North Korean Malware Targets Crypto Developers via NPM Packages

North Korean Malware Targets Crypto Developers via NPM Packages

First seen 1 May 2026, 05:35 UTC CybersecuritynewsMexcPanewslabCryptopolitanCsoonline+1 84% similarity 74.9

Article Content

Browse articles
ThreatCluster

A malicious npm package named @validate-sdk/v2, introduced through Anthropic’s Claude Opus AI model, has been linked to a breach in the open-source crypto trading project openpaw-graveyard. This malware, dubbed PromptMink, allows hackers to access users' crypto wallets and system keys. The attack was attributed to the North Korean state-sponsored group Famous Chollima, which has been deploying malicious npm packages since September 2025. Their strategy involves a two-layer approach, where initial 'bait' packages contain no harmful code, while second-layer packages deliver the payload. The PromptMink malware has evolved from a simple JavaScript infostealer to stealthy Rust payloads. Once installed, it steals sensitive information, including wallet credentials and project source code, and implants SSH keys for persistent access. This incident highlights a growing trend of supply chain attacks targeting developers through AI-generated code.

Key Points: • Malicious npm package @validate-sdk/v2 compromises crypto wallets via PromptMink malware. • Famous Chollima, a North Korean hacking group, employs a two-layer strategy for attacks. • PromptMink malware has evolved into stealthy Rust payloads, enhancing its effectiveness.

ThreatCluster AI

Timeline

2025-09-01
Famous Chollima begins distributing malicious npm packages.
2026-02-28
Malicious commit introducing @validate-sdk/v2 made.
2026-05-01
ReversingLabs reports on PromptMink malware and its impact.

Community

Browse all →