Vypr · breach · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

North Korean 'PromptMink' Campaign Uses AI-Inserted npm Malware to Steal Cryptocurrency

ReversingLabs has uncovered PromptMink, a North Korean threat-actor campaign that uses malicious npm packages introduced by an AI coding assistant to steal cryptocurrency from developers in the Web3 space.

Cybersecurity researchers at ReversingLabs have uncovered a sophisticated North Korean threat-actor campaign, dubbed PromptMink, that leverages malicious npm packages to steal cryptocurrency from developers. The campaign, linked to the infamous Famous Chollima group (also known as Shifty Corsair), marks a significant evolution in supply-chain attacks targeting the Web3 ecosystem. The malicious package @validate-sdk/v2 was uploaded to npm in October 2025 and was introduced as a dependency in a February 2026 commit co-authored by Anthropic's Claude Opus large language model (LLM), according to a report shared with The Hacker News.

The attack employs a multi-layer dependency chain to evade detection. First-layer packages, such as @solana-launchpad/sdk, @meme-sdk/trade, and @validate-ethereum-address/core, appear benign and implement legitimate cryptocurrency-related functionality. However, they import second-layer packages that contain the actual malicious code. If the second-layer packages are detected and removed from npm, the attackers swiftly replace them with new ones, ensuring the campaign's persistence. The malware exfiltrates cryptocurrency wallet credentials and funds from compromised systems.
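The layered chain described above only works if nobody looks past the first layer. As an added example (not ReversingLabs' tooling or any code from the report), the following Python script walks a `package-lock.json` (lockfileVersion 3) and answers two defender questions: through which direct dependency does a given package reach the project, and which packages with install hooks were never requested directly. The lockfile embedded below is constructed: the first-layer name is one the report lists, while `@placeholder-second-layer/stage` and `example-ui-lib` are placeholders, not packages from the campaign.

```python
"""Trace transitive dependency chains in an npm lockfile (lockfileVersion 3).

Added example: not the report's code. The SAMPLE_LOCK data is constructed;
'@placeholder-second-layer/stage' and 'example-ui-lib' are placeholders.
Usage: python lockwalk.py [path/to/package-lock.json] [package-name]
"""
import json
import sys
from typing import Dict, List, Optional

# Constructed lockfile: a first-layer package named in the report pulls in a
# placeholder second-layer package that carries an install hook.
SAMPLE_LOCK: Dict = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {
            "@validate-ethereum-address/core": "^1.0.0",
            "example-ui-lib": "^2.0.0",
        }},
        "node_modules/@validate-ethereum-address/core": {
            "version": "1.0.0",
            "dependencies": {"@placeholder-second-layer/stage": "^0.1.0"},
        },
        "node_modules/@placeholder-second-layer/stage": {
            "version": "0.1.0",
            "hasInstallScript": True,   # real lockfile v3 field for install hooks
        },
        "node_modules/example-ui-lib": {"version": "2.0.0"},
    },
}


def package_name(path: str) -> str:
    """'node_modules/@scope/pkg' or 'a/node_modules/b' -> '@scope/pkg' / 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(lock: Dict, from_path: str, name: str) -> Optional[str]:
    """Resolve `name` the way npm does: nearest enclosing node_modules wins."""
    packages = lock["packages"]
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Step up one nesting level ('a/node_modules/b' -> 'a', 'node_modules/a' -> '').
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_paths(lock: Dict, path: str) -> List[str]:
    """Lockfile paths of everything `path` depends on (regular + optional)."""
    entry = lock["packages"][path]
    names = {**entry.get("dependencies", {}), **entry.get("optionalDependencies", {})}
    resolved = [resolve(lock, path, n) for n in names]
    return [p for p in resolved if p is not None]


def chains_to(lock: Dict, target: str) -> List[List[str]]:
    """Every dependency chain from the project root down to package `target`."""
    found: List[List[str]] = []

    def walk(path: str, chain: List[str], seen: frozenset) -> None:
        for dep in dependency_paths(lock, path):
            name = package_name(dep)
            new_chain = chain + [name]
            if name == target:
                found.append(new_chain)
            if dep not in seen:              # guard against dependency cycles
                walk(dep, new_chain, seen | {dep})

    walk("", [], frozenset([""]))
    return found


def install_script_packages(lock: Dict) -> List[str]:
    """Names of all packages the lockfile flags as having install hooks."""
    return sorted(package_name(p) for p, e in lock["packages"].items()
                  if p and e.get("hasInstallScript"))


def transitive_install_scripts(lock: Dict) -> List[str]:
    """Install-hook packages the project never listed as a direct dependency."""
    direct = {package_name(p) for p in dependency_paths(lock, "")}
    return [n for n in install_script_packages(lock) if n not in direct]


def main() -> None:
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    for name in transitive_install_scripts(lock):
        print(f"install hook in transitive dependency: {name}")
        for chain in chains_to(lock, name):
            print("   reached via: " + " -> ".join(chain))


if __name__ == "__main__":
    main()
```

Run against a real lockfile, the report for each flagged package shows the direct dependency that brought it in, which is the line a reviewer should check in the commit that added it, whether a person or a coding assistant authored that commit.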

The PromptMink campaign has evolved significantly since its inception. Early versions were obfuscated JavaScript-based stealers that scanned the current working directory for .env or .json files and exfiltrated them to a Vercel URL. Later iterations shifted to Node.js single executable applications (SEA), but this grew the payload from 5.1 KB to 85 MB, prompting the attackers to adopt NAPI-RS to build pre-compiled Node.js add-ons in Rust. The malware now targets Windows, Linux, and macOS systems, and has been observed establishing persistent remote access via SSH and exfiltrating entire projects containing source code and intellectual property.

The campaign also extends to the Python Package Index (PyPI), where the malicious package scraper-npm was uploaded in February 2026 with similar functionality. ReversingLabs noted that the threat actors employ typosquatting and mimic legitimate library names and descriptions to evade detection. The first package version published as part of this campaign dates back to September 2025, when @hash-validator/v2 was uploaded to npm. The decision to split the cryptocurrency stealer into two parts—a benign bait that downloads the actual malware—has helped conceal the true scale of the attack.

The PromptMink campaign is part of a broader pattern of North Korean threat actors targeting the open-source ecosystem. Famous Chollima is also behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam. The group's use of AI-generated code and a layered package strategy demonstrates a sophisticated understanding of modern software development practices and a determination to deceive both human developers and automated coding assistants.

In a related development, SafeDep has discovered a malicious npm package named express-session-js linked to the Contagious Interview campaign. This package acts as a conduit for a dropper that fetches a second-stage obfuscated payload from JSON Keeper, a paste service, deploying a full Remote Access Trojan (RAT) and information stealer capable of browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control.

The PromptMink campaign underscores the growing threat of supply-chain attacks in the cryptocurrency and Web3 sectors. As developers increasingly rely on open-source packages and AI-assisted coding tools, the risk of malicious code being introduced through seemingly legitimate dependencies continues to rise. Organizations and individual developers are urged to carefully vet all dependencies, monitor for suspicious packages, and implement robust security practices to protect against these evolving threats.

Synthesized by Vypr AI