Socket’s May 24 disclosure of TrapDoor found more than 34 malicious packages and over 384 related versions spread across npm, PyPI, and Crates.io, each targeting the developers who build and maintain protocols, and the credentials that govern access to the systems around them.
What TrapDoor built is a route from a single developer’s compromised machine into the repositories, CI/CD pipelines, cloud accounts, and deployment keys that govern how protocols reach mainnet and stay updated once deployed.
Socket’s report confirms credential theft and infrastructure exposure as the campaign’s documented scope, leaving on-chain exploits as the inferred downstream consequence.
The attack surface developers don’t audit
The campaign delivered payloads through ordinary developer workflows, such as npm packages executing malicious code through postinstall hooks, PyPI packages triggering payloads on import while fetching remote JavaScript, and Rust crates running build.rs scripts during compilation.
Normal developer behavior is the attack surface, as none of these execution paths requires anything beyond a package install, an import, or a build command.
In the environment around a live protocol, any one of those credential classes can represent a path to user funds that no smart contract audit ever examines.
Socket explicitly framed stolen SSH keys as enabling lateral movement, and cloud and GitHub credentials as exposing repositories, CI/CD systems, private packages, and deployment environments.
That chain, comprising malicious package, developer compromise, credential theft, repo and cloud access, and malicious update, describes how a DeFi exploit can arise without a single line of vulnerable Solidity.
The AI instruction injection
Socket found the TrapDoor campaign attempted to plant hidden instructions inside files such as .cursorrules and CLAUDE.md, which are configuration files that AI coding assistants like Cursor and Claude Code read to understand how to behave within a project.
The injected instructions employed hidden Unicode techniques to steer AI-assisted workflows toward secret discovery and exfiltration.
Socket also found pull requests submitted to AI and developer tooling projects that tried to introduce instruction files under benign-sounding labels.
The target was the AI assistant that reads the repo, generates code, and operates with whatever context the project files supply.
If attackers silently manipulate that context through hidden Unicode instructions, the AI-assisted workflow becomes an exfiltration mechanism.
A broader pattern
SafeDep documented a May 11 campaign that compromised more than 170 npm packages and two PyPI packages, hitting 404 malicious versions tied to TanStack, Mistral SDK, UiPath, OpenSearch, and Guardrails AI.
StepSecurity described five major supply-chain attacks in 48 hours across VS Code extensions, GitHub Actions, npm, and PyPI, including a poisoned VS Code extension with 2.2 million installs and trojanized Microsoft PyPI packages.
Sonatype reported more than 454,600 new malicious packages in 2025, bringing the cumulative count to above 1.233 million, with malicious packages now serving as entry points for broader intrusions.
The control-plane attack pattern has already resulted in measurable DeFi losses using structurally identical methods.
Resolv’s March incident was a $23 million exploit where the deployed code worked exactly as designed, but off-chain infrastructure and trusted keys failed.
In April 2026, Drift lost $285 million when attackers combined long-running social engineering with valid admin signatures.
KelpDAO lost approximately $292 million the same month when attackers compromised off-chain RPC and DVN infrastructure.
In each case, the failure point was operational: trusted infrastructure, off-chain systems, and admin access layers surrounding the contract.
Where the risk resolves
If TrapDoor-style packages draw quick detection, since Socket’s system logged average detection at 5 minutes and 56 seconds, and teams rotate exposed credentials before downstream access occurs, the campaign ends at the detection layer, with its damage limited to credentials that teams can still rotate.
DeFi losses track near the 2025 Immunefi baseline of $680 million, with TrapDoor’s primary effect being accelerated security reviews of package dependencies, CI/CD secrets, and developer environment hygiene across crypto teams.
The bear case draws on data from Chainalysis, TRM Labs, and Immunefi, measured in 2025 and early 2026.
TRM Labs estimated that North Korean hackers stole approximately $577 million through April 2026, accounting for 76% of all crypto losses during that period. Chainalysis put total crypto service theft at more than $3.4 billion in 2025, with the top three incidents accounting for 69% of that figure.
A TrapDoor-type upstream compromise reaching deployer keys, bridge validator infrastructure, or admin credentials at a mid-to-large protocol could add $100 million to $300 million to 2026’s running total, pushing annual DeFi losses toward $1 billion or above.
One infected developer machine with a GitHub token controlling a deployment pipeline, a cloud credential managing bridge infrastructure, or a wallet key holding protocol admin authority can reach far more than the developer’s own funds.
In the Drift incident, attackers drained assets including cbBTC and WBTC, showing that Bitcoin-linked liquidity wrapped or bridged into DeFi sits inside the same operational infrastructure that TrapDoor targets.
What audits don’t reach
The DeFi industry has built a meaningful smart contract security layer over the past four years. Immunefi’s data shows that the median incident size dropped from $6 million in 2022 to $1.5 million in 2025, a sign that core contract-level defenses have matured.
But Resolv, Drift, and KelpDAO show that attackers have absorbed that improvement and moved to systems audits cannot reach, such as deployer permissions, bridge validators, cloud infrastructure, admin keys, off-chain RPC endpoints, and now the developer machines, package dependencies, and AI coding environments that produce and configure all of the above.
A smart contract can pass every audit a protocol commissions and still sit atop a deployment pipeline where a post-install hook has already exfiltrated the deployer’s GitHub token.
TrapDoor is a specific campaign with a specific package count and a detection timestamp. The attack surface it targeted, consisting of developer machines, package registries, CI/CD credentials, AI coding files, and cloud accounts, persists beyond TrapDoor’s own package list.
Other campaigns are already using the same pathways, and the next DeFi exploit may begin on a developer’s laptop, inside a build script, or within an AI coding environment.