/Tech36d ago

TrapDoor supply chain attack poisons CLAUDE.md and .cursorrules files to hijack Claude Code and Cursor agents

The attack steals developer wallets, SSH keys, and credentials.

20241327930.2K

#1360

Original post

Chubby♨️@kimmonismus#1360inTech

A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and Crates. io simultaneously, 34 malicious packages targeting crypto, AI, and security developers to steal wallets, SSH keys, and cloud credentials.

New: attackers are also submitting pull requests to popular open-source repos, injecting manipulated CLAUDE.md and .cursorrules config files.

When a developer clones the repo and works with Claude Code or Cursor, the AI agent reads those files as trusted instructions, and could execute malicious commands without the developer realizing it.

Using AI assistants as the attack surface is new.

Socket@SocketSecurity

More analysis, package details, IOCs, and GitHub-related activity here, including attacker-hosted payload/config infrastructure and PRs attempting to add .cursorrules / CLAUDE.md files to popular AI and developer projects:

https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates

9:24 AM · May 24, 2026 · 28.8K Views

Sentiment

Sentiment building, check back later.

Cluster Engagement

Digg Deeper

No Digg Deeper questions have been answered for this story yet.

SOCKET.DEVVia

Posts from X

Most Activity

VIEWS1.2KBOOKMARKS1LIKES13REPLIES1

xlr8harder@xlr8harder

All this credential stealing stuff is sort of making me want to make a key-holding VPS that i proxy requests through and block to my dev machine IP.

Socket@SocketSecurity

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.

Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.

TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys.

Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.

36d1.2K131

Giordano Randone@giordanorandone

@kimmonismus Seems like Mythos is already being used quite actively. 🙃

36d1531

xlr8harder@xlr8harder

like fundamentally the same problem as "my agent might get prompt injected so don't trust it with the keys" except it's all of open source

xlr8harder@xlr8harder

All this credential stealing stuff is sort of making me want to make a key-holding VPS that i proxy requests through and block to my dev machine IP.

36d25820

Chubby♨️@kimmonismus

@giordanorandone brace yourself, mythos is coming :D

36d1462

Mr Opp@MisterOptical

@kimmonismus AI Warfare..

36d931

Vismay Shrouty@BuildZaFuture

@kimmonismus It seems OSS community much need the Mythos than the proprietary companies in the project glasswing (though they include some of em, like ffpeg, openbsd...)

36d641

Alex UGift@Radipdegen

@kimmonismus ngl i check every dep manually now and its a nightmare

feels like we’re back to 2017 npm hell but worse

36d531

Eclipse 🌖@ECLresearch

@kimmonismus What’s the attack vector for the PRs — typo-squatting the actual maintainer repos or poisoned transitive dependencies?

36d13

Steven Collard@stalmico

@kimmonismus supply chain attacks getting creative with the PRs now

36d7