The next big DeFi exploit will start before the code is leveraged
Compiled by KHAO Editorial — aggregated from 1 source. See llms.txt for citation guidance.
Socket's May 24 disclosure of TrapDoor found more than 34 malicious packages and over 384 related versions spread across npm, PyPI, and Crates.io, each targeting the developers who build and maintain protocols, and the credentials that govern access to the systems around them.
Key facts
- TRM Labs estimated that North Korean hackers stole approximately $577 million through April 2026, accounting for 76% of all crypto losses during that period
- A TrapDoor-type upstream compromise reaching deployer keys, bridge validator infrastructure, or admin credentials at a mid-to-large protocol could add $100 million to $300 million to 2026's running
- SafeDep documented a May 11 campaign that compromised more than 170 npm packages and two PyPI packages, hitting 404 malicious versions tied to TanStack, Mistral SDK, UiPath, OpenSearch
- In April 2026, Drift lost $285 million when attackers combined long-running social engineering with valid admin signatures
Summary
What TrapDoor built is a route from a single developer's compromised machine into the repositories, CI/CD pipelines, cloud accounts, and deployment keys that govern how protocols reach mainnet and stay updated once deployed. Socket's report confirms credential theft and infrastructure exposure as the campaign's documented scope, leaving on-chain exploits as the inferred downstream consequence. The campaign delivered payloads through ordinary developer workflows, such as npm packages executing malicious code through postinstall hooks, PyPI packages triggering payloads on import while fetching remote JavaScript, and Rust crates running build.rs scripts during compilation. Normal developer behavior is the attack surface, as none of these execution paths requires anything beyond a package install, an import, or a build command.
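The install-time execution paths described above (npm lifecycle hooks and Rust build scripts) can be inventoried before anything runs. The script below is an added example written for this summary; it is not code from Socket's report or from any of the projects named. It walks a node_modules tree and reports every installed package that declares an install-time hook, checks whether an .npmrc disables lifecycle scripts, and checks whether a crate directory would run a build script under cargo. The package and crate names it creates (harmless-lib, @acme/suspicious, some-crate) are constructed for the demo.

```python
"""Inventory install-time code execution in a dependency tree.

Added example (not from the TrapDoor disclosure): reports npm packages that
declare hooks npm runs automatically on install, and Rust crates that carry
a build script cargo compiles and executes. All sample data is constructed.
"""
import json
import os
import tempfile

# npm runs these automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_dir(dirpath: str) -> bool:
    """True for node_modules/<pkg> or node_modules/@scope/<pkg> (not nested fixtures)."""
    parent = os.path.basename(os.path.dirname(dirpath))
    grand = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
    return parent == "node_modules" or (parent.startswith("@") and grand == "node_modules")


def find_install_hooks(node_modules: str) -> dict:
    """Return {package_name: {hook: command}} for every package with an install hook."""
    findings = {}
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files or not _is_package_dir(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[manifest.get("name") or os.path.relpath(dirpath, node_modules)] = hooks
    return findings


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc sets ignore-scripts=true (comments and whitespace tolerated)."""
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def has_cargo_build_script(crate_dir: str) -> bool:
    """Cargo runs a build script when build.rs exists at the crate root, or when
    [package] sets build = "<path>"; build = false disables it explicitly."""
    in_package = False
    try:
        with open(os.path.join(crate_dir, "Cargo.toml"), encoding="utf-8") as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()
                if line.startswith("["):
                    in_package = line == "[package]"
                elif in_package:
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "build":
                        return value.strip() != "false"
    except OSError:
        return False  # not a crate
    return os.path.isfile(os.path.join(crate_dir, "build.rs"))


def build_sample_tree(root: str) -> None:
    """Write a constructed node_modules tree and a constructed crate under root."""
    packages = {  # constructed names and scripts, not real packages
        "harmless-lib": {"name": "harmless-lib", "scripts": {"test": "jest"}},
        "@acme/suspicious": {"name": "@acme/suspicious",
                             "scripts": {"postinstall": "node setup.js"}},
    }
    for rel, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    crate = os.path.join(root, "some-crate")
    os.makedirs(crate, exist_ok=True)
    with open(os.path.join(crate, "Cargo.toml"), "w", encoding="utf-8") as fh:
        fh.write('[package]\nname = "some-crate"\nversion = "0.1.0"\n')
    with open(os.path.join(crate, "build.rs"), "w", encoding="utf-8") as fh:
        fh.write("fn main() {}\n")


def audit(root: str) -> dict:
    """Audit one checkout: npm install hooks plus crates that run build scripts."""
    return {
        "npm_install_hooks": find_install_hooks(os.path.join(root, "node_modules")),
        "cargo_build_scripts": {d: has_cargo_build_script(os.path.join(root, d))
                                for d in sorted(os.listdir(root)) if d != "node_modules"},
    }


def demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real checkout by replacing demo() with audit("/path/to/repo"). Anything reported under npm_install_hooks runs arbitrary code at install time, so review it before installing, or install with --ignore-scripts (the same effect as ignore-scripts=true in .npmrc). A crate flagged under cargo_build_scripts will compile and execute its build.rs on cargo build; read that file before building an untrusted dependency.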