2026-05-19
HighPrimary34 malicious packages (npm/PyPI/Crates.io) targeting crypto, DeFi, Solana, and AI developers. Novel: planted .cursorrules and CLAUDE.md files with hidden zero-width Unicode instructions to poison AI coding assistants on same machine. Universal AI Agent Extraction Framework. 384 artifact versions.
What happened
TrapDoor packages installed CLAUDE.md and .cursorrules files with hidden zero-width Unicode characters encoding malicious instructions. AI coding assistants on the same machine read these files and followed the hidden instructions — the 'Universal AI Agent Extraction Framework' — harvesting credentials, private keys, and wallet data.
Why it matters
Developer credentials, cryptocurrency private keys, and wallet data harvested from affected developer machines. 34 packages across 384 versions spanning npm, PyPI, and Crates.io. Targeted crypto, DeFi, Solana, and AI developers — high-value credential targets for financial exploitation.
Missing authorization check
AI coding assistants must not automatically trust and execute instructions from CLAUDE.md or .cursorrules files installed by third-party packages. These files should require explicit human review and authorization before the AI assistant acts on them. Zero-width Unicode characters in instruction files should trigger security warnings.
Would PP block it?
If credential access and file reads (private key files, wallet data) required PP receipts, the 'Universal AI Agent Extraction Framework' payload would face an authorization gate before exfiltrating data. Config file source verification requires AI assistant-level controls.
Incident analysis
2026-05-19
TrapDoor campaign begins: 34 malicious packages distributed across npm, PyPI, and Crates.io. Packages install CLAUDE.md and .cursorrules files with hidden zero-width Unicode AI poisoning instructions.
2026-05-22
TrapDoor campaign detected. 384 artifact versions identified and removed from registries. Universal AI Agent Extraction Framework payload documented.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
PP's Tool-Call Gate would require receipts for any consequential actions the poisoned AI assistant attempts (credential reads, file exfiltration). It would not prevent the AI from reading poisoned config files — that requires AI assistant-level protections against untrusted instruction files.
Related incidents and controls
Clinejection: Cline CLI 2.3.0 npm Supply Chain Attack Silently Installed OpenClaw on ~4,000 Developer Machines via Prompt Injection and GitHub Actions Cache Poisoning
Mini Shai-Hulud supply chain worm compromises TanStack, Mistral AI, and 170+ npm/PyPI packages via GitHub Actions cache poisoning
Start small
This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.