TrapDoor Supply Chain Attack: AI Assistants Become New Attack Surface
TL;DR · AI Summary
The TrapDoor supply chain attack uses AI assistant configuration files as an attack vector, stealing developer credentials via malicious packages and PR injection.
Key Takeaways
- 34 malicious packages target crypto, AI, and security developers to steal wallet
- Attackers submit PRs to open-source repos injecting CLAUDE.md and .cursorrules f
- AI assistants become a new attack surface; when developers use Claude Code or Cu
Outline
Jump quickly between sections.
The TrapDoor attack simultaneously affects npm, PyPI, and Crates.io, targeting developer credentials.
Attackers inject malicious config files through pull requests to manipulate AI assistants.
Involves 34 malicious packages affecting crypto, AI, and security developers.
AI assistants are used as a new attack surface, executing unauthorized actions after reading malicious configs.
Review suspicious PRs and config file changes in open-source projects, strengthen code audits.
Mindmap
See how the topics connect at a glance.
查看大纲文本(无障碍 / 无 JS 友好)
- TrapDoor供应链攻击
- 攻击目标
- npm
- PyPI
- Crates.io
- 攻击手段
- 恶意包
- PR注入
- AI助手风险
- CLAUDE.md
- .cursorrules
Highlights
Key sentences worth saving and sharing.
34 malicious packages target crypto, AI, and security developers to steal wallets, SSH keys, and cloud credentials.
Attackers submit PRs to open-source repos injecting CLAUDE.md and .cursorrules files to manipulate AI assistants.
When developers use Claude Code or Cursor, AI assistants may execute malicious commands without their awareness.
New: attackers are also submitting pull requests to https://t.co/LrTBfttAgr" / X
A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and Crates. io simultaneously, 34 malicious packages targeting crypto, AI, and security developers to steal wallets, SSH keys, and cloud credentials. New: attackers are also submitting pull requests to popular open-source repos, injecting manipulated CLAUDE.md and .cursorrules config files. When a developer clones the repo and works with Claude Code or Cursor, the AI agent reads those files as trusted instructions, and could execute malicious commands without the developer realizing it. Using AI assistants as the attack surface is new.
Quote
Socket
@SocketSecurity
7h
Replying to @SocketSecurity
More analysis, package details, IOCs, and GitHub-related activity here, including attacker-hosted payload/config infrastructure and PRs attempting to add .cursorrules / CLAUDE.md files to popular AI and developer projects: socket.dev/blog/trapdoor-