Socket's May 24 disclosure of the TrapDoor campaign uncovered more than 34 malicious packages and 384 related versions spread across npm, PyPI, and Crates.io — each targeting the developers who build DeFi protocols, not the contracts themselves. Payloads delivered through postinstall hooks, import-triggered scripts, and Rust build files mean a single package install is all it takes to compromise a developer's machine, steal SSH keys, GitHub tokens, and cloud credentials, and open a path into the CI/CD pipelines and deployment keys that govern how protocols reach mainnet.
The campaign also attempted to plant hidden Unicode instructions inside AI coding assistant config files like .cursorrules and CLAUDE.md, effectively turning AI-assisted workflows into exfiltration mechanisms.
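A defender-side check for the hidden-Unicode technique described above, as an added example that is not from Socket's report or the original article: it flags invisible format characters (Unicode category Cf) in assistant config files and decodes any tag-block characters back to ASCII for review. Which characters the campaign actually used is not stated here, so the Cf check, the two-file list and the sample string are assumptions.

```python
import sys
import unicodedata
from pathlib import Path

# Assumption: files to check; the article names .cursorrules and CLAUDE.md.
ASSISTANT_FILES = {".cursorrules", "CLAUDE.md"}
TAG_BASE = 0xE0000  # the Unicode "tag" block mirrors ASCII at this offset


def find_hidden(text):
    """Return (line, column, codepoint, name) for every invisible format char."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            # Category Cf covers zero-width, bidi-control, tag and BOM characters.
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def decode_tags(text):
    """Recover ASCII text carried as Unicode tag characters, for human review."""
    return "".join(chr(ord(c) - TAG_BASE) for c in text
                   if 0xE0020 <= ord(c) <= 0xE007E)


def scan_tree(root):
    """Scan assistant config files under root; return {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in ASSISTANT_FILES:
            hits = find_hidden(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: a visible rule followed by an invisible tag-encoded string,
# then a second line containing a zero-width space.
SAMPLE = ("Use tabs for indentation."
          + "".join(chr(TAG_BASE + ord(c)) for c in "hidden note")
          + "\nRun tests\u200b first.\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
```

Run it against a repository root in CI or a pre-commit hook; variation selectors (category Mn) are outside what this check covers.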
CryptoSlate