
TrapDoor: Attackers Are Now Using Your AI Coding Assistant to Steal Your Credentials

CivSafe Team·May 27, 2026·6 min read

Something new dropped last weekend that every dev team using AI coding tools needs to understand. It's called TrapDoor, it was named publicly by Socket Security on May 25th, and it's the first supply chain campaign we've seen that deliberately weaponizes your AI coding assistant against you.

Not a vulnerability in the AI tool itself. The AI tool worked exactly as designed. That's what makes this one worth a close look.

What Actually Happened

TrapDoor is a coordinated package campaign that hit npm, PyPI, and Crates.io all at once — 34 malicious packages, 384+ versions, with the first uploads logged on May 22 at 8:20 PM UTC. The packages posed as generic developer utilities and security scanners. Crypto and AI developer communities were the primary targets.

The credential theft layer is familiar enough: install a package, a JavaScript or Python payload runs, it sweeps your machine for AWS credentials, GitHub tokens, SSH keys, browser login databases, wallet keystores (Sui, Solana, Aptos), environment variables, and API keys. It validates what it found against live AWS and GitHub APIs, then exfiltrates. It also plants cron jobs, systemd services, and Git hooks to persist across reboots.

That's supply chain as usual.

What isn't usual is what it does next.

The AI Poisoning Layer

After the payload runs its standard credential sweep, it drops two files into your project directory: .cursorrules and a context file that popular AI coding assistants read at startup as project instructions.

These files contain hidden instructions — embedded using zero-width Unicode characters, invisible to the naked eye, invisible to most text editors, but perfectly legible to AI assistants that parse them as plaintext.

The instructions tell your AI assistant to run a "project security scan." They look like legitimate internal tooling notes. The AI reads them, trusts them (because they're in the project context, which it's designed to treat as authoritative), and executes the scan — which turns out to be another pass at credential discovery and exfiltration.

You never see a suspicious command. Your terminal doesn't flash anything unusual. Your AI assistant just quietly does what the hidden instructions told it to do.

To make it worse, the campaign also opened pull requests against popular open-source AI and developer projects — browser-use, LangChain, Langflow — trying to merge the poisoned context files into those repos. If a maintainer merged one of those PRs without noticing the hidden Unicode, every developer who cloned that repo would have the instructions baked into their project.

Why This Matters for Your Team Specifically

If your dev team uses any AI coding assistant that reads local project context files — and at this point, most of them do — then your project directory has become part of your threat model. Not just your code. Not just your dependencies. The instruction files that tell your AI what it's working on.

Most small teams have no process for auditing those files. They get created, they accumulate, and no one reviews them for zero-width Unicode characters that a human eye can't see.

The credentials at risk here aren't theoretical. AWS access keys in a developer's environment often have broad permissions — staging, production, the whole cloud estate. GitHub tokens for a 10-person shop frequently have org-level write access. SSH keys sitting in .ssh/ unlocked without a passphrase can jump to every server in your infrastructure.

Socket caught TrapDoor fast — median detection time of 5 minutes 27 seconds per package. But that's Socket's tool doing its job. Most teams aren't running Socket. Most teams are running npm install from a README they found on GitHub and trusting the package list in their package.json.

What to Actually Do

Check your project context files right now. Open .cursorrules, any .md files in your project root that your AI tools read, and any AI instruction files in your repo. Look for anomalies. Better yet: pipe them through a Unicode visualizer or run cat -A in your terminal. Zero-width characters show up as ^@ or similar escape sequences that shouldn't be in plain English prose.

Audit your recent installs. Check npm, pip, and cargo installs from the last two weeks against the TrapDoor package list, which Socket has published. If you installed anything in the crypto-utils, solana-dev-tools, or generic "security scanner" categories from unknown maintainers, investigate those first.

Rotate credentials if anything looks suspicious. AWS, GitHub, SSH — rotate them now rather than after confirming a breach. The marginal cost is low; the alternative is potentially high.

Add dependency scanning to your CI. Socket, Snyk, and GitHub's built-in dependency review all catch typosquatted and malicious packages before they land. At the scale of a 5–30 person team, this is a half-day setup, not a project. We've done it for clients in a single sprint session.

Stop treating AI context files as trusted by default. Your AI assistant will execute instructions in .cursorrules, GitHub Copilot instructions files, and similar contexts. Those files should be version-controlled, reviewed in PRs like any other code, and audited when they change unexpectedly. The tooling doesn't do this for you yet — you have to build the habit.

Don't run AI coding tools with ambient cloud credentials in scope. If your terminal session has AWS credentials loaded and your AI assistant has broad file system access, that's a single malicious context file away from a bad day. Use short-lived credentials, rotate frequently, and scope down permissions in dev environments.
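A scanner for the first step (checking your context files for zero-width characters) that also serves the fifth (reviewing those files whenever they change), as an added example rather than the article's or Socket's code; the context-file names are assumed, and the sample .cursorrules text is constructed. It flags every Unicode format-category character, which covers the zero-width characters the article describes and goes a little beyond them to bidi overrides, the byte-order mark and tag characters, and it exits non-zero so it can gate a pre-commit hook or CI job.

```python
# Added example (not the article's or Socket's code): flag invisible Unicode
# in AI context files. File names are assumed; the sample text is constructed.
import sys
import unicodedata
from pathlib import Path

# Files that popular AI assistants read as project instructions (assumed list).
CONTEXT_FILE_GLOBS = [".cursorrules", "AGENTS.md", "CLAUDE.md",
                      ".github/copilot-instructions.md", "**/*.mdc"]
ALLOWED_CONTROLS = {"\n", "\r", "\t"}  # control chars that belong in text

# Constructed sample: a zero-width space inside a word and a zero-width
# non-joiner at end of line, both invisible in an editor.
SAMPLE_CURSORRULES = ("# Project notes\n"
                      "Run the secu\u200brity scan before commit.\u200c\n")

def find_hidden_chars(text):
    """Return (line, column, codepoint, name) for every Unicode format (Cf)
    character and every disallowed control (Cc) character. Cf covers zero-width
    space/joiners, the BOM, bidi overrides and tag characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            cat = unicodedata.category(ch)
            if cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings

def scan_project(root, globs=CONTEXT_FILE_GLOBS):
    """Scan matching files under root; return {relative path: findings}
    for only the files that have at least one hit."""
    root = Path(root)
    report = {}
    for pattern in globs:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                hits = find_hidden_chars(path.read_text("utf-8", "replace"))
                if hits:
                    report[str(path.relative_to(root))] = hits
    return report

if __name__ == "__main__":
    # Usage: python scan_context.py [project-root]; exits non-zero on any hit
    # so it can gate a pre-commit hook or CI job.
    report = scan_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in report.items():
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
    sys.exit(1 if report else 0)
```

Run it against the sample by writing SAMPLE_CURSORRULES to a scratch directory as .cursorrules; each hit is printed as path:line:column with the code point and its Unicode name.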

The Bigger Pattern

TrapDoor is the first documented campaign to explicitly weaponize AI coding tools as an execution layer. It won't be the last.

The reason it works is that AI assistants are designed to be helpful and context-aware. They read local files, they trust project-specific instructions, they execute tasks they're asked to execute. That's the point. The attack just figured out how to write those instructions in a way humans can't see.

As AI coding tools become standard infrastructure — and they already are in most active dev shops — the instruction files they read become attack surface. They need the same scrutiny as your dependency list, your CI config, and your Dockerfile.

The teams that understand this now will have better hygiene heading into the next campaign. The teams that don't will find out the hard way that their AI assistant's helpfulness runs both directions.


We help small teams build practical security practices around AI tooling — the kind that actually get followed, not the kind that live in a PDF. If TrapDoor-style attacks are a concern for your team, let's talk.
