chain defense.

Socket's research team disclosed TrapDoor on May 24, 2026: 34 malicious packages across npm, PyPI, and Crates.io, with 384+ versions actively stealing developer credentials. The campaign's distinguishing feature isn't the malware — it's that the npm payload writes .cursorrules and CLAUDE.md files to hijack AI coding agents. In the same week, the Laravel-Lang compromise forced 700+ package versions to ship malicious code, exposing a hard truth: version pinning alone isn't supply-chain defense.

What You Need to Know: Socket identified TrapDoor — 34 malicious packages and 384+ versions across npm, PyPI, and Crates.io — targeting crypto, DeFi, Solana, Sui, Move, and AI developer communities. The npm packages deploy a trap-core.js payload that harvests credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and writes .cursorrules and CLAUDE.md files to weaponize AI coding assistants. Separately, the Laravel-Lang compromise rewrote every git tag across four Composer packages in a 90-minute window, weaponizing version pinning itself. The earliest observed package was eth-security-auditor@0.1.0 on PyPI, uploaded May 22 at 20:20 UTC.

Why It Matters

  • AI coding agents are now a supply-chain attack surface. The TrapDoor payload explicitly targets .cursorrules and CLAUDE.md to inject prompt-injection instructions into AI development environments.
  • Credential validation is a real attack step. TrapDoor's npm malware calls AWS and GitHub APIs to validate stolen tokens before exfiltration — this isn't spray-and-pray.
  • Version pinning failed the Laravel-Lang test. The attacker force-pushed every git tag across four packages, so composer require with a pinned version constraint pulled a malicious commit.
  • Postinstall hooks, build.rs scripts, and import-time remote code execution are three different kill chains. TrapDoor uses all three across npm, PyPI, and Crates.io.
  • The PRs to upstream projects are the long tail. The same ddjidd564 GitHub account opened PRs to browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands to spread .cursorrules files.

What Actually Happened

TrapDoor — The Cross-Ecosystem Campaign

Socket's research team identified an active crypto-stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket tracks as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts. The earliest package observed was the PyPI package eth-security-auditor@0.1.0, uploaded May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC. The packages were then published in waves by a handful of accounts and actively updated throughout the weekend. The campaign targets developers in crypto, DeFi, Solana, Sui, Move, and AI communities. (Socket blog)

The Package Names

Socket published the full list.

  • npm: async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader.
  • PyPI: cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard.
  • Crates.io: move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils.

The names are crafted to look like development helpers, project setup tools, model routing utilities, prompt engineering packages, Solidity tooling, and Sui/Move build helpers. (Socket blog)

What TrapDoor Steals

SSH keys, Sui/Solana/Aptos wallet data, AWS credentials, GitHub tokens, browser profile data, browser login databases, crypto wallet extension data, environment variables, API keys, and local development configuration files. Stolen SSH keys enable lateral movement; cloud and GitHub credentials expose repositories, CI/CD systems, private packages, and deployment environments. The npm payload trap-core.js is a 1,149-line credential harvester and propagation tool that scans for credentials, validates stolen credentials using AWS and GitHub API calls, and preserves access through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd services, cron jobs, and SSH-based propagation. (Socket blog)

The AI Coding Assistant Hijack

One of TrapDoor's most unusual features is its use of AI-targeted injection through files such as .cursorrules and CLAUDE.md. These files are commonly used to provide project-specific instructions to AI coding tools. The attacker plants hidden instructions using zero-width Unicode characters, attempting to trick AI assistants into running a "security scan" or similar workflow that causes secret discovery and exfiltration. The hosted GitHub Pages site also supports this workflow: packages point to an attacker-controlled URL that attempts to prompt an AI assistant into running a security scan, designed to collect and exfiltrate sensitive local data. (Socket blog)
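A reviewer-side check for the zero-width trick described above, added here as an example (not Socket's code or any tool's): it walks a tree for .cursorrules and CLAUDE.md files and reports every invisible code point with its line and column, so the file a human sees in a diff can be compared against what an LLM actually reads. The sample rules file is constructed.

```python
"""Flag invisible Unicode characters in AI-assistant instruction files
(.cursorrules, CLAUDE.md).  An LLM consumes every code point, but a human
reviewing a diff does not see zero-width ones, so any such character in a
rules file deserves a look.  Added example; not Socket's or any vendor's code."""
import sys
import unicodedata
from pathlib import Path

AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}

def is_invisible(ch: str) -> bool:
    """Unicode 'format' (Cf) characters: ZWSP/ZWNJ/ZWJ, word joiner, BOM, soft
    hyphen, bidi overrides.  Variation selectors (Mn) render as nothing on their
    own and are also used to smuggle text, so they are included.  Newlines and
    tabs are Cc, not Cf, so ordinary files pass."""
    return unicodedata.category(ch) == "Cf" or "\ufe00" <= ch <= "\ufe0f"

def find_invisible(text: str) -> list:
    """Return (line, column, 'U+XXXX', name) for every invisible character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNNAMED")))
    return hits

def visible_text(text: str) -> str:
    """The file as a reviewer sees it: invisible characters removed.  If this
    differs from the raw bytes, the diff view was not showing everything."""
    return "".join(ch for ch in text if not is_invisible(ch))

def scan_tree(root: str) -> dict:
    """Map each AI config file under root to its hit list (only files with hits)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.name in AI_CONFIG_NAMES and path.is_file():
            hits = find_invisible(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a plausible rules file with three zero-width characters
# appended to line 2, where a diff viewer would show nothing unusual.
SAMPLE = ("# Project rules\n"
          "- Use 4-space indentation\u200b\u200c\u200d\n"
          "- Run the test suite before committing\n")

if __name__ == "__main__":
    report = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in report.items():
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
    sys.exit(1 if report else 0)
```

Run it from a repository root in CI; a non-zero exit blocks the merge until someone explains why a rules file contains characters nobody can see.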

The Crates.io Wallet Keystore Exfiltration

The Crates.io packages use build.rs, which runs automatically during the Rust build process. The malicious build script searches for local keystores, encrypts the data using a hardcoded XOR key (cargo-build-helper-2026), and exfiltrates it to GitHub Gists. The use of build.rs is significant because it allows code execution during package compilation, before the developer directly runs any package functionality. For crypto developers working with Sui and Move tooling, this creates a high-risk path for wallet and keystore theft. (Socket blog)

Laravel-Lang — When Version Pinning Fails

The Laravel-Lang supply chain attack hit between May 22–23, 2026. An attacker force-pushed every git tag across four Composer packages — laravel-lang/http-statuses, laravel-lang/lang, and others in the Laravel-Lang organization — to malicious commits in a 90-minute window. Anyone running composer require laravel-lang/http-statuses or composer update against any version constraint pulled a payload that exfiltrated credentials. The total impact: 700+ versions across the four packages backdoored, with the attacker triggering PHP stealers that exfiltrated CI credentials. Phoenix Security's analysis classified it as an "RCE backdoor introduced by force-pushing every git tag" — no CVE, no version that was actually safe. (The Hacker News, Phoenix Security)

The Take

Two stories, one shared structural failure. TrapDoor shows what happens when attackers get organized across package ecosystems — three different kill chains (postinstall, build.rs, import-time remote JS), credential validation, lateral movement, and now AI-coding-assistant hijack. Laravel-Lang shows that the most common supply-chain defense in PHP — pin a specific version — is exactly what the attacker exploited, because git tags are mutable. For builders, the implication is direct: package-lock.json and composer.lock are necessary but not sufficient; you need signed commits, registry-side attestations (Sigstore, npm provenance), and runtime scanning that flags postinstall and build.rs anomalies. For the AI coding agent side, treat .cursorrules and CLAUDE.md files as untrusted input — review every one, and never let an agent execute a "security scan" against your own machine without explicit confirmation. The attacks that succeed in 2026 are the ones that turn your own defensive tools into the attack surface.
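The Laravel-Lang failure mode above is that a pinned version resolves through a git tag, and tags can be moved; the lock file, by contrast, records the exact commit. This added example (not Composer's, Laravel-Lang's or Socket's code) parses `git ls-remote --tags` output and reports every composer.lock package whose tag now points somewhere other than the locked `source.reference`. Package names, URLs, versions and commit ids in the sample are constructed.

```python
"""Flag Composer packages whose git tag no longer points at the commit pinned
in composer.lock.  Tags are mutable refs, so a version constraint alone does not
fix the commit you get; the lock's source.reference does.
Added example, not Composer's, Laravel-Lang's or Socket's own code."""
import json

def parse_ls_remote(output: str) -> dict:
    """Parse `git ls-remote --tags <repo>` output into {tag: commit}.  Annotated
    tags appear twice, refs/tags/v1 (tag object) and refs/tags/v1^{} (peeled
    commit); the peeled commit is what gets checked out, so it wins."""
    tags = {}
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def moved_tags(lock_text: str, remote_tags: dict) -> list:
    """Return (package, version, locked_commit, tag_commit_now) for each package
    whose tag now resolves to a different commit.  remote_tags: {url: {tag: sha}}."""
    lock = json.loads(lock_text)
    drift = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source", {})
        if src.get("type") != "git":
            continue
        tags = remote_tags.get(src["url"], {})
        ver = pkg["version"]  # Composer keeps the tag's pretty form, e.g. "v3.2.0"
        tag = next((t for t in (ver, "v" + ver, ver.lstrip("v")) if t in tags), None)
        if tag and tags[tag] != src["reference"]:
            drift.append((pkg["name"], ver, src["reference"], tags[tag]))
    return drift

# Constructed sample: one tag force-moved after the lock was written, one intact.
LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/http-statuses", "version": "v3.2.0", "source":
     {"type": "git", "url": "https://git.example/http-statuses.git", "reference": "a1a1a1a1"}},
    {"name": "vendor/safe-lib", "version": "1.0.0", "source":
     {"type": "git", "url": "https://git.example/safe-lib.git", "reference": "c3c3c3c3"}}]})
REMOTE = {
    "https://git.example/http-statuses.git": parse_ls_remote(
        "b2b2b2b2\trefs/tags/v3.2.0\nd4d4d4d4\trefs/tags/v3.2.0^{}\n"),
    "https://git.example/safe-lib.git": parse_ls_remote("c3c3c3c3\trefs/tags/v1.0.0\n"),
}

if __name__ == "__main__":
    for name, ver, locked, now in moved_tags(LOCK, REMOTE):
        print(f"TAG MOVED {name} {ver}: lock={locked} remote={now}")
```

In a real pipeline, populate the remote map with the output of `git ls-remote --tags <url>` for each `source.url` in the lock, and treat any drift as a stop-the-build signal rather than a warning.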

Quick Summary

Socket's TrapDoor campaign — 34 malicious packages, 384+ versions, npm + PyPI + Crates.io — explicitly targets AI coding assistants by writing .cursorrules and CLAUDE.md files with hidden prompt-injection. The Laravel-Lang compromise rewrote 700+ git tags in 90 minutes, defeating version pinning. Pin dependencies, but verify with commit signatures, registry attestations, and runtime scanning — and treat AI assistant config files as untrusted input.
