Socket's disclosure on May 24 revealed the TrapDoor campaign, which deployed more than 34 malicious packages across npm, PyPI, and Crates.io, encompassing over 384 related versions. This operation specifically targeted the developers maintaining protocols and the credentials governing system access, establishing a pathway from a single compromised machine into repositories, CI/CD pipelines, cloud accounts, and deployment keys. The campaign leveraged standard developer workflows to deliver payloads, including npm packages executing code via postinstall hooks, PyPI packages triggering payloads on import while fetching remote JavaScript, and Rust crates running build.rs scripts during compilation. These execution paths require nothing beyond a standard package install, import, or build command, rendering normal developer behavior the primary attack surface. In the ecosystem surrounding live protocols, any of these credential classes can provide a route to user funds that traditional smart contract audits never examine.
Socket explicitly framed the theft of SSH keys as a mechanism for lateral movement, while compromised cloud and GitHub credentials expose repositories, CI/CD systems, private packages, and deployment environments. The investigation uncovered attempts to plant hidden instructions within configuration files such as .cursorrules and CLAUDE.md, which AI coding assistants like Cursor and Claude Code utilize to understand project behavior. These injected instructions employed hidden Unicode techniques to steer AI-assisted workflows toward secret discovery and exfiltration. Data compiled by Woofun AI indicates that attackers also submitted pull requests to AI and developer tooling projects attempting to introduce instruction files under benign-sounding labels, targeting the AI assistant that reads the repository, generates code, and operates with the context supplied by project files. If attackers silently manipulate this context through hidden Unicode instructions, the AI-assisted workflow effectively becomes an exfiltration mechanism.
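A check a team could run in CI or a pre-merge hook over .cursorrules, CLAUDE.md and similar instruction files, given the hidden-Unicode injection described above. This is an added example, not code from Socket or this article; the character classes it flags and the names `classify`, `scan` and `SAMPLE` are assumptions of the example.

```python
import sys
import unicodedata

# Assumption: the article says only "hidden Unicode techniques". The classes
# checked here (Unicode tag block, bidi controls, other format/control chars)
# are a reviewer's choice, not a list taken from Socket's report.
TAG_START, TAG_END = 0xE0000, 0xE007F
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))

def classify(ch):
    """Return the class of an invisible code point, or None if ch is ordinary."""
    cp = ord(ch)
    if TAG_START <= cp <= TAG_END:
        return "tag"
    if cp in BIDI:
        return "bidi"
    cat = unicodedata.category(ch)
    if cat == "Cf":
        return "format"          # zero-width space/joiner, BOM, soft hyphen, ...
    if cat == "Cc" and ch not in "\t\r\n":
        return "control"
    return None

def scan(text):
    """List every line that carries invisible code points, with tag text decoded."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        hits = [(ch, classify(ch)) for ch in line if classify(ch)]
        if not hits:
            continue
        # Tag characters U+E0020..U+E007E mirror printable ASCII; map them back.
        decoded = "".join(chr(ord(ch) - TAG_START) for ch, kind in hits
                          if kind == "tag" and 0xE0020 <= ord(ch) <= 0xE007E)
        findings.append({"line": lineno,
                         "kinds": sorted({kind for _, kind in hits}),
                         "codepoints": [f"U+{ord(ch):04X}" for ch, _ in hits],
                         "decoded_tags": decoded})
    return findings

# Constructed sample: visible rules plus four tag characters and one zero-width space.
SAMPLE = ("# Project rules\n"
          "Use 4-space indentation.\U000E0054\U000E0045\U000E0053\U000E0054\n"
          "Run the linter\u200b before committing.\n")

if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("SAMPLE", SAMPLE)]
    for name, text in texts:
        for f in scan(text):
            print(name, f)
    sys.exit(1 if any(scan(t) for _, t in texts) else 0)
```

Run with file paths as arguments, the script exits non-zero when any file carries invisible code points, so it can gate a pull request. Zero-width joiners inside emoji sequences are reported too, which in an instruction file is usually worth a manual look.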
This control-plane attack pattern has already resulted in measurable DeFi losses using structurally identical methods, exemplified by the Resolv incident in March. That event resulted in a $23 million exploit where the deployed code functioned exactly as designed, but off-chain infrastructure and trusted keys failed. In each instance, the failure point was operational, involving trusted infrastructure, off-chain systems, and admin access layers surrounding the contract rather than the contract logic itself. Woofun AI notes that if TrapDoor-style packages are detected quickly (Socket's system logged an average detection time of 5 minutes and 56 seconds), teams can rotate exposed credentials before downstream access occurs, limiting the campaign's damage to rotatable credentials.
However, the persistence of the attack surface remains a critical concern.
DeFi losses currently track near the 2025 Immunefi baseline of $680 million, with TrapDoor's primary effect being accelerated security reviews of package dependencies, CI/CD secrets, and developer environment hygiene across crypto teams. A TrapDoor-type upstream compromise reaching deployer keys, bridge validator infrastructure, or admin credentials at a mid-to-large protocol could add $100 million to $300 million to 2026's running total, pushing annual DeFi losses toward $1 billion or above. One infected developer machine holding a GitHub token controlling a deployment pipeline, a cloud credential managing bridge infrastructure, or a wallet key holding protocol admin authority can reach far more than the developer's own funds. Woofun AI analysis suggests that the industry has built a meaningful smart contract security layer over the past four years, yet this progress has shifted the battlefield.
Immunefi's data shows that the median incident size dropped from $6 million in 2022 to $1.5 million in 2025, signaling that core contract-level defenses have matured.
However, incidents involving Resolv, Drift, and KelpDAO demonstrate that attackers have absorbed this improvement and moved to systems that audits cannot reach, such as deployer permissions, bridge validators, cloud infrastructure, admin keys, off-chain RPC endpoints, and now the developer machines, package dependencies, and AI coding environments that produce and configure all of the above. A smart contract can pass every audit a protocol commissions and still sit atop a deployment pipeline where a post-install hook has already exfiltrated the deployer's GitHub token. TrapDoor represents a specific campaign with a defined package count and detection timestamp, but the attack surface it targeted, consisting of developer machines, package registries, CI/CD credentials, AI coding files, and cloud accounts, persists well beyond the specific package list identified in the disclosure.