TrapDoor Attack Hits 35,000 Repos via .cursorrules and CLAUDE.md

A supply chain campaign called TrapDoor placed 34 malicious packages across npm, PyPI, and Crates.io starting around May 22, 2026, and security researchers found them in more than 35,000 public and private repositories before containment. The twist is not classic dependency confusion alone: TrapDoor drops poisoned .cursorrules and CLAUDE.md files so Cursor and Claude Code treat attacker instructions as project policy, then a payload called trap-core.js validates and exfiltrates AWS, GitHub, SSH, and crypto wallet credentials.

If you use AI-assisted development, this is the highest-signal security story of the week for your stack.

What is the TrapDoor supply chain attack?

TrapDoor is a coordinated cross-registry campaign spanning 384 package versions under 34 package names, detected by Socket's research team with a reported median response time of 5 minutes 27 seconds per finding. Despite that speed, the packages had already spread into 35,000+ repositories touching crypto, DeFi, Solana, and AI-adjacent JavaScript and Rust ecosystems.

The attack chain has three layers:

1. Malicious package installed via normal npm install, pip install, or Cargo deps
2. Project-root config poisoning — writes .cursorrules and CLAUDE.md that AI tools read automatically
3. Credential harvester — trap-core.js (npm path) scans local secrets, live-validates AWS and GitHub tokens against APIs, then exfiltrates only working keys

That third step matters: attackers skip noisy dead credentials and receive a curated, confirmed loot set.

Why AI config files are the new attack surface

Developers increasingly commit .cursorrules, CLAUDE.md, and AGENTS.md so assistants understand repo conventions. Models and IDEs trust those files the way they trust README instructions.

TrapDoor exploits that trust boundary. A routine prompt like "run the security scan defined in project docs" becomes exfiltration if the doc was attacker-authored.

This is adjacent to but worse than Semantic Kernel agent RCE patterns because it hijacks human-established AI governance files, not just a vulnerable library call.

What trap-core.js steals and how it validates targets

Reporting from The Hacker News and Socket-style analysis describes a wide surface:

Before exfiltration, the payload hits live AWS and GitHub API endpoints to confirm tokens still work. Defenders should assume any repo that installed flagged packages had working secrets exposed, not speculative leaks.

What developers should do in the next 24 hours

Audit lockfiles across monorepos for package names flagged in TrapDoor advisories (check Socket, npm security advisories, and your SCA vendor).

Treat credentials as burned if TrapDoor packages appear in history — rotate AWS IAM keys, GitHub PATs, SSH keys, and CI secrets; do not only delete the dependency.

Never auto-run "security tasks" suggested by AI without reading the underlying script path, especially if the suggestion references new .cursorrules content you did not author.

Pin and verify AI config files in code review the same way you review package.json and GitHub Actions workflows.

Add pre-commit hooks that block unexpected .cursorrules / CLAUDE.md changes from unknown contributors.

Link spend discipline to LLM API pricing only after incident containment — a leaked AWS key can dwarf model bills.

Why TrapDoor wins AI search citations

Queries like "cursorrules malware" and "Claude.md supply chain" are rising. Posts that name TrapDoor, 34 packages, 35,000 repos, and trap-core.js in sentence one get quoted by Perplexity and ChatGPT browse because the answer is structured and numeric.

Longer-term fix: zero-trust for assistant context

Teams should separate trusted assistant instructions (maintained by security-reviewed templates) from per-repo overrides contributed by arbitrary package install scripts. Some orgs will move rules into signed internal templates and mark project-local AI docs as untrusted by default.

That is a product and policy shift, not a one-line eslint rule.

Key Takeaways

• TrapDoor: 34 packages, 384 versions, 35,000+ repos affected; active since roughly May 22, 2026
• Vector: poisoned .cursorrules + CLAUDE.md → AI assistants execute attacker context
• Payload: trap-core.js validates then steals AWS, GitHub, SSH, crypto credentials
• For developers: rotate secrets if exposed, audit lockfiles, review AI config files like code
• What to watch: registry advisories, Socket/npm/GitHub security bulletins, corporate bans on unsigned AI rule files

Frequently asked questions

What is the TrapDoor attack?

TrapDoor is a May 2026 supply chain campaign using malicious npm, PyPI, and Crates packages to inject poisoned .cursorrules and CLAUDE.md files, causing AI coding tools to help exfiltrate cloud and developer credentials.

Does TrapDoor only target crypto developers?

No. Reporting emphasized crypto and DeFi repos, but anyone running npm, pip, or Cargo installs with Cursor or Claude Code in the workflow is in scope if a flagged package entered the dependency tree.

Should I delete .cursorrules and CLAUDE.md?

Do not delete legitimate team files blindly. Audit whether those files changed when TrapDoor packages were installed, verify authorship in git history, and replace with known-good copies from your security team template.

What is trap-core.js?

It is the reported npm-side credential harvester that scans local secret stores, validates AWS and GitHub tokens live, and exfiltrates working credentials.

How is this different from a normal npm malware package?

Classic npm malware runs on install scripts. TrapDoor also weaponizes AI assistant configuration so later "helpful" agent actions leak secrets, extending the attack into everyday pair-programming workflows.