Mexc
North Korean Malware Targets Crypto Developers via NPM Packages
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A malicious npm package named @validate-sdk/v2, introduced through Anthropic’s Claude Opus AI model, has been linked to a breach in the open-source crypto trading project openpaw-graveyard. This malware, dubbed PromptMink, allows hackers to access users' crypto wallets and system keys. The attack was attributed to the North Korean state-sponsored group Famous Chollima, which has been deploying malicious npm packages since September 2025. Their strategy involves a two-layer approach, where initial 'bait' packages contain no harmful code, while second-layer packages deliver the payload. The PromptMink malware has evolved from a simple JavaScript infostealer to stealthy Rust payloads. Once installed, it steals sensitive information, including wallet credentials and project source code, and implants SSH keys for persistent access. This incident highlights a growing trend of supply chain attacks targeting developers through AI-generated code.
Key Points: • Malicious npm package @validate-sdk/v2 compromises crypto wallets via PromptMink malware. • Famous Chollima, a North Korean hacking group, employs a two-layer strategy for attacks. • PromptMink malware has evolved into stealthy Rust payloads, enhancing its effectiveness.