Supply Chain | Apr 29, 2026

New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs

DPRK-linked Famous Chollima uses AI-generated malware in layered npm packages to steal crypto and deploy RATs.

Summary

North Korean threat actor Famous Chollima has launched a sophisticated supply chain attack called PromptMink, embedding malicious code into legitimate-looking npm packages targeting Web3 developers. The campaign uses AI-generated code, typosquatting, and a two-layer dependency structure to evade detection and steal cryptocurrency wallet credentials and SSH access. The attack has evolved from JavaScript stealers to Rust-compiled payloads capable of deploying persistent backdoors across Windows, Linux, and macOS systems.

Full text

Ravie Lakshmanan | Apr 29, 2026 | Malware / Social Engineering

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package was added as a dependency to the project by Anthropic's Claude Opus large language model (LLM).

The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025.

The malware campaign has been codenamed PromptMink by ReversingLabs, which linked the activity to a broader campaign mounted by the North Korean threat actor known as Famous Chollima (aka Shifty Corsair), which is behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam.

"The new malware campaign [...] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent," ReversingLabs researcher Vladimir Pezo said in a report shared with The Hacker News. "The commit was co-authored by Anthropic's Claude Opus large language model (LLM). It allows attackers to access users' crypto wallets and funds."

The package is listed as a dependency for another npm package named "@solana-launchpad/sdk," which, in turn, is used by a third package called "openpaw-graveyard," which is described as an "autonomous AI agent" that creates a social on-chain identity on the Solana blockchain using the Tapestry Protocol, trades cryptocurrency via Bankr, and interacts with other agents on Moltbook.
ReversingLabs said the AI agent-generated package was added as a dependency in a source code commit made in February 2026, causing the agent package to execute malicious code and give attackers access via leaked credentials to the victim's cryptocurrency wallets and funds.

The attack adopts a phased approach, where the first-layer packages do not contain any malicious code, but import second-layer packages that actually embed the nefarious functionality. Should the second-layer packages be detected or removed from npm, they are swiftly replaced.

Some of the first-layer packages identified are listed below:

  • @solana-launchpad/sdk
  • @meme-sdk/trade
  • @validate-ethereum-address/core
  • @solmasterv3/solana-metadata-sdk
  • @pumpfun-ipfs/sdk
  • @solana-ipfs/sdk

"They implement some functionality related to cryptocurrencies," ReversingLabs explained. "And each package lists many dependencies, most of which are popular npm packages with download counts in the millions and billions, like axios, bn.js etc. However, a small number of the dependencies are malicious packages from the second layer."

The threat actors employ various techniques to help the rogue packages escape detection. These include creating a malicious version of the functions already present in the listed popular packages. Another technique uses typosquatting, where the names and descriptions mimic legitimate libraries.

The first package version published to npm as part of this campaign dates back to September 2025, when "@hash-validator/v2" was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts – a benign bait that downloads the actual malware – may have helped it evade detection and conceal the true scale of the attack.

It's worth noting that some aspects of the activity were documented by JFrog two months later, highlighting the threat actor's use of transitive dependencies to execute malicious code on developer systems and siphon valuable data.
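Because the first-layer packages are clean and the payload arrives as a transitive dependency, checking only the direct dependencies in package.json misses it. The following Node.js script is an added example, not code from ReversingLabs or the original article: it walks the `packages` map of a package-lock.json and reports the dependency chain that pulls in any package named above. The sample lockfile, its `example-agent` root and all version numbers are constructed for illustration.

```javascript
// Added example. Watchlists hold only the package names the article lists.
const FIRST_LAYER = ['@solana-launchpad/sdk', '@meme-sdk/trade',
  '@validate-ethereum-address/core', '@solmasterv3/solana-metadata-sdk',
  '@pumpfun-ipfs/sdk', '@solana-ipfs/sdk'];
const SECOND_LAYER = ['@validate-sdk/v2', '@hash-validator/v2'];

// npm resolution: try the requiring package's own node_modules, then walk up.
function resolve(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk of the lockfile "packages" map (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  const seen = new Set(['']);
  const queue = [{ path: '', chain: ['(root)'] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const e = packages[path] || {};
    const deps = { ...e.dependencies, ...e.optionalDependencies, ...e.devDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (!target || seen.has(target)) continue; // unresolved or already visited
      seen.add(target);
      const next = [...chain, dep];
      const layer = SECOND_LAYER.includes(dep) ? 'second' : FIRST_LAYER.includes(dep) ? 'first' : null;
      if (layer) findings.push({ name: dep, version: packages[target].version, layer, chain: next });
      queue.push({ path: target, chain: next });
    }
  }
  return findings;
}

// Constructed lockfile: package versions are made up for the example.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'example-agent', dependencies: { axios: '^1.0.0', '@solana-launchpad/sdk': '^1.0.0' } },
  'node_modules/axios': { version: '1.0.0' },
  'node_modules/@solana-launchpad/sdk': { version: '1.0.0', dependencies: { 'bn.js': '^5.0.0', '@validate-sdk/v2': '^1.0.0' } },
  'node_modules/bn.js': { version: '5.0.0' },
  'node_modules/@validate-sdk/v2': { version: '1.0.0' },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f.layer, f.chain.join(' > '));
```

Matching is by package name only, so it catches the names already published in reports and nothing else; since the article notes that removed second-layer packages are swiftly replaced, a clean result does not clear a project.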
In the intervening months, the campaign has undergone various transformations, even targeting the Python Package Index (PyPI) by pushing a malicious package ("scraper-npm") with the same functionality in February 2026. As recently as last month, threat actors have been observed establishing persistent remote access via SSH and using Rust-compiled payloads to exfiltrate entire projects containing source code and other intellectual property from compromised systems.

Early versions of the malware were obfuscated JavaScript-based stealers that scan the current working directory recursively for .env or .json files and stage them for exfiltration to a Vercel URL ("ipfs-url-validator.vercel.app"), a platform repeatedly abused by Famous Chollima in its campaigns.

Subsequent iterations came embedded with PromptMink in the form of a Node.js single executable application (SEA), but this approach had a notable disadvantage: it caused the payload size to grow from a mere 5.1KB to around 85MB. This is said to have caused the threat actors to shift to using NAPI-RS to create pre-compiled Node.js add-ons in Rust.

The evolution of the malware from a simple infostealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS, capable of dropping SSH backdoors and gathering entire projects, demonstrates North Korean threat actors' continued targeting of the open-source ecosystem to reach developers in the Web3 space.

Famous Chollima is "leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers," ReversingLabs added.

Contagious Trader Emerges

The findings coincide with the discovery of a malicious npm package named "express-session-js" that's believed to be linked to the Contagious Interview campaign, with the library acting as a conduit for a dropper that fetches a second-stage obfuscated payload from JSON Keeper, a paste service.

"Static deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control," SafeDep noted this month.

Interestingly, the use of legitimate packages like "socket.io-client" for command-and-control (C2) communication, "screenshot-desktop" for screen capture, "sharp" for image compression, and "clipboardy" for clipboard access overlaps with that of OtterCookie, a known stealer malware attributed to the campaign.

What's novel this time around is the addition of the "@nut-tree-fork/nut-js" package for mouse and keyboard control, suggesting broader attempts to upgrade the RAT capabilities to facilitate interactive control of infected hosts.

Figure: OtterCookie deployment chain

OtterCookie, for its part, has witnessed a maturation of its own, getting distributed via a trojanized open-source 3D chess project hosted on Bitbucket and malicious npm packages like "gemini-ai-checker," "express-flowlimit," and "chai-extensions-extras."

A third method has employed a Matryoshka Doll approach as part of a campaign dubbed Contagious Trader. The attack begins with the download of a benign wrapper package (e.g., "bjs-biginteger"), which then proceeds to download a malicious dependency (e.g., "bjs-lint-builder") and ultimately install the stealer.

Figure: Overlaps between Contagious Interview, Contagious Trader, and graphalgo

"The recent campaigns orchestrated by Shifty Corsair demonstrate the escalating threat of DPRK state-aligned cyber operations," BlueVoyant researcher Curt Buchanan said. "Their rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities."
Graphalgo Uses Fake Companies to Drop RAT

The development is significant as the threat actor has been simultaneously linked to another ongoing campaign dubbed graphalgo that lures developers using fake companies and leverages fake job interviews and coding tests to deliver malicious

Indicators of Compromise

  • domain — ipfs-url-validator.vercel.app
  • ip — 216.126.237.71
  • malware — PromptMink
  • malware — express-session-js
  • malware — scraper-npm

Entities

  • Famous Chollima (aka Shifty Corsair) (threat_actor)
  • North Korea (DPRK) (threat_actor)
  • PromptMink (campaign)
  • Contagious Interview (campaign)
  • Anthropic (vendor)
  • Claude Opus (product)