Socket's May 24 disclosure of TrapDoor catalogued more than 34 malicious packages and 384 related versions across npm, PyPI and Crates.io, each one aimed not at end users but at the developers who build and ship DeFi protocols. The payloads rode ordinary workflows — npm postinstall hooks, PyPI import-time fetches, Rust build.rs scripts — so a single `npm install` or `cargo build` was the entire attack surface. From a compromised developer machine, the campaign reached repositories, CI/CD pipelines, cloud accounts and deployment keys: every credential class that governs how a protocol reaches mainnet and stays updated afterwards.
Why it matters
TrapDoor also tried to seed hidden instructions into AI coding-assistant config files such as .cursorrules and CLAUDE.md, using hidden Unicode to steer tools like Cursor and Claude Code toward secret discovery and exfiltration. The AI that reads the repo becomes the exfiltration channel. SafeDep logged a May 11 campaign of 170+ npm and 2 PyPI packages across TanStack, Mistral SDK, UiPath, OpenSearch and Guardrails AI, StepSecurity recorded five major supply-chain attacks in 48 hours — including a poisoned VS Code extension with 2.2M installs — and Sonatype counted 454,600+ new malicious packages in 2025 alone, pushing the cumulative total above 1.233M. The pipeline for shipping code is now the pipeline for stealing it.
Market impact
The control-plane pattern already has a DeFi price tag. Resolv lost $23M in March, Drift lost $285M in April after attackers combined social engineering with valid admin signatures, and KelpDAO lost roughly $292M the same month when off-chain RPC and DVN infrastructure was compromised. None of those failures sat inside the audited contract. TRM Labs puts North Korean-linked crypto theft at ~$577M through April 2026 — 76% of all crypto losses in the period — and Chainalysis recorded $3.4B+ in total crypto service theft during 2025, with the top three incidents alone at 69%. If a TrapDoor-style compromise reaches deployer keys, bridge validator infrastructure or admin credentials at a mid-to-large protocol, the bear case adds $100M–$300M to 2026's running total, pushing annual DeFi losses toward or above $1B. Contained, Socket's average 5-minute-56-second detection window plus rapid credential rotation keeps the loss line near Immunefi's 2025 baseline of $680M. The smart contract layer has matured — Immunefi's median incident size fell from $6M in 2022 to $1.5M in 2025 — but attackers have already moved upstream to the systems a contract audit never sees.
Frequently asked questions
-
What is Socket's TrapDoor disclosure?
Socket published the TrapDoor disclosure on May 24, documenting more than 34 malicious packages and 384 related versions across npm, PyPI and Crates.io. The packages targeted DeFi developers through postinstall hooks, import-time fetches and Rust build.rs scripts, exposing repos, CI/CD credentials, cloud accounts and…
-
How does TrapDoor target AI coding assistants?
TrapDoor attempted to inject hidden Unicode instructions into AI assistant config files such as .cursorrules and CLAUDE.md. The goal was to steer tools like Cursor and Claude Code toward secret discovery and exfiltration, turning the AI assistant itself into the exfiltration channel.
-
What is the control-plane attack pattern in DeFi?
The control-plane pattern targets the operational layer around a smart contract — deployer permissions, bridge validators, cloud infrastructure, admin keys, off-chain RPC endpoints, and now developer machines and CI/CD pipelines. Resolv ($23M), Drift ($285M) and KelpDAO (~$292M) all failed at this layer, not in…
-
How much could a TrapDoor-style exploit add to 2026's DeFi losses?
Socket, Chainalysis, TRM Labs and Immunefi data frame the bear case at $100M–$300M from a single mid-to-large protocol compromise reaching deployer keys, bridge validator infrastructure or admin credentials. That would push 2026 DeFi losses toward or above $1B, well above Immunefi's 2025 baseline of $680M.
-
What limits the damage if a TrapDoor package lands in a build?
Socket's systems logged an average detection time of 5 minutes and 56 seconds. Contained case: rapid detection plus fast rotation of exposed credentials keeps the loss line near Immunefi's 2025 baseline of $680M and limits the campaign to credential hygiene and dependency-review work.
CryptoSlate