
AI-Assisted Code Targets Crypto Wallets via Malicious npm Dependency


"The commit was reportedly co-authored by Anthropic's Claude Opus model."

PromptMink, Famous Chollima, and a clear focus on crypto developers

Researchers at ReversingLabs have tied a sustained malicious npm campaign to activity they label PromptMink and attribute to the North Korean state-sponsored actor Famous Chollima (also known as APT37 or Reaper). According to the report, the campaign targeted Web3 and cryptocurrency development workflows and relied on packages that posed as legitimate utilities while delivering hidden payloads that stole secrets and enabled access to funds.

The @validate-sdk/v2 incident: an AI-assisted commit reaches an autonomous trading agent

ReversingLabs describes a striking case in which the npm package @validate-sdk/v2—disguised as a validation tool—was added to an autonomous trading agent in February 2026. The package enabled attackers to exfiltrate secrets from infected environments and to access crypto wallets. Notably, the commit that introduced the dependency was reportedly co-authored by Anthropic's Claude Opus model, and researchers found leftover prompts in code that suggest large language models (LLMs) were used in development.

Two-layer package strategy: visible trust, hidden payloads

The campaign used a layered approach to evade detection and preserve trust. Public-facing packages were presented as useful Web3 utilities to attract adoption; secondary dependencies quietly carried the malware. ReversingLabs says attackers repeatedly replaced malicious elements behind apparently benign components, allowing widely visible packages to retain credibility even as the hidden payloads evolved.

Scale and evolution: 60+ packages, cross-platform compiled payloads, and expanded capabilities

Over a seven-month period, ReversingLabs tracked more than 60 packages and over 300 versions tied to the campaign, indicating sustained activity and iterative refinement. Early code focused on harvesting sensitive files, but later versions expanded capabilities: scanning directories for environment files and crypto-related data, collecting system information such as usernames and IP addresses, compressing entire project folders before exfiltration, and installing SSH keys to enable persistent remote access.

The malware also progressed technically: researchers observed a move from JavaScript-based code to compiled binaries and Rust-based payloads. That shift improved evasion and allowed the same core functionality to run across both Linux and Windows environments, increasing the campaign's reach and persistence.

AI coding assistants as a vector: prompts and developer workflows

ReversingLabs highlights evidence in the malicious code—specifically leftover prompts—that points to LLM use in the development lifecycle of these packages. The firm argues attackers are consciously shaping malicious packages to appeal to AI coding assistants, extending supply chain risk into automated development workflows where developers may accept or merge AI-suggested commits into production repositories.

What this means for cryptocurrency developers, open-source maintainers, and AI-assisted development

  • Cryptocurrency developers and teams operating autonomous trading agents: Packages that appear to be validation or Web3 utilities can contain secondary dependencies that exfiltrate environment secrets and enable unauthorized wallet access; teams will need to scrutinize dependencies and the provenance of commits added to automated systems.
  • Open-source maintainers who publish or vet Web3 libraries: The two-layer strategy—visible benign package plus hidden malicious dependency—means maintainers should monitor dependency graphs and be alert to frequent or opaque version changes in transitive packages.
  • Organizations using AI coding assistants: ReversingLabs' finding that leftover prompts were present in malicious code suggests that LLMs are a tool attackers will exploit; teams relying on AI-assisted commits should validate suggested changes and consider controls around automated merges into sensitive projects.
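
An added example, not code from ReversingLabs or the article: one way to watch for the version churn in transitive packages described above is to diff two package-lock.json snapshots (lockfileVersion 2 or 3) and list every package that is not a direct dependency and was added, changed version, or gained an install script. The package names and snapshots are constructed, and matching by install path is a simplifying assumption, since npm hoisting can move a package between paths.

```javascript
// Added example: diff the transitive packages of two package-lock.json
// snapshots (lockfileVersion 2/3). All package names below are constructed.
const PREFIX = 'node_modules/';

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(path) {
  return path.slice(path.lastIndexOf(PREFIX) + PREFIX.length);
}

// Names the root project declares itself (everything else is transitive).
function directNames(lock) {
  const root = (lock.packages || {})[''] || {};
  return new Set(['dependencies', 'devDependencies', 'optionalDependencies']
    .flatMap((k) => Object.keys(root[k] || {})));
}

// One finding per transitive package that is new, changed version, or
// gained an install script since the previous snapshot.
function auditTransitive(prevLock, nextLock) {
  const direct = directNames(nextLock);
  const prev = prevLock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(nextLock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = nameFromPath(path);
    if (path === PREFIX + name && direct.has(name)) continue; // declared directly
    const old = prev[path];
    const reasons = [];
    if (!old) reasons.push('added');
    else if (old.version !== meta.version) reasons.push(`version ${old.version} -> ${meta.version}`);
    if (meta.hasInstallScript && !(old && old.hasInstallScript)) reasons.push('new install script');
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed snapshots: the direct dependency is untouched while the
// package beneath it changes version and gains an install script.
const prevSnapshot = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'example-web3-utils': '^1.2.0' } },
  'node_modules/example-web3-utils': { version: '1.2.0' },
  'node_modules/example-helper': { version: '0.3.1' },
} };
const nextSnapshot = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'example-web3-utils': '^1.2.0' } },
  'node_modules/example-web3-utils': { version: '1.2.0' },
  'node_modules/example-helper': { version: '0.3.2', hasInstallScript: true },
  'node_modules/example-helper/node_modules/@example/fs-tools': { version: '2.0.0' },
} };
console.log(JSON.stringify(auditTransitive(prevSnapshot, nextSnapshot), null, 2));
```

Run against the lockfile from the last reviewed commit and the one in a pull request, the findings list is what a reviewer would need to sign off on before merge, including for AI-suggested commits.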

The PromptMink campaign underscores a plain fact: malware authors are adapting both tactics and tooling to reach modern development workflows. By combining a supply-chain playbook with code tailored to appeal to AI assistants and moving to compiled, cross-platform payloads, the campaign turned routine package installs into a direct path for secret theft and crypto theft. The concrete choices ahead are operational—who audits AI-influenced commits, who enforces dependency hygiene, and who walks the chain of transitive packages before a library reaches an autonomous trading agent.

https://www.infosecurity-magazine.com/news/ai-npm-dependency-targets-crypto/