A supply chain attack that leverages AI coding tools has surfaced in the software development sector. The campaign, named PromptMink, was detected in an open-source crypto trading project through a code commit co-authored by the AI model Claude Opus.
This incident reflects a strategic shift in how cybercriminals exploit AI to embed malicious code in genuine development work. The attack began on February 28, 2026, with a commit to the npm package openpaw-graveyard, a crypto trading agent. The commit introduced the @solana-launchpad/sdk dependency, which in turn pulled in a malicious package, @validate-sdk/v2, disguised as a data validation tool.
Uncovering the Threat
ReversingLabs researchers, who have been monitoring the suspicious @validate-sdk/v2 package since October 2025, were the first to expose this threat. They identified the operation as a coordinated supply chain attack by the North Korean-linked group, Famous Chollima. This group previously orchestrated the Contagious Interview campaign, targeting developers through deceptive job interviews to deploy harmful packages.
The PromptMink campaign utilizes a two-layer method to evade automated security checks. This involves distributing seemingly benign packages that lure developers and AI coding tools by imitating trusted resources. These first-layer packages then import second-layer malicious packages without detection, facilitating silent infiltration into development environments.
Attack Mechanisms and Implications
Upon installation, the @validate-sdk/v2 package searches directories for sensitive data, focusing on environment files, configuration data, and cryptocurrency-related information. These files are compressed and sent to an attacker-controlled server. Initial package versions used base64-encoded URLs to obscure the destination, while newer versions employ a dedicated domain to complicate tracking.
The threat actors have enhanced the malware with capabilities tailored to different operating systems. On Linux, the attacker’s SSH key is added to the victim’s authorized keys, enabling persistent access. On Windows, the malware focuses on exfiltrating sensitive files. Recent Rust-written versions extend this by stealing entire project directories, indicating an intent to commit intellectual property theft.
Defensive Measures for Developers
Developers and security teams are urged to scrutinize AI-generated code commits thoroughly, especially those that add new dependencies. It is crucial to validate packages against trusted sources and to monitor for unusual network activity. Regular audits of SSH authorized_keys files are recommended to detect unauthorized entries, which may signify a breach.
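Because of the two-layer delivery described above, the flagged package is listed only as a dependency of @solana-launchpad/sdk, so reviewing a project's own package.json will not show it. As an added example (not code from ReversingLabs or the original article), this JavaScript walks a parsed package-lock.json and reports which direct dependency pulls in @validate-sdk/v2; the sample lockfile, its version numbers and the function names are constructed for illustration.

```javascript
// Input: a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
const FLAGGED = new Set(["@validate-sdk/v2"]); // name taken from the article

// Resolve a dependency the way Node does: the dependent's own node_modules
// first, then each enclosing node_modules up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; returns one chain of
// "name@version" strings per installed copy of a flagged package.
function findFlaggedChains(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const chains = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, path, name);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const next = [...chain, name + "@" + packages[target].version];
      if (flagged.has(name)) chains.push(next);
      queue.push({ path: target, chain: next });
    }
  }
  return chains;
}

// Constructed sample lockfile; project name and versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app", dependencies: { "@solana-launchpad/sdk": "^0.0.0" } },
  "node_modules/@solana-launchpad/sdk": { version: "0.0.0",
    dependencies: { "@validate-sdk/v2": "^0.0.0" } },
  "node_modules/@validate-sdk/v2": { version: "0.0.0" },
} };

for (const c of findFlaggedChains(SAMPLE_LOCK)) console.log("FLAGGED:", c.join(" -> "));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findFlaggedChains and extend FLAGGED with any other package names your advisories list.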
