TrapDoor, VaultJacking, and the AI Agent Security Crisis Reshaping Development
TrapDoor: When Your Dependencies Become the Attack Vector
The open-source ecosystem — the bedrock of modern software development — is under siege. Security researchers at SlowMist and Socket have uncovered TrapDoor, one of 2026's largest cross-platform supply chain attacks, with over 34 malicious packages and 384 infected versions uploaded to npm, PyPI, and Crates.io. The campaign specifically targeted developers building crypto wallets, DeFi protocols, Solana and Sui applications, and AI-related tools.
What makes TrapDoor particularly insidious is its sophistication. The malware disguised its data exfiltration traffic as normal coding activity by routing stolen credentials — SSH keys, AWS credentials, crypto wallets, and API tokens — through GitHub Pages and webhook.site services. Even worse, attackers inserted zero-width characters and prompt injection instructions into code consumed by AI coding assistants like Cursor and Claude Code. This means the malicious behavior could propagate across coding sessions without the developer ever realizing their AI assistant was compromised.
The attack underscores a growing reality: as AI coding tools become standard practice, the supply chain threat model has fundamentally changed. A compromised package no longer just runs malicious code — it can now teach AI agents to replicate that malicious behavior in future sessions, creating a self-sustaining attack vector that traditional dependency scanners weren't designed to catch.
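One defensive check the TrapDoor technique calls for, as an added example that is not SlowMist's, Socket's, or any scanner's own code: a small Python script that flags zero-width, bidirectional-control and Unicode tag characters hidden in package source before a reviewer or an AI assistant consumes it. The sample input is constructed, and `find_hidden_chars` and `scan_tree` are hypothetical names.

```python
# Added example (hypothetical helper, not TrapDoor or SlowMist/Socket code):
# flag invisible Unicode that can hide text from reviewers and AI assistants.
import sys
import unicodedata
from pathlib import Path

# Invisible code points often smuggled into comments or string literals.
SUSPECT = {
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,          # zero-width chars / BOM
    *range(0x202A, 0x202F), *range(0x2066, 0x206A),  # bidi controls (Trojan Source)
    *range(0xE0000, 0xE0080),                        # Unicode tag block (hidden text)
}


def find_hidden_chars(text):
    """Return (line, col, codepoint, name) for every suspect character in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            # Any other 'Cf' (format) character is also worth a look.
            if cp in SUSPECT or unicodedata.category(ch) == "Cf":
                hits.append((lineno, col, cp, unicodedata.name(ch, "UNKNOWN")))
    return hits


def scan_tree(root, suffixes=(".js", ".ts", ".py", ".rs", ".md", ".json")):
    """Walk a package directory (e.g. node_modules) and map file -> findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                hits = find_hidden_chars(path.read_text(encoding="utf-8"))
            except UnicodeDecodeError:
                continue  # skip binary or non-UTF-8 files
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: a zero-width space splits "wallet", a bidi isolate sits
# after a statement, and tag characters hide the word "RUN" after a comment.
SAMPLE = (
    "// helper for wal\u200blet sync\n"
    "const KEY = 'abc';\u2068 // trailing isolate\n"
    "// note" + "".join(chr(0xE0000 + ord(c)) for c in "RUN") + "\n"
)

if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": find_hidden_chars(SAMPLE)}
    for path, rows in report.items():
        for lineno, col, cp, name in rows:
            print(f"{path}:{lineno}:{col} U+{cp:04X} {name}")
```

Run it with a directory such as node_modules to scan a dependency tree; with no argument it checks the embedded sample and reports five hidden characters.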
VaultJacking: One PIN, Your Entire Digital Life
On the same day TrapDoor was making headlines, security researchers at Phishu disclosed VaultJacking, a phishing technique that allows attackers to steal an entire Google Password Manager vault with just a single captured 6-digit PIN. No malware required. No prior device access needed.
The attack exploits Google's cross-device credential synchronization architecture. When a victim enters their Google Password Manager PIN on a phishing page styled to look like Google's legitimate prompt, the attacker can register a new device on the victim's security domain. The attacker's infrastructure then authenticates into the victim's Google account, downloads every synced password and passkey — including hardware-backed passkeys from Chrome 359+ — and gains access to every third-party service the victim uses.
What's particularly alarming is how VaultJacking bypasses Google's Live Device Found Session Credentials defense. The attacker's sync component uses an operator-owned passkey to authenticate well after the original session cookies have expired, making detection nearly impossible. Phishu recommends treating this as a design trade-off rather than a bug: organizations should use dedicated Chrome profiles for personal credentials, deploy on-premises password managers for sensitive environments, and train users to treat "new passkey added" notifications as security events worth immediate verification.
Anthropic's Dreaming Feature and the SpaceX Compute Partnership
At the Code w/ Claude 2026 developer conference in San Francisco, Anthropic unveiled a suite of features that signal a maturation in how AI agents operate in production environments. The headline announcement is Dreaming — a research preview capability for Claude Managed Agents that automatically reviews past session transcripts, extracts behavioral patterns, consolidates duplicate learnings, and builds an organized memory store without modifying the original data.
Dreaming represents a fundamental shift in agent architecture. Instead of treating each coding session as an isolated event, Anthropic is enabling agents to learn continuously from experience — the AI equivalent of muscle memory. Combined with the new multi-agent orchestration feature (supporting up to 20 specialist agents running in parallel), outcomes loops for self-checking against configurable rubrics, and webhooks for external integrations, Anthropic is building toward truly autonomous engineering teams.
Perhaps the most strategically significant announcement was Anthropic's partnership with SpaceX to leverage the Colossus data center, immediately doubling rate limits for Claude Code and eliminating peak-hour restrictions. This compute partnership gives Anthropic the infrastructure backbone to compete with OpenAI's massive GPU spending, and signals that the AI compute war has entered a new phase where infrastructure access is as critical as model quality.
Cognition Raises $1 Billion at $25 Billion Valuation
The AI coding agent market is getting real money behind it. Cognition, the startup behind Devin — the autonomous AI software engineer — has closed a $1 billion funding round at a pre-money valuation of $25 billion, more than doubling its valuation in just eight months. The round was led by Lux Capital, and the company reports an annualized revenue run-rate of $492 million.
Cognition's trajectory reflects a broader shift in how the market values AI coding tools. Devin isn't just a code completion tool — it's positioned as an autonomous software engineer that can plan, implement, test, and deploy code across entire projects. The $492 million ARR figure, if accurate, would make Cognition one of the fastest-growing enterprise AI companies in history, surpassing many established SaaS companies' growth curves. The round signals that venture capital is placing enormous bets on the thesis that AI coding agents will become the primary mode of software development within the next few years.
RTK: Slashing LLM Token Consumption by 90%
For developers already using AI coding assistants, a new open-source tool called RTK (Rust Token Killer) has gone viral on GitHub with 55,900 stars. RTK acts as a transparent proxy that compresses terminal output before it enters an LLM's context window, reducing token consumption by 60-90% across common commands. In benchmarks spanning 2,900+ real-world commands, RTK removes an average of 89% of noise — 91.8% from cargo test, 80.8% from git status, and 78.3% from find.
RTK is a single binary with zero dependencies, licensed under MIT, and compatible with Claude Code, Cursor, Aider, Gemini CLI, OpenAI Codex, and GitHub Copilot. For teams spending significant budgets on AI coding tool API calls, RTK could meaningfully reduce costs while actually improving output quality — less noise in the context window means more room for relevant code and reasoning. It's a rare win-win in the AI tooling space: cheaper, faster, and better.
Connecting the Dots
What emerges from this week's top stories is a clear duality in the AI landscape. On one side, AI tools are becoming more powerful and deeply integrated — Anthropic's Dreaming agents, Cognition's billion-dollar autonomous coders, and RTK's efficiency gains are pushing the boundaries of what AI-assisted development can accomplish. On the other side, the attack surface is expanding just as rapidly. TrapDoor weaponizes the very dependency chains that AI agents consume, VaultJacking exploits the credential sync infrastructure that billions of users trust, and the line between legitimate tool and potential attack vector is blurring.
The lesson for developers and organizations is straightforward: as AI becomes more embedded in your workflow, the security assumptions you've built around those workflows need re-examination. Trusting your dependencies is no longer enough — you need to verify them. And the tools that make you more productive may also be the tools that make you more vulnerable if the supply chain is compromised. The future of AI-powered development depends not just on building better models, but on building trustworthy infrastructure around them.