
North Korean Malware Targets Crypto Developers via NPM Packages

Severity: High (Score: 74.9)

Sources: Panewslab, Mexc, www.reversinglabs.com, Cybersecuritynews, Cryptopolitan

Summary

A malicious npm package named @validate-sdk/v2, introduced through Anthropic’s Claude Opus AI model, has been linked to a breach in the open-source crypto trading project openpaw-graveyard. The malware, dubbed PromptMink, allows attackers to access users' crypto wallets and system keys. The attack was attributed to the North Korean state-sponsored group Famous Chollima, which has been deploying malicious npm packages since September 2025. Its strategy is a two-layer approach: initial "bait" packages contain no harmful code, while second-layer packages deliver the payload. PromptMink has evolved from a simple JavaScript infostealer to stealthy Rust payloads. Once installed, it steals sensitive information, including wallet credentials and project source code, and implants SSH keys for persistent access. The incident highlights a growing trend of supply chain attacks that target developers through AI-generated code.

Key Points

  • Malicious npm package @validate-sdk/v2 compromises crypto wallets via PromptMink malware.
  • Famous Chollima, a North Korean hacking group, employs a two-layer strategy for attacks.
  • PromptMink malware has evolved into stealthy Rust payloads, enhancing its effectiveness.

Key Entities

  • FAMOUS CHOLLIMA (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • North Korea (country)
  • cryptopolitan.com (domain)
  • Technology (industry)
  • GhostClaw (malware)
  • PromptMink (campaign)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • JavaScript (tool)
  • Npm (tool)
  • Claude Opus AI Model (tool)
  • Generative AI Tools (tool)
  • Linux (platform)
  • MacOS (platform)
  • Rust (platform)
  • Windows (platform)