Cybersecurity researchers have uncovered a series of advanced cyber campaigns orchestrated by North Korean state-sponsored threat actors, leveraging artificial intelligence (AI) assisted code generation and intricate supply chain compromises within the open-source ecosystem. The latest discovery involves malicious code embedded in an npm package, identified as a dependency in a project partly authored by Anthropic’s Claude Opus large language model (LLM), designed to pilfer sensitive cryptocurrency assets and intellectual property.
The PromptMink Campaign: AI-Assisted Crypto Heists
The core of the recent activity, codenamed "PromptMink" by ReversingLabs, centers on the npm package "@validate-sdk/v2." Ostensibly presented as a legitimate utility SDK for hashing, validation, encoding/decoding, and secure random generation, its true purpose is far more nefarious: to exfiltrate sensitive secrets and compromise cryptocurrency environments. This particular package, first uploaded to the npm repository in October 2025, exhibits characteristics consistent with "vibe-coded" software, suggesting the use of generative AI in its creation.
The significance of this finding is amplified by its connection to Anthropic’s Claude Opus LLM. ReversingLabs researcher Vladimir Pezo highlighted that the malicious package was introduced into an autonomous trading agent project via a commit made on February 28, 2026, which was co-authored by the Claude Opus LLM. This marks a concerning evolution in cyber warfare, where even AI-powered coding assistants, intended to streamline development, can inadvertently become vectors for sophisticated state-sponsored attacks. The compromise directly grants attackers access to users’ crypto wallets and funds, underscoring the high-value target that the burgeoning Web3 space represents for these threat actors.

The attack chain for PromptMink is multi-layered and designed for stealth. The "@validate-sdk/v2" package functions as a dependency for another npm package, "@solana-launchpad/sdk," which in turn supports a third package, "openpaw-graveyard." The "openpaw-graveyard" project is described as an "autonomous AI agent" facilitating on-chain identity creation on the Solana blockchain via the Tapestry Protocol, cryptocurrency trading through Bankr, and interactions with other agents on Moltbook. By embedding the malicious dependency within this chain, the North Korean operatives ensure that the agent package executes their nefarious code, leading to the leakage of credentials and the theft of cryptocurrency.
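To see which direct dependency pulls a flagged package into a project, the lockfile can be walked from the root. The following is an added example, not code from ReversingLabs or from the projects named above: the lockfile is constructed, its version numbers are placeholders, and `resolveDep` and `findChains` are hypothetical helper names.

```javascript
// Constructed package-lock.json (v3 layout); names are from the chain above, versions are placeholders.
const chainLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "openpaw-graveyard", dependencies: { "@solana-launchpad/sdk": "^1.0.0", axios: "^1.0.0" } },
    "node_modules/@solana-launchpad/sdk": {
      version: "1.0.0",
      dependencies: { "@validate-sdk/v2": "^1.0.0", "bn.js": "^5.0.0" },
    },
    "node_modules/@validate-sdk/v2": { version: "1.0.0" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/bn.js": { version: "5.0.0" },
  },
};

// Resolve a dependency the way Node does: look in the requiring package's own
// node_modules first, then walk up toward the project root.
function resolveDep(packages, fromPath, depName) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (candidate in packages) return candidate;
    if (!base) return null; // not installed (e.g. optional dependency skipped)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project. Returns each dependency chain, as an
// array of package names, that ends at a flagged package.
function findChains(lock, flagged) {
  const packages = lock.packages || {};
  const chains = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [(packages[""] || {}).name || "(root)"] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const entry = packages[path] || {};
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...(path ? {} : entry.devDependencies) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, path, dep);
      if (!target) continue;
      // .name is set in the lockfile when an npm alias hides the real package name
      if (flagged.has(packages[target].name || dep)) chains.push([...chain, dep]);
      if (!seen.has(target)) { seen.add(target); queue.push({ path: target, chain: [...chain, dep] }); }
    }
  }
  return chains;
}

console.log(findChains(chainLock, new Set(["@validate-sdk/v2"])).map((c) => c.join(" -> ")));
```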
Famous Chollima: A Persistent and Evolving Threat
The PromptMink campaign has been definitively linked to "Famous Chollima," also known as "Shifty Corsair," a notorious North Korean state-sponsored threat actor. This group is recognized for its long-running "Contagious Interview" campaign and the pervasive "fraudulent IT Worker scam," both aimed at financial gain to support Pyongyang’s illicit weapons programs. The estimated financial impact of North Korean cyber operations, particularly cryptocurrency theft, runs into billions of dollars annually, making these campaigns a critical component of the regime’s funding strategy.
Famous Chollima employs a sophisticated, phased approach to evade detection. Initial "first-layer" packages appear benign, devoid of overt malicious code. However, they serve as conduits, importing "second-layer" packages that house the actual nefarious functionality. This modular design allows for rapid replacement of malicious components if detected or removed from repositories like npm, ensuring campaign longevity. Researchers at ReversingLabs noted that while these first-layer packages implement cryptocurrency-related functionalities and list numerous popular npm packages as dependencies (e.g., axios, bn.js), a small, critical number of these dependencies are, in fact, the malicious second-layer components.
To further bolster their stealth, the threat actors utilize various evasion techniques. These include creating malicious versions of legitimate functions found in popular packages and employing typosquatting, where package names and descriptions closely mimic widely used, trusted libraries. The earliest identified package in this specific campaign, "@hash-validator/v2," was uploaded in September 2025. This strategy of splitting the cryptocurrency stealer into a benign "bait" and a separate malware download significantly aids in evading initial detection and concealing the true scale of the compromise. JFrog researchers had previously documented aspects of this activity two months after the initial package upload, highlighting the use of transitive dependencies to execute malicious code and siphon data from developer systems.

The Malware’s Technical Evolution
The malware used by Famous Chollima has undergone significant technical evolution. Early versions were JavaScript-based info-stealers, designed to recursively scan the current working directory for .env or .json files and exfiltrate them to a Vercel URL (e.g., "ipfs-url-validator.vercel.app"). Vercel, a cloud platform for frontend developers, has been repeatedly abused by Famous Chollima for command-and-control (C2) infrastructure in various campaigns.
Subsequent iterations integrated PromptMink as a Node.js single executable application (SEA). While enhancing stealth, this approach suffered from a notable drawback: it drastically increased the payload size from a mere 5.1KB to approximately 85MB. This substantial increase in footprint prompted the threat actors to pivot again, leveraging NAPI-RS to create pre-compiled Node.js add-ons in Rust. This shift demonstrates a continuous adaptation to minimize detection risks while maximizing efficiency. The evolution from a simple infostealer to a specialized, multi-platform harvester—targeting Windows, Linux, and macOS—capable of dropping SSH backdoors and exfiltrating entire projects, including source code and other intellectual property, underscores North Korean threat actors’ persistent targeting of the open-source ecosystem and Web3 developers.
Concurrent Campaigns: Contagious Trader and OtterCookie
The revelations surrounding PromptMink coincide with ongoing discoveries related to the broader "Contagious Interview" campaign. SafeDep recently identified a malicious npm package named "express-session-js" linked to Contagious Interview. This library acts as a dropper, fetching an obfuscated second-stage payload from JSON Keeper, a paste service. Deobfuscation revealed a full Remote Access Trojan (RAT) and information stealer connecting to 216[.]126[.]237[.]71 via Socket.IO. Its capabilities are extensive, including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control.

Notably, the use of legitimate packages like "socket.io-client" for C2, "screenshot-desktop" for screen capture, "sharp" for image compression, and "clipboardy" for clipboard access overlaps significantly with "OtterCookie," a known stealer malware attributed to the Contagious Interview campaign. A novel addition in the latest "express-session-js" variant is the "@nut-tree-fork/nut-js" package, enabling remote mouse and keyboard control, indicating an upgrade in RAT capabilities for more interactive control of infected hosts.
OtterCookie itself has matured, being distributed via various vectors, including a trojanized open-source 3D chess project hosted on Bitbucket and malicious npm packages such as "gemini-ai-checker," "express-flowlimit," and "chai-extensions-extras." A particularly deceptive method, dubbed "Contagious Trader," employs a "Matryoshka Doll" approach. This begins with the download of a benign wrapper package (e.g., "bjs-biginteger"), which then proceeds to download a malicious dependency (e.g., "bjs-lint-builder"), ultimately installing the full stealer. This layered approach is a hallmark of sophisticated supply chain attacks, designed to obscure the malicious payload’s origin.
Graphalgo: Social Engineering and Fake Entities
Beyond technical exploits, North Korean actors simultaneously engage in sophisticated social engineering. The "graphalgo" campaign, also linked to Famous Chollima, lures developers through fake companies and job interviews. These campaigns leverage fabricated job offers and coding tests to trick prospective targets into downloading GitHub-hosted projects. These projects, seemingly legitimate, contain dependencies to malicious npm or PyPI packages designed to deploy a RAT.
The level of preparation for the "graphalgo" campaign is astonishing. Operators establish elaborate networks of fake companies, complete with convincing profiles on platforms like GitHub, LinkedIn, and X, to lend an air of legitimacy. In a remarkable demonstration of their commitment, the attackers behind "Blocmerce," one of these fake entities, even went to the extent of registering a limited liability corporation (LLC) in Florida, USA, under the same name in August 2025. Other frontend phishing companies included in this campaign link to several GitHub organizations related to blockchain companies, active since June 2025, specifically crafted to host fake job interview tasks and build trust.

More recent versions of the graphalgo campaign have shifted their dependency hosting strategy. Instead of publishing malicious packages to public registries like npm or PyPI, they are hosted as release artifacts within GitHub repositories, likely to minimize detection risks. ReversingLabs observed that the reference to the malicious dependency is deeply buried within transitive dependencies, with the package-lock.json file instructing the package manager to fetch the malicious component directly from a crafted GitHub repository while other dependencies are sourced from the official npm registry. The culmination of this attack is the deployment of a RAT capable of extensive system information gathering, file and directory enumeration, process listing, file manipulation (create, rename, delete), and arbitrary file upload/download.
Broader Implications and Ongoing Threats
The compromise of open-source repositories by North Korean actors extends beyond these specific campaigns. In recent months, another state-sponsored cluster, UNC1069, was linked to the compromise of "axios," one of the most popular npm packages globally. This incident highlights the pervasive threat faced by open-source ecosystems from Pyongyang. Following the "axios" breach, attackers published a new npm package, "csec-crypto-utils," containing an updated payload that replaces the RAT dropper with a data stealer exfiltrating AWS keys, GitHub tokens, and .npmrc configuration files to an external server (csec-c2-server.onrender[.]com). Hunt.io, in its report on the "axios" supply chain compromise, attributed the attack to BlueNoroff, a sub-cluster of the Lazarus Group, citing infrastructure overlaps and similarities between the RAT and "NukeSped."
These campaigns collectively demonstrate the escalating sophistication and adaptive capabilities of North Korean state-aligned cyber operations. Curt Buchanan, a researcher at BlueVoyant, emphasized this point, stating, "Their rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities." As ReversingLabs noted, the use of AI-generated code and layered package strategies allows these actors to evade detection and to deceive automated coding assistants more effectively than they deceive human developers.
The persistent targeting of the open-source community, particularly developers in the Web3 space, poses a significant and evolving threat. The astonishing level of campaign preparation, including registering legitimate businesses, coupled with their ability to adapt and innovate in their attack methodologies, establishes North Korean threat actors as a top-tier challenge for organizations and individual developers operating in the cryptocurrency domain. Mitigating these threats requires a multi-faceted approach, including enhanced vigilance against social engineering, rigorous supply chain security audits, and continuous monitoring of open-source dependencies for suspicious activity.
