Researchers discovered malicious code embedded in the npm package "@validate-sdk/v2" that acts as a credential and crypto-wallet stealer when introduced as a dependency to other projects. ReversingLabs calls the campaign PromptMink and links it to North Korean actor Famous Chollima, which leverages AI-generated code, layered dependencies, typosquatting and transitive-dependency tricks to deliver RATs and exfiltrate secrets. #PromptMink #FamousChollima
Key points
- A malicious npm package "@validate-sdk/v2" was used to plunder sensitive secrets and crypto-wallet credentials.
- ReversingLabs attributes the PromptMink campaign to North Korean actor Famous Chollima (Shifty Corsair), linking it to Contagious Interview/Trader activity.
- Attackers used AI-generated code (Anthropic's Claude Opus) and a two-layer dependency strategy where benign first-layer packages pull malicious second-layer packages.
- The campaign abuses transitive dependencies, typosquatting, GitHub release artifacts and Vercel-hosted C2 to evade detection and persist.
- Related operations (OtterCookie, Contagious Trader, graphalgo) deploy RATs, steal AWS/GitHub keys and lure developers via fake companies and job interview scenarios.
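As an added example (not code from the ReversingLabs report or the article), a lockfile check for the two-layer dependency pattern described above: it walks a constructed package-lock.json and reports every dependency chain from the project root to a flagged package name, so a package that is only pulled in transitively by a benign-looking first-layer dependency still shows up. The lockfile contents and the "first-layer-helper" package name are constructed for the demo.

```python
"""Find every dependency chain leading to a flagged npm package in a
package-lock.json (lockfileVersion 2/3). Sample lockfile is constructed."""
import json

# Constructed sample: the root project declares only a benign-looking
# first-layer package, which in turn pulls the flagged package.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"first-layer-helper": "^1.0.0", "left-pad": "^1.3.0"}},
    "node_modules/first-layer-helper": {"version": "1.0.0",
      "dependencies": {"@validate-sdk/v2": "^2.0.0"}},
    "node_modules/first-layer-helper/node_modules/@validate-sdk/v2": {"version": "2.0.1"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

def _resolve(packages, parent_path, dep_name):
    """Mimic npm lookup: nearest nested node_modules first, then walk up."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{dep_name}" if path else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        # drop the innermost "/node_modules/<name>" segment and retry one level up
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""

def find_chains(lock, target):
    """Return every list of package names from the root down to `target`."""
    packages = lock["packages"]
    chains = []

    def walk(pkg_path, chain, seen):
        entry = packages.get(pkg_path, {})
        for key in ("dependencies", "devDependencies"):
            for dep in entry.get(key, {}):
                dep_path = _resolve(packages, pkg_path, dep)
                if dep_path is None or dep_path in seen:
                    continue  # unresolved or already on this chain (cycle)
                if dep == target:
                    chains.append(chain + [dep])
                walk(dep_path, chain + [dep], seen | {dep_path})

    walk("", [], frozenset())
    return chains

def is_transitive_only(lock, target):
    """True if `target` is installed but never declared by the project itself."""
    chains = find_chains(lock, target)
    return bool(chains) and all(len(c) > 1 for c in chains)

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOCK, "@validate-sdk/v2"):
        print(" -> ".join(["(root)"] + chain))
```

Run against a real lockfile by replacing SAMPLE_LOCK with `json.load(open("package-lock.json"))`; a chain longer than one element means the flagged package arrived through another dependency rather than the project's own manifest.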
Read More: https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html