Famous Chollima used Claude Opus to push PromptMink

Security researchers at ReversingLabs found that an open-source crypto trading agent on npm, openpaw-graveyard, received a malicious dependency on Feb. 28, 2026. The dependency, published as @validate-sdk/v2, was introduced after Anthropic’s Claude Opus model added it to the project. The injected component carried PromptMink malware that harvested wallet credentials and other secrets from infected systems.

ReversingLabs identified the activity as a campaign operated by Famous Chollima, a North Korean state-linked threat group. The injected package appeared to be a data validation tool but contained code that collected crypto wallet configuration files, system information and authentication tokens. When the dependency was installed in a developer environment or pulled into an automated coding workflow, routines compressed source code, exfiltrated files to attacker infrastructure, stole wallet keys and installed persistent access by dropping SSH keys on Linux and Windows systems.

The researchers described a two-layer distribution strategy. The first layer uses benign-looking “bait” packages with documentation and release histories designed to build trust. Those packages list a small number of second-layer dependencies that carry the malicious payload. When a second-layer package is removed from the registry, the operators publish a replacement with the same version number and similar code to preserve the bait package’s reputation.

ReversingLabs found that the group adapted its tooling to target AI coding assistants. The attackers produced long documentation and left traces of generative-AI output in comments and files, a practice the researchers labeled LLM Optimization abuse. PromptMink payloads have evolved from simple JavaScript infostealers to single-executable programs and, more recently, compiled Rust binaries intended to be harder to detect.

The campaign targeted configuration files and developer environments used in crypto projects, exfiltrating credentials and installing backdoors for long-term access. The researchers noted rapid replacement of removed components, with @validate-sdk/v2 appearing on the same day a previous payload package was taken down.

ReversingLabs recommended that development teams and operators of automated coding agents audit newly added dependencies, verify package ownership and inspect source code rather than relying only on documentation or registry metadata. The researchers also advised restricting the privileges granted to automated agents and preventing unreviewed dependency additions for projects that handle cryptocurrency keys and other sensitive credentials.