A malicious npm dependency linked to an AI-assisted code commit has been found stealing sensitive data and exposing crypto wallets.
According to researchers at ReversingLabs, the package, disguised as a validation tool, enabled attackers to exfiltrate secrets from infected environments and access funds.
The activity, tracked as PromptMink, involved the package @validate-sdk/v2, which was added to an autonomous trading agent in February 2026. The commit was reportedly co-authored by Anthropic’s Claude Opus model.
Layered Attack Structure Evades Detection
Attribution points to North Korean state-sponsored actor Famous Chollima (also known as APT37 or Reaper), which has been active since 2018 and is known for targeting cryptocurrency developers. The group relied on a two-layer package strategy that separates legitimate-looking tools from hidden malicious payloads.
Packages presented as useful Web3 utilities were used to attract adoption, while secondary dependencies quietly delivered the malware. This approach allowed attackers to maintain trust in widely visible components even as malicious elements were repeatedly replaced behind the scenes.
Across a seven-month period, the researchers tracked more than 60 packages and over 300 versions tied to the campaign, indicating sustained activity and refinement of delivery techniques.
Read more on software supply chain attacks: Npm Supply Chain Malware Attack Targets Developers With Worm-Like Propagation
Malware Evolves Across Platforms
As the PromptMink campaign progressed, the underlying payload expanded well beyond simple credential theft. Early versions focused on harvesting sensitive files, but later iterations introduced broader capabilities that increased both impact and persistence.
These included:
-
Scanning directories for environment files and crypto-related data
-
Collecting system information such as usernames and IP addresses
-
Compressing entire project folders before exfiltration
-
Installing SSH keys to enable persistent remote access
The malware also evolved technically, moving from JavaScript-based code to compiled binaries and Rust-based payloads. This shift improved evasion and allowed the same core functionality to operate across Linux and Windows environments.
Evidence found in the code, including leftover prompts, suggests large language models (LLMs) were used in development. ReversingLabs noted that attackers are increasingly shaping malicious packages to appeal to AI coding assistants, extending supply chain risk into automated development workflows.
