Cybersecurity researchers discovered malicious code within an npm package following the malicious package as a dependency to a project by Anthropic’s Claude Opus Large-Scale Language Model (LLM).
The package in question is “@validate-sdk/v2” and is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real function is to plunder sensitive secrets from a compromised environment. This package has evidence of being vibecoded using generative artificial intelligence (AI) and was first uploaded to the repository in October 2025.
The malware campaign has been codenamed PromptMink by ReversingLabs, and it has been linked to this activity as part of a broader campaign launched by the North Korean threat actor known as Famous Chollima (also known as Shifty Corsair), which is behind the long-running Contagious Interview campaign and the deceptive IT Worker scam.
“New malware campaign […] In a report shared with The Hacker News, ReversingLabs researcher Vladimir Pezo said the attack involved a tainted package introduced in the February 28 Commitment to Autonomous Trading Agents, which was co-authored by Anthropic’s Claude Opus Large Language Model (LLM). This allows attackers to gain access to users’ cryptocurrency wallets and funds. ”
This package is listed as a dependency of another npm package named ‘@solana-launchpad/sdk’, which is used by a third package called ‘openpaw-graveyard’. The package is described as an “autonomous AI agent” that uses the Tapestry protocol to create social on-chain identities on the Solana blockchain, trade cryptocurrencies via Banker, and interact with other agents on Moltbook.
According to ReversingLabs, the package generated by the AI agent was added as a dependency in a commit made in February 2026, resulting in the agent package executing malicious code and allowing the attacker to access victims’ crypto wallets and funds via compromised credentials.
The attack uses a step-by-step approach, where the first-tier package does not contain any malicious code, but the second-tier package is imported with actual malicious functionality. If a second cluster is discovered or removed from npm, they will be replaced immediately.
Some of the identified tier 1 packages are listed below.
@solana-launchpad/sdk @meme-sdk/trade @validate-ethereum-address/core @solmasterv3/solana-metadata-sdk @pumpfun-ipfs/sdk @solana-ipfs/sdk
“They have implemented several features related to cryptocurrencies,” ReversingLabs explained. “And each package lists many dependencies, most of which are popular npm packages with millions or billions of downloads, such as axios and bn.js. However, a small number of dependencies are malicious packages from the second layer.”
Attackers use a variety of techniques to help malicious packages evade detection. These include creating malicious versions of functions that already exist in listed popular packages. Another technique uses typosquatting, where the name and description mimic a canonical library.
The first package version published to npm as part of this campaign dates back to September 2025, when “@hash-validator/v2” was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts – a benign bait that downloads the actual malware – may have helped evade detection and hide the true scale of the attack.
Notably, some aspects of this activity were documented by JFrog two months later, highlighting the attackers’ use of transitive dependencies to execute malicious code on developer systems and siphon valuable data.
During this time, the campaign has undergone various changes, even targeting the Python Package Index (PyPI) by pushing a malicious package (“scraper-npm”) with the same functionality in February 2026. As recently as last month, attackers were observed establishing persistent remote access via SSH and using payloads compiled with Rust to exfiltrate entire projects, including source code and other intellectual property, from compromised systems.
The initial version of this malware is an obfuscated JavaScript-based stealer that recursively scans the current working directory for .env or .json files and prepares exfiltration to a Vercel URL (‘ipfs-url-validator.vercel.app’). The Vercel URL (“ipfs-url-validator.vercel.app”) is a platform that Famous Chollima has repeatedly exploited in its campaigns.
In subsequent iterations, PromptMink was embedded in the form of a Node.js Single Executable Application (SEA), but with the notable drawback of increasing the payload size from just 5.1 KB to approximately 85 MB. This is said to have led threat actors to use NAPI-RS to create Node.js add-ons compiled with Rust.
The malware’s evolution from a simple information stealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS that can drop SSH backdoors and harvest entire projects shows that North Korean threat actors continue to target the open source ecosystem by targeting developers in the Web3 space.
Famous Chollima “leverages AI-generated code and multi-layered packaging strategies to evade detection and fool automated coding assistants more effectively than human developers,” ReversingLabs added.
The emergence of infectious traders
This discovery coincided with the discovery of a malicious npm package named “express-session-js” that is believed to be linked to the Contagious Interview campaign. This library acts as a conduit for the dropper to retrieve the second stage obfuscated payload from JSON Keeper, a paste service.
