Cybersecurity lab SlowMist has issued an emergency security warning under the code SM-2026-352284. According to the official statement, an active cross-registry supply chain attack has been detected, targeting creators of Web3 and AI products.
Hackers injected more than 34 malicious packages and 384 associated versions into the largest repositories, including npm, PyPI and Crates.io, directly targeting developers in the Solana, DeFi, and AI ecosystems.
The incident is unfolding against the backdrop of April’s anti-record, when the DeFi sector lost an unprecedented $635 million across 28 hacks. Although the scale of direct smart contract exploits declined in May, SlowMist telemetry shows a fundamental change in attacker tactics.
Threat actors have moved their focus from attacking protected servers to covertly compromising engineers’ personal devices.
How TrapDoor hijacks “vibe coding”
SlowMist’s analysis showed that TrapDoor is designed for full compromise of developer workstations. The malware steals crypto wallets, cloud tokens such as AWS and GitHub credentials, and access keys, sending them to addresses controlled by the attackers.
Conceptually, the scheme repeats the logic of the well-known npm worm “Mini Shai-Hulud”.
To maintain covert persistence in the system, the payload writes itself directly into AI assistant configuration files such as .cursorrules and CLAUDE.md, while also hiding inside Git hooks and automation scripts. In repositories, the software is disguised as AI plugins and build utilities for Sui and Move.
You Might Also Like
The incident is worsened by the trend of “vibe coding”, where engineers assemble projects through prompts and blindly connect dozens of nested libraries. As a result, AI agents automatically download malicious code onto machines where smart editors have direct access to local configuration files.
Due to the critical status of the threat, SlowMist instructs teams to immediately remove the affected packages, isolate infected systems, preserve logs and launch a three-stage remediation protocol:
- AI configuration audit: Manually inspect local .cursorrules and CLAUDE.md files for third-party or anomalous instructions.
- Total credential rotation: Force-revoke and reissue all encryption keys, cloud tokens and GitHub secrets used on the devices.
- Full environment rebuild: Purge and reset build environments, then fully reinstall developer work environments from fresh system images.
