AI-Generated Commit Injects PromptMink Malware into Crypto Trading Agent
Key Takeaways
- A sophisticated supply chain attack, dubbed PromptMink, has been discovered injecting malware into open-source crypto trading projects.
- The attack leverages AI coding assistant Claude Opus to co-author commits that introduce malicious dependencies.
- The PromptMink malware, primarily delivered via the @validate-sdk/v2 npm package, exfiltrates sensitive credentials and, in Linux environments, establishes persistent SSH backdoors.
- The campaign, active for over seven months, is attributed to the North Korean-linked threat group Famous Chollima.
- No immediate fix is available for already compromised systems, but vigilance in reviewing AI-generated code and new dependencies is crucial.
AI Co-Authored Commit Introduces PromptMink Malware into Crypto Trading Agents
A new, highly concerning supply chain attack has been identified, where the AI coding assistant Claude Opus was exploited to facilitate the injection of PromptMink malware into open-source crypto trading projects. This marks a significant evolution in how threat actors are weaponizing AI tools to compromise software development ecosystems, as detailed by security researchers at ReversingLabs.
The malicious activity centers around a series of npm packages collectively known as PromptMink. The campaign gained notoriety when a commit, partially generated by Anthropic’s Claude Opus large language model, introduced this malware into an autonomous crypto trading project.
Anatomy of the Attack: AI-Assisted Dependency Injection
The incident unfolded on February 28, 2026, when a commit was submitted to the openpaw-graveyard npm package, a component of an autonomous crypto trading agent. This commit ostensibly added a benign dependency, @solana-launchpad/sdk. However, this initial package served as a Trojan horse, silently pulling in a secondary, truly malicious dependency: @validate-sdk/v2.
While masquerading as a legitimate data validation utility, the @validate-sdk/v2 package secretly harvests sensitive credentials from the compromised host environment. These stolen details are then transmitted to an attacker-controlled server, with the ultimate objective of gaining unauthorized access to users’ cryptocurrency wallets and funds. The crucial element enabling this stealthy injection was the commit itself, co-authored by Claude Opus.
ReversingLabs researchers initiated their investigation after tracking suspicious iterations of the @validate-sdk/v2 npm package since October 2025. Their comprehensive analysis led to the naming of the campaign as PromptMink and its attribution to Famous Chollima, a North Korean-linked threat group. This same group was previously implicated in the “Contagious Interview” campaign, which used deceptive job interviews and coding assessments to deliver malicious packages to unsuspecting developers.
Sophisticated Evasion: The Two-Layered Approach
The PromptMink campaign employs a deliberate two-tiered structure designed to bypass automated security inspections. The initial layer consists of seemingly innocuous packages that are devoid of malicious code. These “bait” packages are meticulously crafted to emulate trusted development tools, complete with convincing documentation, thereby appealing to both human developers and AI coding assistants.
The actual malicious payload resides within the second layer: smaller, frequently updated packages that the first-layer dependency silently imports. When a developer or an AI agent integrates the first-layer package, the harmful second-layer component is automatically installed without any overt indication. This modular approach allows threat actors to easily replace compromised second-layer packages with new versions under different names, maintaining their malicious functionality even if a specific package is detected and removed.
The campaign has been active for over seven months, with attackers continuously publishing updated package versions. More than 60 unique malicious packages have been observed across over 300 versions, indicating ongoing and persistent activity.
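Because the second-layer package never appears in package.json, a review of the manifest alone misses it; the lockfile is where it shows up. The following added example (not code from the affected project or from ReversingLabs) compares two parsed package-lock.json files in the lockfileVersion 2/3 layout and lists every package a change introduces, including transitive ones. The lockfile fragments, the `example-http` package and all version strings are constructed for illustration.

```javascript
// Added example, not code from the affected project or from ReversingLabs.
// Both lockfile fragments are constructed; versions are placeholders.
const lockBefore = { packages: {
  "": { dependencies: { "example-http": "*" } },
  "node_modules/example-http": { version: "0.0.0-example" },
} };
const lockAfter = { packages: {
  "": { dependencies: { "example-http": "*", "@solana-launchpad/sdk": "*" } },
  "node_modules/example-http": { version: "0.0.0-example" },
  "node_modules/@solana-launchpad/sdk": {
    version: "0.0.0-example", dependencies: { "@validate-sdk/v2": "*" } },
  "node_modules/@validate-sdk/v2": { version: "0.0.0-example" },
} };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i < 0 ? path : path.slice(i + marker.length);
}

// Every package (or new version) present after the change but not before,
// with whether package.json asked for it and which packages pull it in.
function introducedPackages(before, after) {
  const known = new Set(
    Object.entries(before.packages).map(([p, m]) => `${p}@${m.version}`));
  const root = after.packages[""] || {};
  const direct = new Set(
    Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const entries = Object.entries(after.packages).filter(([p]) => p !== "");
  return entries
    .filter(([p, m]) => !known.has(`${p}@${m.version}`))
    .map(([p, m]) => {
      const name = nameOf(p);
      const requiredBy = entries
        .filter(([, d]) => name in { ...d.dependencies, ...d.optionalDependencies })
        .map(([q]) => nameOf(q));
      return { name, version: m.version, direct: direct.has(name), requiredBy,
               installScript: Boolean(m.hasInstallScript) }; // flag npm records in the lockfile
    });
}

for (const p of introducedPackages(lockBefore, lockAfter)) {
  const origin = p.direct ? "declared in package.json" : `pulled in by ${p.requiredBy.join(", ")}`;
  console.log(`${p.name}@${p.version}: ${origin}`);
}
```

For a real change, pass the parsed package-lock.json from the base and the head of the pull request; entries with `direct: false` are the ones no reviewer explicitly approved.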
Infection Mechanism: Inside the PromptMink Payload
Upon successful deployment, the @validate-sdk/v2 package initiates a comprehensive scan of the developer’s system. It targets environment files, JSON configuration files, API keys, and any data pertinent to cryptocurrency transactions or wallet access. The collected data is compressed and covertly exfiltrated to an attacker-controlled server. Early versions of the package employed base64-encoded URLs to obscure the destination, while later iterations shifted to dedicated domains to complicate tracking efforts.
As the campaign evolved, the threat actors enhanced the payload with more dangerous capabilities. On Linux-based systems, the malware embeds the attacker’s public SSH key into the victim’s authorized_keys file, thereby establishing a persistent backdoor for remote access, even if the original malicious package is subsequently removed. On Windows systems, the focus remains primarily on file exfiltration. More recent versions, rewritten in Rust, further expanded their capabilities to compress and steal entire project directories, including full source code, suggesting intellectual property theft as an additional objective.
What You Should Do
- Scrutinize AI-Generated Code: Treat all AI-generated code commits, especially those introducing new dependencies, with extreme caution and subject them to rigorous human review before merging.
- Verify New Dependencies: Always verify the legitimacy and integrity of new packages through trusted registries and thoroughly inspect them for any unexpected behaviors or permissions.
- Monitor Outbound Network Connections: Implement robust network monitoring in development environments to detect unusual outbound connections that could signal data exfiltration.
- Audit SSH Authorized Keys: Regularly audit SSH authorized_keys files on Linux systems for any unauthorized or suspicious entries that could indicate a persistent backdoor.
- Implement Supply Chain Security Tools: Utilize software supply chain security tools to scan for known vulnerabilities and malicious packages within your dependencies.
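Since the SSH key persists after the package is uninstalled, the authorized_keys audit has to be a separate step from dependency cleanup. The following added example (not from the original article) parses an authorized_keys file, including entries that carry an options prefix, and reports every key that is not in an approved baseline. The key blobs, comments and the idea of keeping the baseline as a list of approved blobs are assumptions made for illustration.

```javascript
// Added example. Key blobs and comments are constructed placeholders, not real keys.
const APPROVED = [
  "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEapprovedKEY000000000000000000",
  "AAAAB3NzaC1yc2EAAAADAQABEXAMPLEbackupKEY",
];
const sampleKeys = [
  "# constructed sample authorized_keys",
  `ssh-ed25519 ${APPROVED[0]} dev@laptop`,
  `command="/usr/bin/backup",no-pty ssh-rsa ${APPROVED[1]} backup@ci`,
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEunknownKEY0000000000000000000",
].join("\n");

const KEY_TYPE = /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/;

// Split on whitespace but keep quoted option values (command="a b") in one token.
function tokens(line) {
  return line.match(/(?:[^\s"]+|"(?:\\.|[^"\\])*")+/g) || [];
}

function parseAuthorizedKeys(text) {
  const out = [];
  text.split("\n").forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const t = tokens(line);
    const k = t.findIndex((tok) => KEY_TYPE.test(tok));
    // A line with no recognisable key type is reported rather than skipped.
    if (k < 0 || !t[k + 1]) { out.push({ line: idx + 1, malformed: true }); return; }
    out.push({ line: idx + 1, type: t[k], blob: t[k + 1],
               options: t.slice(0, k).join(" "), comment: t.slice(k + 2).join(" ") });
  });
  return out;
}

// Entries whose key blob is not in the approved baseline, plus malformed lines.
function unapproved(text, approvedBlobs) {
  const ok = new Set(approvedBlobs);
  return parseAuthorizedKeys(text).filter((e) => e.malformed || !ok.has(e.blob));
}

for (const e of unapproved(sampleKeys, APPROVED)) {
  console.log(`line ${e.line}: ${e.malformed ? "unparseable entry" : `unapproved ${e.type} key`}`);
}
```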