TrapDoor Supply Chain Attack Targets Developers and AI Coding Assistants

The modern software development lifecycle is undergoing a paradigm shift. With the rise of “vibe coding” and the integration of AI-powered assistants like Cursor and Claude Code directly into IDEs, developers are shipping code faster than ever before. However, this acceleration has created a massive attack surface riddled with blind spots. On May 22, 2026, developer security platform Socket uncovered a highly sophisticated, cross-registry supply chain attack codenamed TrapDoor. This campaign did not just seek to compromise traditional server infrastructure; it represents a pioneering class of threat designed to poison localized development environments, siphon high-value Web3 assets, and systematically hijack the AI coding agents that developers trust with their codebases.
The Anatomy of a Multi-Registry Supply Chain Attack
Unlike isolated incidents of typosquatting, the TrapDoor campaign represents a highly coordinated, multi-ecosystem onslaught. Threat actors managed to seed at least 34 malicious packages spanning over 384 downstream versions and artifacts simultaneously across three major developer package repositories: npm, PyPI, and Crates.io. The earliest activity was flagged with the publication of the PyPI package eth-security-auditor@0.1.0 on May 22, 2026, at
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


