ReversingLabs researchers uncovered a supply-chain campaign dubbed PromptMink in which a malicious npm package @validate-sdk/v2 (and related packages) was introduced as a dependency—often via AI-generated commits—and exfiltrated secrets and crypto wallet access. The campaign is attributed to the North Korean-linked group Famous Chollima and uses multilayered bait-and-payload packages, obfuscation/SEA binaries, Rust N-API addons, and SSH backdoors to persist and exfiltrate data.
Keypoints
- ReversingLabs discovered malicious code in @validate-sdk/v2 that exfiltrates environment secrets and was introduced as a dependency in an autonomous crypto trading agent commit co-authored by an LLM.
- The campaign uses a two-layer strategy: legitimate-looking first-layer “bait” packages that import disposable second-layer malicious payload packages to maintain reputation while swapping payloads when detected.
- PromptMink evolved across multiple payload forms (obfuscated JS, SEA binaries, PyPI Python package, and Rust N-API compiled addons) to improve stealth, cross-platform capability, and exfiltration scope.
- Malware functionality includes recursive scanning for .env/.json files, collecting system/user info, compressing and exfiltrating projects, and dropping SSH public keys to enable remote access.
- Obfuscation, typosquatting, and embedding payloads in large executables were used to evade detection and to trick AI coding agents into recommending or adding malicious dependencies.
- ReversingLabs links the campaign to Famous Chollima based on infrastructure, targeting of Web3/trading tools, similarity to prior DPRK campaigns, and operational patterns across many packages and domains.
- Defensive recommendations include static analysis of all dependencies, integrating curated threat data into LLM coding agents, CI/CD monitoring, and using tools like Spectra Assure Community to detect malicious packages.
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious dependency introduced into open-source projects to compromise builds and downstream users (‘a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent’)
- [T1036] Masquerading – Use of typosquatting and names/descriptions that mimic legitimate packages to deceive users and tooling (‘Typosquatting — or using names and descriptions that mimic legitimate, popular packages (e.g. validator)’)
- [T1027] Obfuscated Files or Information – JS payloads and binaries obfuscated and LLM-assisted to evade detection (‘obfuscated JS infostealer with a base64 encoded exfiltration URL’)
- [T1552.001] Credentials In Files – Scanning and stealing credentials/secrets from local environment files like .env and .json (‘infostealer scans the current working directory recursively for any .env or .json files and collects them for exfiltration’)
- [T1083] File and Directory Discovery – Recursive directory enumeration to locate sensitive project files and environment files for collection (‘recursive walk through directories and collection of sensitive files’)
- [T1005] Data from Local System – Collection of files and project source code for exfiltration, including zipping entire projects in later payloads (‘zipping and exfiltrating entire projects, including source code’)
- [T1082] System Information Discovery – Gathering basic user/system info such as OS, IPs, and username (‘Collecting and exfiltrating basic user info (OS, public and local IPs, username)’)
- [T1098] Account Manipulation – Adding attacker SSH public keys to victim authorized_keys to enable remote access (‘added their public SSH key to the victim’s ~/.ssh/authorized_keys file, granting them remote access via an SSH session’)
- [T1567] Exfiltration Over Web Service – Exfiltration of collected data to web endpoints and domains used as C2/exfil endpoints (‘C2 infrastructure — typically using endpoints /api/validate/files, /api/validate/project-env, /api/validate/system-info to exfiltrate user data’)
Indicators of Compromise
- [IP Addresses] C2 and hosting infrastructure – 45[.]61[.]161[.]146, 45[.]8[.]22[.]144, and additional IPs (several more used across the campaign)
- [Domains] C2/exfiltration and malicious hosts – validator[.]uno, ipfs-url-validator[.]vercel[.]app, mywalletsss[.]store, and 20+ other domains tied to the campaign
- [C2 Endpoints] Exfiltration API paths – /api/validate/files, /api/validate/project-env, /api/validate/system-info (used to receive stolen files and system info)
- [Package Names] Malicious npm/PyPI packages used in campaign – @validate-sdk/v2, @solana-launchpad/sdk, openpaw-graveyard, scraper-npm (PyPI), and ~60 other unique packages involved across the campaign
- [File Hashes] Malicious PyPI package SHA1 examples – ae4fe9f9a4f099de9132eb3346abcdd96dbeb39d, e79ce589913bb8c5743bf0e55e075e2260c7a915 (scraper-npm 1.0.4), plus other hashes reported
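One way to apply the npm package-name indicators above, as an added example that is not code from the ReversingLabs report: it checks a parsed package-lock.json (lockfileVersion 2 or 3 assumed) for those names both as installed entries and as dependencies declared by other packages, which is where a first-layer bait package would show up. Handling of npm aliases goes beyond what the summary describes; the sample lockfile, the package `trade-helper` and all version numbers are constructed.

```javascript
// npm package names from the indicator list above (the PyPI entry is left out).
const FLAGGED = new Set(["@validate-sdk/v2", "@solana-launchpad/sdk", "openpaw-graveyard"]);

// Resolve the package a declared dependency really points to, including
// npm aliases of the form "alias": "npm:real-name@range".
function realName(depName, spec) {
  if (typeof spec !== "string" || !spec.startsWith("npm:")) return depName;
  const target = spec.slice(4);
  const at = target.lastIndexOf("@"); // index 0 is the scope marker, not a version
  return at > 0 ? target.slice(0, at) : target;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Installed entry: "name" is recorded when the install path is an alias.
    const installed = meta.name || path.split("node_modules/").pop();
    if (path && FLAGGED.has(installed)) {
      findings.push({ kind: "installed", name: installed, version: meta.version, path });
    }
    // Declared edges: which package asks for a flagged one (the bait layer).
    const declared = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    for (const [dep, spec] of Object.entries(declared)) {
      const name = realName(dep, spec);
      if (FLAGGED.has(name)) {
        findings.push({ kind: "declared", name, requiredBy: path || "(root project)" });
      }
    }
  }
  return findings;
}

// Constructed sample: the root project depends on a made-up bait package,
// which pulls in a flagged package under an innocuous alias.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", dependencies: { "trade-helper": "^1.2.0" } },
    "node_modules/trade-helper": {
      version: "1.2.0",
      dependencies: { validate: "npm:@validate-sdk/v2@^0.0.1" },
    },
    "node_modules/validate": { name: "@validate-sdk/v2", version: "0.0.1" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the `JSON.parse` result of its `package-lock.json` to `auditLockfile`; a lockfileVersion 1 file has no `packages` map and yields no findings here.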
Read more: https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto