breach · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

North Korean APT37 Uses AI-Assisted Commit to Plant Malicious npm Package Targeting Crypto Wallets

ReversingLabs has uncovered a malicious npm package, @validate-sdk/v2, linked to North Korean threat actor Famous Chollima (APT37), which was added to an autonomous trading agent via an AI-assisted commit co-authored by Anthropic's Claude Opus model.

A malicious npm dependency linked to an AI-assisted code commit has been found stealing sensitive data and exposing crypto wallets. According to researchers at ReversingLabs, the package, disguised as a validation tool, enabled attackers to exfiltrate secrets from infected environments and access funds. The activity, tracked as PromptMink, involved the package @validate-sdk/v2, which was added to an autonomous trading agent in February 2026. The commit was reportedly co-authored by Anthropic's Claude Opus model.

Attribution points to North Korean state-sponsored actor Famous Chollima (also known as APT37 or Reaper), which has been active since 2018 and is known for targeting cryptocurrency developers. The group relied on a two-layer package strategy that separates legitimate-looking tools from hidden malicious payloads. Packages presented as useful Web3 utilities were used to attract adoption, while secondary dependencies quietly delivered the malware. This approach allowed attackers to maintain trust in widely visible components even as malicious elements were repeatedly replaced behind the scenes.

Across a seven-month period, the researchers tracked more than 60 packages and over 300 versions tied to the campaign, indicating sustained activity and refinement of delivery techniques. The use of an AI-assisted commit to introduce the malicious dependency marks a significant escalation in supply chain attacks, as attackers increasingly leverage large language models to craft code that appears legitimate to both human reviewers and automated security tools.

As the PromptMink campaign progressed, the underlying payload expanded well beyond simple credential theft. Early versions focused on harvesting sensitive files, but later iterations introduced broader capabilities that increased both impact and persistence. These included scanning directories for environment files and crypto-related data, collecting system information such as usernames and IP addresses, compressing entire project folders before exfiltration, and installing SSH keys to enable persistent remote access.

The malware also evolved technically, moving from JavaScript-based code to compiled binaries and Rust-based payloads. This shift improved evasion and allowed the same core functionality to operate across Linux and Windows environments. Evidence found in the code, including leftover prompts, suggests large language models (LLMs) were used in development. ReversingLabs noted that attackers are increasingly shaping malicious packages to appeal to AI coding assistants, extending supply chain risk into automated development workflows.

The discovery highlights the growing threat of AI-assisted supply chain attacks, where threat actors use generative AI to create convincing malicious code that can bypass traditional security measures. As autonomous agents and AI coding tools become more prevalent, the risk of such attacks is expected to increase, making it imperative for organizations to implement robust security practices for third-party dependencies and AI-generated code.
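Because the two-layer strategy described above hides the payload in a secondary dependency, a name check against the direct dependencies in `package.json` misses it. The sketch below is an added example, not code from ReversingLabs or from the affected project: it walks a `package-lock.json` (v2/v3 `packages` layout) and reports which direct dependency pulls in a flagged package. Only the name `@validate-sdk/v2` comes from the article; the sample lockfile, the other package names and all versions are constructed placeholders.

```javascript
// Added example. Only "@validate-sdk/v2" comes from the article; all else is constructed.
const FLAGGED = new Set(["@validate-sdk/v2"]);

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);

// Resolve `name` as required by the package at lockfile key `from`,
// walking up nested node_modules directories the way Node does.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root project. Returns the shortest chain for each
// installed copy of a flagged package: [direct dep, ..., flagged package].
function findFlaggedChains(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]);
  const queue = [""];
  const chains = [];
  while (queue.length) {
    const key = queue.shift();
    const pkg = packages[key] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(key === "" ? pkg.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const child = resolve(packages, key, dep);
      if (!child || parent.has(child)) continue;
      parent.set(child, key);
      queue.push(child);
      if (!flagged.has(nameOf(child))) continue;
      const chain = [];
      for (let k = child; k; k = parent.get(k)) chain.unshift(`${nameOf(k)}@${packages[k].version}`);
      chains.push(chain);
    }
  }
  return chains;
}

// Constructed lockfile (lockfileVersion 3 layout); names and versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "trading-agent-example", dependencies: { "example-web3-utils": "^1.0.0", "left-example": "^2.0.0" } },
  "node_modules/example-web3-utils": { version: "1.0.0", dependencies: { "@validate-sdk/v2": "*" } },
  "node_modules/left-example": { version: "2.0.0" },
  "node_modules/@validate-sdk/v2": { version: "0.0.0-placeholder" },
} };

console.log(findFlaggedChains(SAMPLE_LOCK).map((c) => c.join(" -> ")));
```

Run against a real project by passing the parsed contents of its `package-lock.json` to `findFlaggedChains`; the first element of each chain is the direct dependency to review or remove.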

Synthesized by Vypr AI