"The new malware campaign [...] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent," ReversingLabs researcher Vladimir Pezo said in a report shared with The Hacker News.
PromptMink and the @validate-sdk/v2 npm package
Security researchers have identified a malicious npm package, @validate-sdk/v2, whose public description masks code that "plunders sensitive secrets from the compromised environment," ReversingLabs reports. The package is listed as a utility SDK for hashing, validation, encoding/decoding, and secure random generation, but was first uploaded to npm in October 2025 with behavior aimed at stealing crypto-wallet credentials and other secrets.
ReversingLabs linked this activity — codenamed PromptMink — to the North Korean threat actor Famous Chollima (aka Shifty Corsair), which has previously operated campaigns named Contagious Interview and the fraudulent IT Worker scam. The tainted package was introduced via a Feb. 28 commit to an autonomous trading agent; that commit was co‑authored by Anthropic's Claude Opus large language model (LLM), according to the report.
Layered dependencies, evasion techniques, and rapid evolution
The campaign uses a multi-layer dependency model: benign first-layer packages import second-layer packages that contain the malicious logic. If a second-layer package is removed or flagged, attackers quickly replace it. ReversingLabs enumerated several first-layer packages used as bait — among them @solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk, and @solana-ipfs/sdk — many of which list popular, widely downloaded libraries and hide malicious dependencies among them.
Attackers employ typosquatting, publish malicious versions of legitimate functions, and bury references deep in package-lock.json files so the resolved field points to crafted GitHub release artifacts rather than the official registry. JFrog had documented transitive dependency abuse in the campaign earlier, and ReversingLabs said the operators extended the technique to PyPI in February 2026 with a package named "scraper-npm."
The malware has evolved technically: early JavaScript stealers scoured directories for .env and .json files and staged exfiltration to a Vercel URL (ipfs-url-validator.vercel.app). Later iterations used a Node.js single executable application (SEA) embedding PromptMink, which ballooned payload size from 5.1KB to roughly 85MB and prompted the operators to shift toward pre‑compiled Node.js add-ons built with NAPI‑RS in Rust. More recent activity includes establishing persistent SSH access and Rust-compiled payloads to exfiltrate entire projects, including source code and intellectual property.
Contagious Trader and a new express-session-js RAT
Related activity includes a malicious npm package named express-session-js, tied to the Contagious Interview campaign, that acts as a dropper and fetches a second-stage obfuscated payload from JSON Keeper. SafeDep's static deobfuscation of the stage‑2 payload revealed "a full Remote Access Trojan (RAT) and information stealer" that connects to 216[.]126[.]237[.]71 via Socket.IO and performs browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control.
The campaign repurposes legitimate libraries — socket.io-client for C2 communications, screenshot-desktop for screen capture, sharp for image compression, and clipboardy for clipboard access — and has added @nut-tree-fork/nut-js to enable mouse and keyboard control, widening the RAT's interactive control capabilities. Researchers noted overlap with OtterCookie, a stealer distributed via trojanized projects and malicious npm packages like gemini-ai-checker, express-flowlimit, and chai-extensions-extras.
Graphalgo: fake companies, interview lures, and GitHub-hosted dependencies
A separate but simultaneous campaign, dubbed graphalgo, targets developers through fake companies, fake job interviews, and coding tests. Operators set up convincing profiles on platforms such as GitHub, LinkedIn, and X and even registered a U.S. LLC named Blockmerce in Florida in August 2025. ReversingLabs security researcher Karlo Zanki said the linked organizations and GitHub organizations had been active since June 2025 to add a veneer of legitimacy to fake job offerings.
Targets are tricked into downloading GitHub-hosted assessment projects that include dependencies pointing to malicious packages hosted as GitHub release artifacts. The packages observed in this lure include graph-dynamic, graphbase-js, and graphlib-js. The final outcome is the deployment of a RAT capable of gathering system information, enumerating files, listing processes, creating and deleting files, and uploading and downloading data.
What this means for developers, security teams, and cryptocurrency-focused organizations
- Developers and open-source maintainers: expect malicious packages to hide as transitive dependencies and to be delivered via GitHub release artifacts as well as npm/PyPI. The campaign shows threat actors intentionally mixing popular libraries with a small number of malicious packages to blend into normal dependency lists.
- Security teams and enterprises focused on cryptocurrency: attackers are explicitly aiming to access crypto wallets and funds, using Vercel-hosted exfiltration endpoints and C2 servers like csec-c2-server.onrender[.]com. The actors have demonstrated the ability to adapt payload delivery — from obfuscated JS to Rust-based add-ons and SSH backdoors — and have used infrastructure overlaps to pivot between campaigns.
- Job-seeking developers and hiring teams: fake companies named Veltrix Capital, Blockmerce, and Bridgers Finance have been used as part of social-engineering lures. Code assessment artifacts and download instructions from those profiles should be treated as potential vectors for malicious dependency inclusion.
ReversingLabs concludes that Famous Chollima is "leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers." The campaign's blend of AI-assisted commits, transitive dependency abuse, fake corporate infrastructure, and upgraded RAT tooling marks a clear evolution in technique — and raises a pointed operational question: will package registries and code-hosting platforms change how they validate and trace resolved dependency sources before the next wave of samples appears?
