Full Report
Cybersecurity researchers have discovered malicious code in an npm package that was added as a dependency to a project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real
Analysis Summary
# Threat Actor: Famous Chollima
## Attribution & Identity
* **Actor Name:** Famous Chollima
* **Aliases:** Shifty Corsair
* **Associated Groups:** DPRK (North Korean) state-sponsored threat actor
* **Known Campaigns:** Contagious Interview, fraudulent IT Worker scams (linked to OFAC-sanctioned networks).
## Activity Summary
The actor is currently conducting a campaign codenamed **PromptMink**. This campaign involves the creation of malicious npm and PyPI packages designed to steal cryptocurrency and sensitive credentials. A notable aspect of this operation is "vibe-coding," where the actor uses generative AI (specifically Anthropic’s Claude Opus) to write or commit malicious code. In one instance, a malicious dependency was co-authored by the LLM and merged into an autonomous trading agent.
## Tactics, Techniques & Procedures
* **Phased Supply Chain Attack:** Uses a multi-layer approach where the first layer (benign bait) imports a second-layer package containing the actual malicious logic.
* **AI-Assisted Development:** Utilizing LLMs (Claude Opus) to generate "vibe-coded" malicious software and co-author commits.
* **Transitive Dependency Exploitation:** Injecting malicious code through deep dependency chains to evade direct inspection.
* **Typosquatting:** Creating packages with names and descriptions that mimic legitimate, popular libraries.
* **Functional Mimicry:** Shadowing legitimate functions from popular packages (like `axios` or `bn.js`) with malicious versions.
* **Social Engineering:** Targeting developers of autonomous AI agents and cryptocurrency trading platforms.
* **Cross-Platform Targeting:** Expanding from npm (JavaScript) to PyPI (Python).
## Targeting
* **Sectors:** Cryptocurrency, Blockchain, AI Development, Decentralized Finance (DeFi).
* **Geography:** Global (targeting open-source package registries).
* **Victims:** Users of the Solana blockchain, developers of autonomous AI trading agents, and users of the Tapestry Protocol, Bankr, and Moltbook platforms.
## Tools & Infrastructure
* **Malware:** Cryptocurrency stealers and credential harvesters.
* **Malicious npm Packages:**
  * `@validate-sdk/v2`
  * `@solana-launchpad/sdk`
  * `@meme-sdk/trade`
  * `@validate-ethereum-address/core`
  * `@solmasterv3/solana-metadata-sdk`
  * `@pumpfun-ipfs/sdk`
  * `@solana-ipfs/sdk`
  * `@hash-validator/v2`
  * `openpaw-graveyard`
* **Malicious PyPI Packages:**
  * `scraper-npm`
* **Infrastructure:**
  * `moltbook[.]com`
  * `usetapestry[.]dev` (Targeted/Impersonated protocol)
  * `bankr[.]bot`
## Implications
This campaign represents an evolution in North Korean cyber operations, specifically the integration of Generative AI to accelerate malware development and increase the perceived legitimacy of malicious code. By targeting "autonomous AI agents," the actors are exploiting a nascent and rapidly growing sector where security auditing may be less mature than in traditional financial software. This poses a significant risk to the automated cryptocurrency trading ecosystem.
## Mitigations
* **Supply Chain Validation:** Implement strict software composition analysis (SCA) to identify transitive dependencies.
* **Dependency Pinning:** Use lockfiles (e.g., `package-lock.json`) and audit all new dependencies before updates.
* **Credential Management:** Use hardware security modules (HSMs) or cold storage for cryptocurrency private keys to prevent automated theft via leaked environment variables.
* **AI Code Review:** Increase scrutiny on code generated or assisted by LLMs, as they can be manipulated into suggesting malicious dependencies.
* **Network Monitoring:** Monitor for unauthorized outbound connections from development environments to unknown C2 domains or suspicious API endpoints.
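The phased, transitive-dependency technique described under Tactics and the lockfile-audit mitigation above can be checked with a small lockfile scan. The following is an added example, not code from the report or from any of the projects it names: it reads the `packages` map of an npm lockfile (v2/v3), flags any of the package names listed in this report wherever they appear in the tree, and prints the dependency chain that pulled each one in. The sample lockfile and the `bot-helpers` package name are constructed for illustration.

```javascript
// Watchlist: the malicious npm package names listed in this report.
const WATCHLIST = new Set([
  "@validate-sdk/v2", "@solana-launchpad/sdk", "@meme-sdk/trade",
  "@validate-ethereum-address/core", "@solmasterv3/solana-metadata-sdk",
  "@pumpfun-ipfs/sdk", "@solana-ipfs/sdk", "@hash-validator/v2", "openpaw-graveyard",
]);
// Package name from a lockfile key, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}
// Reverse edges: package name -> set of package names (or "<root>") that depend on it.
function buildDependents(lock) {
  const dependents = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const from = key === "" ? "<root>" : nameFromKey(key);
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(from);
    }
  }
  return dependents;
}
// Walk from a flagged package back to the project root, one dependent per hop;
// the `seen` set guards against cycles in the dependency graph.
function chainToRoot(name, dependents, seen = new Set()) {
  if (name === "<root>" || seen.has(name)) return [name];
  seen.add(name);
  const parents = dependents.get(name);
  if (!parents || parents.size === 0) return [name];
  return [...chainToRoot([...parents][0], dependents, seen), name];
}
// Returns [{ name, chain }] for every watchlisted package found anywhere in the lockfile,
// including ones reachable only through a benign-looking first-layer dependency.
function scanLockfile(lock) {
  const dependents = buildDependents(lock);
  return Object.keys(lock.packages || {})
    .filter((key) => key !== "" && WATCHLIST.has(nameFromKey(key)))
    .map((key) => ({
      name: nameFromKey(key),
      chain: chainToRoot(nameFromKey(key), dependents).join(" -> "),
    }));
}
// Constructed sample lockfile (not a real project): a first-layer "bot-helpers" package
// imports the second-layer package, so a direct-dependency review alone would miss it.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "bot-helpers": "^1.0.0" } },
  "node_modules/bot-helpers": { version: "1.0.0", dependencies: { "@validate-sdk/v2": "^2.0.0" } },
  "node_modules/@validate-sdk/v2": { version: "2.0.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.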