Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM).
The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025.
The malware campaign has been codenamed PromptMink by ReversingLabs, which linked the activity as part of a broader campaign mounted by the North Korean threat actor known as Famous Chollima (aka Shifty Corsair), which is behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam.
"The new malware campaign [...] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent," ReversingLabs researcher Vladimir Pezo said in a report shared with The Hacker News. "The commit was co-authored by Anthropic's Claude Opus large language model (LLM). It allows attackers to access users' crypto wallets and funds."
The package is listed as a dependency for an another npm package named "@solana-launchpad/sdk," which, in turn, is used by a third package called "openpaw-graveyard," which is described as an "autonomous AI agent" that creates a social on-chain identity on the Solana blockchain using the Tapestry Protocol, trades cryptocurrency via Bankr, as well as interacts with other agents on Moltbook.
ReversingLabs said the AI agent-generated package was added as a dependency in a source code commit made in February 2026, causing the agent package to execute malicious code and give attackers access via leaked credentials to the victim's cryptocurrency wallets and funds.
The attack adopts a phased approach, where the first-layer packages do not contain any malicious code, but import second-layer packages that actually embed the nefarious functionality. Should the second cluster be detected or removed from npm, they are swiftly replaced.
Some of the first-layer packages identified are listed below -
- @solana-launchpad/sdk
- @meme-sdk/trade
- @validate-ethereum-address/core
- @solmasterv3/solana-metadata-sdk
- @pumpfun-ipfs/sdk
- @solana-ipfs/sdk
"They implement some functionality related to cryptocurrencies," ReversingLabs explained. "And each package lists many dependencies, most of which are popular npm packages with download counts in the millions and billions, like axios, bn.js etc. However, a small number of the dependencies are malicious packages from the second layer."
The threat actors employ various techniques to help the rogue packages escape detection. These include creating a malicious version of the functions already present in the listed popular packages. Another technique uses typosquatting, where the names and descriptions mimic legitimate libraries.
The first package version published to npm as part of this campaign dates back to September 2025, when "@hash-validator/v2" was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts – a benign bait that downloads the actual malware – may have helped it evade detection and help conceal the true scale of the attack.
It's worth noting that some aspects of the activity were documented by JFrog two months later, highlighting the threat actor's use of transitive dependencies to execute malicious code on developer systems and siphon valuable data.
In the intervening months, the campaign has undergone various transformations, even targeting the Python Package Index (PyPI) by pushing a malicious package ("scraper-npm") with the same functionality in February 2026. As recently as last month, threat actors have been observed establishing persistent remote access via SSH and using Rust-compiled payloads to exfiltrate entire projects containing source code and other intellectual property from compromised systems.
Early versions of the malware were obfuscated JavaScript-based stealers that scan the current working directory recursively for .env or .json files and stage for exfiltration to a Vercel URL ("ipfs-url-validator.vercel.app"), a platform repeatedly abused by Famous Chollima in its campaigns.
While subsequent iterations came embedded with PromptMink in the form of a Node.js single executable application (SEA), it also suffered from a notable disadvantage in that it caused the payload size to grow from a mere 5.1KB to around 85MB.This is said to have caused the threat actors to shift to using NAPI-RS to create pre-compiled Node.js add-ons in Rust.
The evolution of the malware from a simple infostealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS capable of dropping SSH backdoors and gathering entire projects demonstrates North Korean threat actors' continued targeting of the open-source ecosystem to target developers in the Web3 space.
Famous Chollima is "leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers," ReversingLabs added.
Contagious Trader Emerges
The findings coincide with the discovery of a malicious npm package named "express-session-js" that's believed to be linked to the Contagious Interview campaign, with the library acting as a conduit for a dropper that fetches a second-stage obfuscated payload from JSON Keeper, a paste service.
"Static deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control," SafeDep noted this month.
Interestingly, the use of legitimate packages like "socket.io-client" for command-and-control (C2) communication, "screenshot-desktop" for screen capture, "sharp" for image compression, and "clipboardy" for clipboard access overlaps with that of OtterCookie, a known stealer malware attributed to the campaign.
