AI-Generated Commit Injects PromptMink Malware into Crypto Trading Agent

Emy Elsamnoudy
April 30, 2026

Key Takeaways

  • A sophisticated supply chain attack, dubbed PromptMink, has been discovered injecting malware into open-source crypto trading projects.
  • The attack leverages AI coding assistant Claude Opus to co-author commits that introduce malicious dependencies.
  • The PromptMink malware, primarily delivered via the @validate-sdk/v2 npm package, exfiltrates sensitive credentials and, in Linux environments, establishes persistent SSH backdoors.
  • The campaign, active for over seven months, is attributed to the North Korean-linked threat group Famous Chollima.
  • No immediate fix is available for already compromised systems, but vigilance in reviewing AI-generated code and new dependencies is crucial.

AI Co-Authored Commit Introduces PromptMink Malware into Crypto Trading Agents

A new, highly concerning supply chain attack has been identified, where the AI coding assistant Claude Opus was exploited to facilitate the injection of PromptMink malware into open-source crypto trading projects. This marks a significant evolution in how threat actors are weaponizing AI tools to compromise software development ecosystems, as detailed by security researchers at ReversingLabs.

The malicious activity centers around a series of npm packages collectively known as PromptMink. The campaign gained notoriety when a commit, partially generated by Anthropic’s Claude Opus large language model, introduced this malware into an autonomous crypto trading project.

Anatomy of the Attack: AI-Assisted Dependency Injection

The incident unfolded on February 28, 2026, when a commit was submitted to the openpaw-graveyard npm package, a component of an autonomous crypto trading agent. This commit ostensibly added a benign dependency, @solana-launchpad/sdk. However, this initial package served as a Trojan horse, silently pulling in a secondary, truly malicious dependency: @validate-sdk/v2.

While masquerading as a legitimate data validation utility, the @validate-sdk/v2 package secretly harvests sensitive credentials from the compromised host environment. These stolen details are then transmitted to an attacker-controlled server, with the ultimate objective of gaining unauthorized access to users’ cryptocurrency wallets and funds. The crucial element enabling this stealthy injection was the commit itself, co-authored by Claude Opus.

ReversingLabs researchers initiated their investigation after tracking suspicious iterations of the @validate-sdk/v2 npm package since October 2025. Their comprehensive analysis led to the naming of the campaign as PromptMink and its attribution to Famous Chollima, a North Korean-linked threat group. This same group was previously implicated in the “Contagious Interview” campaign, which used deceptive job interviews and coding assessments to deliver malicious packages to unsuspecting developers.

Sophisticated Evasion: The Two-Layered Approach

The PromptMink campaign employs a deliberate two-tiered structure designed to bypass automated security inspections. The initial layer consists of seemingly innocuous packages that are devoid of malicious code. These “bait” packages are meticulously crafted to emulate trusted development tools, complete with convincing documentation, thereby appealing to both human developers and AI coding assistants.

The actual malicious payload resides within the second layer: smaller, frequently updated packages that the first-layer dependency silently imports. When a developer or an AI agent integrates the first-layer package, the harmful second-layer component is automatically installed without any overt indication. This modular approach allows threat actors to easily replace compromised second-layer packages with new versions under different names, maintaining their malicious functionality even if a specific package is detected and removed.

The campaign has been active for over seven months, with attackers continuously publishing updated package versions. More than 60 unique malicious packages have been observed across over 300 versions, indicating ongoing and persistent activity.
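
The two-layer pattern described above shows up in a lockfile diff: the commit declares one package, but the resolved tree gains another that nobody declared. The following is an added example, not code from the article or from ReversingLabs. It compares two npm lockfiles (lockfileVersion 3 layout) and reports every package that is new or changed version, whether the project declared it, and which package requires it. The lockfile contents, the versions and the names `example-agent` and `example-lib` are constructed.

```python
import json

# Constructed lockfile fragments (npm lockfileVersion 3 layout). The two scoped
# package names are the ones named in the article; versions are made up.
BEFORE = json.loads("""{"packages": {
  "": {"name": "example-agent", "dependencies": {"example-lib": "^1.3.0"}},
  "node_modules/example-lib": {"version": "1.3.0"}}}""")

AFTER = json.loads("""{"packages": {
  "": {"name": "example-agent",
       "dependencies": {"example-lib": "^1.3.0", "@solana-launchpad/sdk": "^1.0.0"}},
  "node_modules/example-lib": {"version": "1.3.0"},
  "node_modules/@solana-launchpad/sdk": {
      "version": "1.0.0", "dependencies": {"@validate-sdk/v2": "^1.0.0"}},
  "node_modules/@validate-sdk/v2": {"version": "1.0.0"}}}""")


def name_of(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested installs)."""
    return path.rpartition("node_modules/")[2]


def changed_packages(before, after):
    """List packages in `after` whose (name, version) was not in `before`."""
    old_pairs = {(name_of(p), m.get("version"))
                 for p, m in before["packages"].items() if p}
    old_names = {name for name, _ in old_pairs}
    root = after["packages"][""]
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = []
    for path, meta in after["packages"].items():
        name = name_of(path)
        if not path or (name, meta.get("version")) in old_pairs:
            continue  # root entry, or unchanged since the previous lockfile
        parents = sorted(name_of(p) for p, m in after["packages"].items()
                         if p and name in m.get("dependencies", {}))
        findings.append({
            "name": name,
            "version": meta.get("version"),
            "change": "version-changed" if name in old_names else "new",
            "declared_by_project": name in declared,
            "required_by": parents,
        })
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for finding in changed_packages(BEFORE, AFTER):
        print(finding)
```

Entries with `declared_by_project` set to false are the ones a reviewer never saw in the commit's `package.json` change and are worth inspecting before merge.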

Infection Mechanism: Inside the PromptMink Payload

Upon successful deployment, the @validate-sdk/v2 package initiates a comprehensive scan of the developer’s system. It targets environment files, JSON configuration files, API keys, and any data pertinent to cryptocurrency transactions or wallet access. The collected data is compressed and covertly exfiltrated to an attacker-controlled server. Early versions of the package employed base64-encoded URLs to obscure the destination, while later iterations shifted to dedicated domains to complicate tracking efforts.

As the campaign evolved, the threat actors enhanced the payload with more dangerous capabilities. On Linux-based systems, the malware embeds the attacker’s public SSH key into the victim’s authorized_keys file, thereby establishing a persistent backdoor for remote access, even if the original malicious package is subsequently removed. On Windows systems, the focus remains primarily on file exfiltration. More recent versions, rewritten in Rust, further expanded their capabilities to compress and steal entire project directories, including full source code, suggesting intellectual property theft as an additional objective.

What You Should Do

  • Scrutinize AI-Generated Code: Treat all AI-generated code commits, especially those introducing new dependencies, with extreme caution and subject them to rigorous human review before merging.
  • Verify New Dependencies: Always verify the legitimacy and integrity of new packages through trusted registries and thoroughly inspect them for any unexpected behaviors or permissions.
  • Monitor Outbound Network Connections: Implement robust network monitoring in development environments to detect unusual outbound connections that could signal data exfiltration.
  • Audit SSH Authorized Keys: Regularly audit SSH authorized_keys files on Linux systems for any unauthorized or suspicious entries that could indicate a persistent backdoor.
  • Implement Supply Chain Security Tools: Utilize software supply chain security tools to scan for known vulnerabilities and malicious packages within your dependencies.
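
One way to carry out the authorized_keys audit recommended above, as an added example that is not from the article: it fingerprints each entry the way OpenSSH does (SHA-256 of the key blob, unpadded base64) and reports any key that is not on an approved list. The sample keys are constructed byte patterns, not real keys, and the approved list is an assumption you would replace with your own inventory.

```python
import base64, binascii, hashlib, re, struct

# Key type, base64 blob, optional comment; options may precede the key type.
KEY_RE = re.compile(
    r'(?<!\S)((?:ssh|ecdsa|sk)-[A-Za-z0-9@.-]+) +([A-Za-z0-9+/]+={0,2})(?: +(.*))?$')

def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (key_type, blob, comment), or None if the line is not a valid key."""
    m = KEY_RE.search(line)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])
    except (binascii.Error, struct.error):
        return None
    # The blob embeds its own type string; it must match the text field.
    if blob[4:4 + tlen] != m.group(1).encode():
        return None
    return m.group(1), blob, (m.group(3) or "").strip()

def audit(text, approved):
    """Return (line_number, fingerprint_or_'unparseable', detail) per finding."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append((lineno, "unparseable", line[:40]))
        elif fingerprint(entry[1]) not in approved:
            findings.append((lineno, fingerprint(entry[1]), entry[2]))
    return findings

def sample_key(seed, comment):
    """Constructed ed25519-shaped blob (repeated byte, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return blob, "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

ADMIN_BLOB, ADMIN_LINE = sample_key(1, "admin@constructed")
ROGUE_BLOB, ROGUE_LINE = sample_key(2, "constructed-unknown")
SAMPLE = "\n".join(["# constructed authorized_keys", 'from="10.0.0.5" ' + ADMIN_LINE,
                    ROGUE_LINE, "ssh-ed25519 not-base64!"])
APPROVED = {fingerprint(ADMIN_BLOB)}
```

Run `audit()` over each account's `~/.ssh/authorized_keys` contents; every finding is either a key nobody approved or a line that needs a manual look.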

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
