Socket’s TrapDoor campaign has uncovered at least 34 malicious packages and 384 related versions spread across npm, PyPI, and Crates.io, all aimed at developers who build and maintain blockchain protocols. The campaign uses credential theft and infrastructure exposure to move from a compromised developer machine straight to user funds. Socket’s system caught the packages in an average of five minutes and 56 seconds, but the damage had already started.
The TrapDoor Campaign
The packages deliver payloads through everyday developer workflows: npm’s postinstall hooks, PyPI imports, and Rust’s build.rs scripts. Once a developer installs one, the attacker can steal credentials, expose infrastructure, and eventually drain user wallets. Socket says the chain runs from a single compromised machine to funds at risk, with no obvious breakpoints for defenders.
AI Instruction Injection
TrapDoor tried something new. Attackers hid malicious instructions in Unicode characters inside .cursorrules and CLAUDE.md files — the configuration files that steer AI coding assistants. The goal was to trick the AI into revealing secrets or exfiltrating data. The attackers also submitted pull requests to AI and developer-tooling projects, introducing these instruction files under harmless-sounding labels. If merged, the AI assistant could be turned into an unwitting accomplice.
Broader Supply-Chain Onslaught
The TrapDoor campaign is only part of a larger wave. SafeDep documented a separate campaign on May 11, 2026 that compromised 170 npm packages and two PyPI packages, with 404 malicious versions targeting TanStack, Mistral SDK, UiPath, OpenSearch, and Guardrails AI. A day earlier, StepSecurity described five major supply-chain attacks in 48 hours — across VS Code extensions, GitHub Actions, npm, and PyPI. One poisoned VS Code extension had 2.2 million installs; trojanized Microsoft PyPI packages were also found.
Sonatype reported 454,600 new malicious packages in 2025, pushing the cumulative total past 1.233 million. The numbers keep climbing.
Financial Fallout from Infrastructure Attacks
While package attacks steal credentials, other attackers are hitting off-chain infrastructure directly. Resolv lost $23 million in March 2026 when deployed code worked fine but off-chain infrastructure and keys failed. Drift lost $285 million in April 2026 after attackers combined long-running social engineering with valid admin signatures. KelpDAO lost roughly $292 million the same month after attackers compromised off-chain RPC and DVN infrastructure. In each case, the smart contracts themselves weren’t the weak point — the supporting infrastructure was.
Detection Speed vs. Scale
Socket’s ability to flag TrapDoor packages in under six minutes shows detection is getting faster. But with hundreds of thousands of new malicious packages a year and attackers now weaponizing AI configuration files, developers face an expanding threat surface. The same workflows that make open-source efficient — automated installs, prebuilt scripts, AI suggestions — are being turned into delivery mechanisms.
The question hanging over the industry is whether detection alone can keep pace. The next campaign may not rely on packages at all.
