
TrapDoor: a cross-ecosystem stealer that poisons your AI assistant

  • Shipped
  • Action required
  • High importance

The campaign — researchers call it TrapDoor — seeded more than 34 packages and 380-odd versions across npm, PyPI, and Crates.io, with the earliest upload (a PyPI package posing as a crypto security auditor) traced to May 22. The names all dress up as crypto, AI-tooling, or local-setup helpers. Execution rides each ecosystem's native hook: a `build.rs` in Rust, a `postinstall` in npm, import-time code in Python. What it grabs is the usual high-value haul — SSH keys, cloud credentials, GitHub tokens, browser profiles, and a long list of wallet formats. The novel part is what it does to your tools. The shared npm payload drops a `.cursorrules` and a `CLAUDE.md` stuffed with instructions hidden in zero-width Unicode, written to talk an AI coding assistant into running a fake "security scan" that quietly exfiltrates secrets. The operators even opened pull requests on real open-source repos to slip the poisoned config in under titles like "docs: add .cursorrules with dev standards." If you run agents in CI or let one loose on an untrusted checkout, this is the week to audit what your assistant is actually allowed to execute. Socket says it caught most uploads inside six minutes — the packages still move faster than the registries do.
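One defender-side check the paragraph calls for, as an added example (not code from the page, from Socket, or from the TrapDoor packages): scan a checkout for AI-assistant instruction files and flag lines that carry zero-width or bidirectional-control code points, which a plain-text rules file has no reason to contain. The watched file names beyond `.cursorrules` and `CLAUDE.md`, and the sample rules text, are assumptions constructed for the example.

```python
"""Flag agent instruction files that hide text in zero-width Unicode (added example)."""
import re
import sys
from pathlib import Path

# Instruction files honoured by common coding assistants (assumed list, extend as needed).
WATCHED_NAMES = {".cursorrules", "CLAUDE.md", "AGENTS.md", ".windsurfrules"}

# Zero-width joiners/spaces, word joiner, invisible operators, BOM, and bidi controls.
HIDDEN_CHARS = re.compile(
    "[\u200b\u200c\u200d\u2060\u2061\u2062\u2063\u2064\ufeff\u202a-\u202e\u2066-\u2069]"
)

# Constructed sample: one benign rule, then a rule padded with invisible code points.
SAMPLE_RULES = (
    "Use 4-space indentation.\n"
    "Run the \u200bsecurity\u200b scan\u200d before commit.\n"
)


def find_hidden(text: str) -> list[tuple[int, int, str]]:
    """Return (line_no, hidden_count, visible_text) for each line with hidden code points."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        found = HIDDEN_CHARS.findall(line)
        if found:
            hits.append((n, len(found), HIDDEN_CHARS.sub("", line).strip()))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[int, int, str]]]:
    """Walk a checkout and map each suspicious watched file to its flagged lines."""
    report = {}
    for path in root.rglob("*"):
        if path.name in WATCHED_NAMES and path.is_file():
            hits = find_hidden(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    findings = scan_tree(root)
    for rel, hits in findings.items():
        for n, count, shown in hits:
            print(f"{rel}:{n}: {count} hidden code point(s) near {shown[:60]!r}")
    sys.exit(1 if findings else 0)  # non-zero so a CI step fails on any finding
```

Run it against the checkout before an agent is allowed to read it; a non-zero exit is a reason to inspect the file, not proof of compromise, since some editors insert a BOM legitimately.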