Best crypto insights delivered straight to your inbox.
- A threat group planted a malicious npm package in a crypto trading project through an AI-generated commit by Anthropic’s Claude.
- The malware steals crypto wallet credentials and system secrets using a two-layer package strategy.
- Developers using AI agents to write code should manually review any commits that add new dependencies.
An open-source crypto trading project received a malicious npm package called @validate-sdk/v2 after Anthropic’s Claude Opus AI model made it a dependency. This gave hackers access to users’ crypto wallets and funds.
Security researchers from ReversingLabs (RL) found the breach in the openpaw-graveyard project, which is an autonomous crypto trading agent hosted on npm. They called it PromptMink.
The bad commit was made on February 28, 2026. ReversingLabs says that the package pretends to be a tool for checking data but really steals secrets from the host environment.
North Korean hackers linked to PromptMink malware
ReversingLabs said that the attack came from Famous Chollima, a North Korean state-sponsored threat group.
The group has been spreading malicious npm packages since at least September 2025. They have been improving a two-layer strategy that is meant to trick both human devs and AI coding assistants.
The first layer is made up of packages that don’t have any malicious code. These “bait” packages, like @solana-launchpad/sdk and @meme-sdk/trade, seem like real tools for crypto developers.
They list a few second-layer packages that carry the actual payload, along with popular npm packages like axios and bn.js as dependencies.
When the second-layer packages are reported and taken down from npm, the attackers just put in a new one without losing the reputation they’ve built around the bait packages.
ReversingLabs says that when @hash-validator/v2 was taken off of npm, the attackers released @validate-sdk/v2 the same day with the same version number and source code.
AI agents are more susceptible to hacks than humans
Security researchers stated that Famous Chollima’s method seems more suited to taking advantage of AI coding assistants than human developers. The group writes long, detailed documentation for its malicious packages, which researchers call “LLM Optimization abuse.”
The goal is to make packages look real enough that AI agents will suggest and install them without any problems. The infected packages were “vibe-coded” by generative AI tools. Leftover LLM responses are visible in the file comments.
Since late 2025, the PromptMink malware has taken on many different forms.
It started as a simple JavaScript infostealer, then grew into big single-executable applications, and now comes as compiled Rust payloads that are made to be stealthy, according to ReversingLabs.
When the malware is installed, it looks for configuration files related to crypto, steals wallet credentials and system information, compresses and sends project source code to itself, and drops SSH keys on Linux and Windows machines so it can always access them remotely.
The PromptMink campaign is not the only recent attack targeting crypto developers through package managers.
Last month, Cryptopolitan reported on GhostClaw, a malware that targeted the OpenClaw community through a fake npm installer. It harvested crypto wallet data, macOS Keychain passwords, and AI platform API tokens from 178 developers before removal from the npm registry.
PromptMink and GhostClaw use social engineering as an entry point and target developers working in crypto and Web3. What makes PromptMink different is that it targets AI coding agents and uses them as the attack path.
If you're reading this, you’re already ahead. Stay there with our newsletter.
FAQs
What is PromptMink?
PromptMink is a malware campaign in which a malicious npm package disguised as a data validation tool steals cryptocurrency wallet credentials, and other system secrets.
Who is behind the PromptMink attack?
The group behind the PromptMink attack is Famous Chollima, a state-sponsored threat group linked to North Korea.
How did the malicious package end up in the crypto trading project?
The @validate-sdk/v2 package was added as a dependency through a commit to the openpaw-graveyard project that was co-authored by Anthropic's Claude Opus AI model. It was tricked into recommending the package by the attackers' deceptive documentation.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Randa Moses
Randa Moses is an editor and reporter at Cryptopolitan covering tech, AI, robotics, crypto, scams, and hacks. She has worked in the crypto space since 2017. She held roles at Forward Protocol, AmaZix, and Cryptosomniac. Randa holds a degree in Electrical and Electronics Engineering from the University of Bradford.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)