TrapDoor Malware Exploits AI Coding Assistants to Steal Crypto and Credentials


The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

The TrapDoor malware campaign targeted crypto and AI developers by distributing over 34 malicious packages across npm, PyPI, and Crates.io. It exploited AI coding assistants like Claude and Cursor via prompt injection, enabling theft of sensitive credentials, crypto wallet data, and cloud keys, causing significant harm to developer security. [AI generated]

Why's our monitor labelling this an incident or hazard?

The event involves an AI system (AI coding assistants Claude and Cursor) being hijacked by malware to perform malicious actions that result in theft of crypto assets and sensitive credentials. This constitutes direct harm to property and security, fulfilling the criteria for an AI Incident. The malware's use of AI to facilitate the attack and the realized harm from stolen data and crypto assets confirm this classification. The event is not merely a potential risk or a general update but a concrete incident involving AI system misuse causing harm. [AI generated]

AI principles
Robustness & digital security, Safety

Industries
Digital security

Affected stakeholders
Consumers, Workers

Harm types
Economic/Property

Severity
AI incident

Business function:
Research and development

AI system task:
Content generation


Articles about this incident or hazard


TrapDoor Malware Targets Crypto Developer Tools

2026-05-25
Cointelegraph

TrapDoor Supply Chain Campaign Targets Developers Across Three Major Registries - Techiexpert.com

2026-05-25
Techiexpert.com
Why's our monitor labelling this an incident or hazard?
The event involves an AI system explicitly: AI coding assistants like Cursor and Claude are manipulated by the malware through hidden instructions embedded in configuration files. This manipulation leads to unauthorized system command execution, which is a direct cause of harm. The harm includes theft of sensitive credentials and digital wallets, which is harm to property and potentially to individuals and organizations. The malware's use of AI system manipulation to achieve these ends means the AI system's use is a contributing factor to the incident. Hence, this is an AI Incident rather than a hazard or complementary information.

TrapDoor malware targets 34 crypto and AI packages

2026-05-25
COINTURK NEWS
Why's our monitor labelling this an incident or hazard?
The event involves AI systems explicitly through the exploitation of AI-powered developer assistants manipulated by prompt injection attacks. The malware's use of AI to bypass security checks and exfiltrate sensitive data directly leads to harm by compromising security credentials and access keys, which constitutes harm to property and potentially to communities relying on these systems. Therefore, this is an AI Incident because the AI system's misuse directly causes realized harm through data theft and security breaches.

Socket Security Flags 34 Malicious Packages Striking Major Crypto Ecosystems - Crypto Economy

2026-05-25
Crypto Economy
Why's our monitor labelling this an incident or hazard?
The event explicitly involves AI systems (AI coding assistants Claude and Cursor) being manipulated through prompt injection to perform malicious workflows that steal secrets. This is a direct use of AI systems in the attack chain leading to realized harm (credential theft, exposure of private keys, and compromise of crypto infrastructure). The harm is materialized and significant, affecting property and communities within the crypto ecosystem. Therefore, this qualifies as an AI Incident because the AI system's use is pivotal in the harm caused.

TrapDoor Malware Targets Crypto Dev Tools via npm, PyPI

2026-05-25
blockchain.news
Why's our monitor labelling this an incident or hazard?
The TrapDoor malware campaign involves AI-assisted methods to enhance its reach and effectiveness, including prompt injection attacks on AI coding assistants, which are AI systems. The campaign has directly led to theft of sensitive data and compromise of developer infrastructure, causing harm to property and communities in the crypto and AI sectors. The AI system's role is pivotal in both the malware's development and its exploitation of AI tools, fulfilling the criteria for an AI Incident rather than a hazard or complementary information.