An open-source crypto trading project received a malicious npm package called @validate-sdk/v2 after Anthropic’s Claude Opus AI model made it a dependency. This gave hackers access to users’ crypto wallets and funds.
Security researchers from ReversingLabs (RL) found the breach in the openpaw-graveyard project, which is an autonomous crypto trading agent hosted on npm. They called it PromptMink.
The bad commit was made on February 28, 2026. ReversingLabs says that the package pretends to be a tool for checking data but really steals secrets from the host environment.
North Korean hackers linked to PromptMink malware
ReversingLabs said that the attack came from Famous Chollima, a North Korean state-sponsored threat group.
The group has been spreading malicious npm packages since at least September 2025. They have been improving a two-layer strategy that is meant to trick both human devs and AI coding assistants.
The first layer is made up of packages that don’t have any malicious code. These “bait” packages, like @solana-launchpad/sdk and @meme-sdk/trade, seem like real tools for crypto developers.
They list a few second-layer packages that carry the actual payload, along with popular npm packages like axios and bn.js as dependencies.
When the second-layer packages are reported and taken down from npm, the attackers just put in a new one without losing the reputation they’ve built around the bait packages.
ReversingLabs says that when @hash-validator/v2 was taken off of npm, the attackers released @validate-sdk/v2 the same day with the same version number and source code.
AI agents are more susceptible to hacks than humans
Security researchers stated that Famous Chollima’s method seems more suited to taking advantage of AI coding assistants than human developers. The group writes long, detailed documentation for its malicious packages, which researchers call “LLM Optimization abuse.”
The goal is to make packages look real enough that AI agents will suggest and install them without any problems. The infected packages were “vibe-coded” by generative AI tools. Leftover LLM responses are visible in the file comments.
Since late 2025, the PromptMink malware has taken on many different forms.
It started as a simple JavaScript infostealer, then grew into big single-executable applications, and now comes as compiled Rust payloads that are made to be stealthy, according to ReversingLabs.
When the malware is installed, it looks for configuration files related to crypto, steals wallet credentials and system information, compresses and sends project source code to itself, and drops SSH keys on Linux and Windows machines so it can always access them remotely.
The PromptMink campaign is not the only recent attack targeting crypto developers through package managers.
Last month, Cryptopolitan reported on GhostClaw, a malware that targeted the OpenClaw community through a fake npm installer. It harvested crypto wallet data, macOS Keychain passwords, and AI platform API tokens from 178 developers before removal from the npm registry.
PromptMink and GhostClaw use social engineering as an entry point and target developers working in crypto and Web3. What makes PromptMink different is that it targets AI coding agents and uses them as the attack path.