“Static deobfuscation of the stage 2 payload revealed a complete remote access trojan (RAT) and information stealer connecting to 216.[.]126[.]237[.]71 runs via Socket.IO and has features such as browser credential theft, cryptocurrency wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control,” SafeDep noted this month.
Interestingly, the use of legitimate packages such as “socket.io-client” for command and control (C2) communication, “screenshot-desktop” for screen capture, “sharp” for image compression, and “clipboardy” for clipboard access overlaps with the use of OtterCookie, a known exfiltrating malware that has been implicated in this campaign.
What’s new this time around is the addition of the @nut-tree-fork/nut-js package for mouse and keyboard control, indicating a broader effort to upgrade RAT functionality to facilitate interactive control of infected hosts.
OtterCookie deployment chain
OtterCookie has witnessed its own maturation, being distributed via a Trojanized open source 3D chess project hosted on Bitbucket and malicious npm packages such as ‘gemini-ai-checker’, ‘express-flowlimit’, and ‘chai-extensions-extras’.
The third method took the matryoshka doll approach as part of a campaign called Contagious Trader. The attack begins by downloading a benign wrapper package (e.g., “bjs-biginteger”), then proceeds to download a malicious dependency (e.g., “bjs-lint-builder”), and finally installs a stealer.
Duplication of Contagious Interview, Contagious Trader, and graphalgo
“The recent campaign organized by Shifty Corsair demonstrates the growing threat of cyber operations aligned with the North Korean state,” said Bluevoyant researcher Kurt Buchanan. “The rapid evolution from static Obfuscator.io encoding to dynamically rotating custom obfuscation and exploitation of Vercel-hosted C2 infrastructure demonstrates the maturation of operational capabilities.”
Graphalgo uses fake companies to drop RATs
This development is significant because the attackers are simultaneously linked to another ongoing campaign called Grafirgo, which uses fake companies to lure developers and uses fake job interviews and coding tests to deliver malicious npm packages to systems.
This campaign will unfold as follows: Hackers use social engineering tactics on job search platforms and social networks to trick potential targets into downloading projects hosted on GitHub as part of an evaluation. These projects contain dependencies on malicious packages published on npm or PyPI, and their primary purpose is to deploy remote access trojans (RATs) on machines.
To carry out a successful attack, operators build a network of fake companies and set up convincing profiles on platforms like GitHub, LinkedIn, and X to make the fake companies appear legitimate and make the scam more convincing. In the case of Blocmerce, the attackers went so far as to actually register a limited liability company (LLC) under the same name in the US state of Florida in August 2025. The names of the companies used for front-end phishing are:
Veltrix Capital Blockmerce Bridgers Finance
“These organizations are linked to several GitHub organizations associated with blockchain companies that have been active on GitHub since June 2025,” said Carlo Zanchi, a security researcher at ReversingLabs. “Their purpose is to provide credibility to fake job listings and host fake interview tasks.”
Recent versions of the campaign have also been observed using different techniques to host malicious dependencies. Instead of publishing to npm or PyPI, these are hosted as release artifacts in a GitHub repository, presumably to minimize the risk of detection.
“References to malicious dependencies are buried deep in the list of transitive dependencies. The resolved field in the package-lock.json file tells the package manager where to get dependencies for a particular package,” ReversingLabs noted. “While all other dependencies are pulled from the official npm registry, the malicious dependency is pulled directly from a release artifact located in a crafted GitHub repository.”
The list of npm packages is below –
graph – dynamic graph base – js graph library – js
The attack culminates in the deployment of a RAT that can collect system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.
In recent weeks, a North Korean state-sponsored threat cluster tracked as UNC1069 has also been linked to a compromise of one of the most popular npm packages, “axios,” highlighting the continuing threat facing Pyongyang’s open source repositories.
Since then, the attackers behind the breach have published a new npm package called “csec-crypto-utils” (“csec-c2-server.onrender”) that contains an “updated payload” that replaces the RAT dropper with a data stealer that isolates AWS keys, GitHub tokens, and .npmrc configuration files to external servers.[.]com”).
In a report detailing the supply chain breach, Hunt.io linked the attack to a subcluster of Lazarus Group known as BlueNoroff, citing infrastructure overlap and similarities to the NukeSped RAT.
“The threat actors’ use of advanced technology and tactics, as well as their astonishing level of campaign preparation (Florida LLC establishment) and ability to adapt, make North Korean threat actors the number one threat to organizations and individual developers focused on cryptocurrencies,” ReversingLabs said.
Source link