What's novel this time around is the addition of the "@nut-tree-fork/nut-js" package for mouse and keyboard control, suggesting broader attempts to upgrade the RAT capabilities to facilitate interactive control of infected hosts.
 |
| OtterCookie deployment chain |
OtterCookie, for its part, has witnessed a maturation of its own, getting distributed via a trojanized open-source 3D chess project hosted on Bitbucket and malicious npm packages like "gemini-ai-checker," "express-flowlimit," and "chai-extensions-extras."
A third method has employed a Matryoshka Doll approach as part of a campaign dubbed Contagious Trader. The attack begins with the download of a benign wrapper package (e.g., "bjs-biginteger"), which then proceeds to download a malicious dependency (e.g., "bjs-lint-builder") and ultimately install the stealer.
 |
| Overlaps between Contagious Interview, Contagious Trader, and graphalgo |
"The recent campaigns orchestrated by Shifty Corsair demonstrate the escalating threat of DPRK state-aligned cyber operations," BlueVoyant researcher Curt Buchanan said. "Their rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities."
Graphalgo Uses Fake Companies to Drop RAT
The development is significant as the threat actor has been simultaneously linked to another ongoing campaign dubbed graphalgo that lures developers using fake companies and leverages fake job interviews and coding tests to deliver malicious npm packages to their systems.
The campaign plays out like this: the hackers employ social engineering ploys on job-seeking platforms and social networks to trick prospective targets into downloading GitHub-hosted projects as part of an assessment. These projects, in turn, contain a dependency to a malicious package published on npm or PyPI, whose main goal is to deploy a remote access trojan (RAT) on the machine.
To pull off the attack, the operators set up a network of fake companies, complete with convincing profiles on platforms like GitHub, LinkedIn, and X to give them a veneer of legitimacy and make the deception more convincing. In the case of Blocmerce, the attackers even went to the extent of actually registering a limited liability corporation (LLC) in the U.S. state of Florida under the same name in August 2025. The names of some of the companies used for frontend phishing are as follows -
- Veltrix Capital
- Blockmerce
- Bridgers Finance
"These organizations link to several GitHub organizations related to blockchain companies that have been active on GitHub since June 2025," ReversingLabs security researcher Karlo Zanki said. "Their purpose is to provide trustworthiness to fake job offerings and to host fake job interview tasks."
Recent versions of the campaign have also been spotted using a different technique for hosting the malicious dependencies. Instead of publishing them to npm or PyPI, they are hosted as a release artifact in GitHub repositories, likely in an effort to minimize the risk of detection.
"The reference to the malicious dependency is buried deep inside the list of the transitive dependencies. The resolved field in the package-lock.json file instructs the package manager where to fetch specific package dependencies from," ReversingLabs noted. "While all other dependencies are fetched from the official npm registry, the malicious one is fetched directly from a release artifact located in a crafted GitHub repository."
The list of npm packages is below -
- graph-dynamic
- graphbase-js
- graphlib-js
The attack culminates with the deployment of a RAT that can gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.
In recent weeks, a North Korean state-sponsored threat cluster tracked as UNC1069 has also been linked to the compromise of "axios," one of the most popular npm packages, highlighting the continued threat faced by open-source repositories from Pyongyang.
Since then, the attackers behind the breach have published a new npm package called "csec-crypto-utils" containing an "updated payload" that substitutes the RAT dropper for a data stealer that exfoliates AWS keys, GitHub tokens, and .npmrc configuration files to an external server ("csec-c2-server.onrender[.]com").
In its report detailing the supply chain compromise, Hunt.io tied the attack to a Lazarus Group sub-cluster known as BlueNoroff, citing infrastructure overlaps and the RAT's similarities with NukeSped.
"The threat actors' use of advanced techniques and tactics, as well as an astonishing level of campaign preparation (setting up a Florida LLC) and their ability to adapt, makes North Korean threat actors a top threat to organizations or individual developers focused on cryptocurrency," ReversingLabs said.
