Malicious packages and AI prompts threaten DeFi deployments

Socket disclosed TrapDoor: 34 malicious packages and 384 versions across npm, PyPI and Crates.io used install hooks, build scripts and hidden AI prompts to steal developer credentials.

Socket disclosed TrapDoor on May 24, identifying more than 34 malicious packages and 384 related versions distributed across npm, PyPI and Crates.io. The packages executed during normal developer actions (install, import or build) and sought to exfiltrate developer credentials and tokens.

The campaign used common development execution paths. On npm, packages ran code via postinstall hooks. PyPI packages triggered behavior during import and fetched remote JavaScript. Rust crates relied on build.rs scripts that run at compile time. Attackers also tried to add configuration files such as .cursorrules and CLAUDE.md containing concealed Unicode instructions intended to influence AI coding assistants to locate and leak secrets. Some pull requests attempted to introduce those files into AI and developer tooling projects under ordinary filenames.
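A reviewer can check for the concealed-Unicode technique before merging a pull request that touches these files. The following scanner is an added example, not code from Socket or from the TrapDoor samples. It assumes the hidden text uses invisible format characters (zero-width, bidi controls, Unicode Tags) or variation selectors, since the article does not say which code points were used.

```python
import unicodedata
from pathlib import Path

AI_CONFIG_NAMES = {".cursorrules", "CLAUDE.md"}  # file names named in the article

def is_concealed(ch):
    """True for characters that render as nothing in most editors and diffs."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":  # zero-width, bidi controls, Unicode Tags
        return True
    return 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF  # variation selectors

def decode_tags(text):
    """Recover ASCII shadowed by Unicode Tag characters (U+E0020..U+E007E)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

def scan_text(text):
    """Return one finding per line that contains concealed characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hidden = [c for c in line if is_concealed(c)]
        if hidden:
            findings.append({
                "line": lineno,
                "count": len(hidden),
                "codepoints": sorted({f"U+{ord(c):04X}" for c in hidden}),
                "decoded_tags": decode_tags(line),  # empty if another encoding was used
            })
    return findings

def scan_tree(root):
    """Scan every AI assistant config file under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in AI_CONFIG_NAMES:
            # utf-8-sig drops a leading BOM so it is not reported as hidden text
            hits = scan_text(path.read_text(encoding="utf-8-sig", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    # Constructed sample: a visible rule followed by an invisible tag-encoded string.
    payload = "".join(chr(0xE0000 + ord(c)) for c in "constructed sample")
    sample = "Use 4-space indentation." + payload + "\nplain line\nzero\u200bwidth\n"
    for finding in scan_text(sample):
        print(finding)
```

Emoji sequences legitimately contain zero-width joiners and variation selectors, so a finding is a prompt for manual review of that line, not proof of tampering.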

When a package ran on a developer machine, attackers searched for SSH keys, GitHub tokens, cloud credentials and CI/CD secrets. Those credentials can grant access to private repositories, deployment keys and cloud accounts. With those privileges, an actor can change code, push updates or control deployment pipelines without exploiting on-chain smart contract code.

Socket recorded an average detection time of 5 minutes and 56 seconds for TrapDoor samples. Earlier 2026 incidents involving abuse of off-chain keys and infrastructure resulted in losses of $23 million in March, $285 million in April and about $292 million in another April event. Separate supply-chain waves in May compromised more than 170 npm packages and multiple PyPI packages across hundreds of versions. A 48-hour burst affected VS Code extensions, GitHub Actions, npm and PyPI, including a VS Code extension with about 2.2 million installs. Industry data counted about 454,600 new malicious packages in 2025 and a cumulative total above 1.233 million.

Socket’s timeline and industry data note that rapid detection and rotation of exposed credentials can limit damage to credential and dependency hygiene. Analysts estimate that a compromise reaching deployer keys, bridge validators or admin credentials at a mid-to-large protocol could add $100 million to $300 million in losses and that such incidents could push annual DeFi theft toward $1 billion.

Smart contract audits assess on-chain code but do not review developer workstations, package registries, AI assistant configuration files, CI/CD pipelines or cloud accounts. Socket’s disclosure lists those elements as the control-plane attack surface targeted by the TrapDoor packages.
