AI commit opens crypto wallet risk

A malicious npm dependency slipped into an AI-assisted crypto trading project has exposed how automated coding tools can be manipulated into importing software that steals credentials, wallet data and source code.

The campaign, named PromptMink by security researchers, centres on the npm package @validate-sdk/v2, which presents itself as a utility for hashing, validation, encoding, decoding and random generation. Its actual function is to harvest secrets from infected developer environments, including files linked to crypto wallets, API keys and project credentials.

The package was introduced into an autonomous crypto trading agent through a February 28 commit co-authored by Anthropic’s Claude Opus large language model. The commit added @solana-launchpad/sdk as a dependency to openpaw-graveyard, a package designed to create a social on-chain identity on the Solana blockchain, trade cryptocurrency through Bankr and interact with other agents. That first-layer dependency then pulled in @validate-sdk/v2, placing the real payload one step deeper in the supply chain.

The case marks a significant shift in open-source risk. Attackers no longer need only to deceive human developers browsing package registries; they can also shape package names, documentation and functionality to make malicious libraries appear useful to AI coding agents. The strategy turns the growing reliance on AI-generated code into a supply-chain attack surface, particularly in fast-moving Web3 projects where developers often integrate new libraries at speed.

PromptMink has been linked to Famous Chollima, also tracked as Shifty Corsair, a North Korean-linked threat group associated with fraudulent technology worker schemes and developer-focused malware campaigns. The group has repeatedly targeted cryptocurrency developers, open-source maintainers and blockchain projects, using fake companies, job interviews and coding assessments to deliver malicious npm and Python packages.

The campaign has operated for more than seven months and spans more than 60 malicious packages across more than 300 published versions. The first identified package in the chain, @hash-validator/v2, appeared in September 2025. When it was detected and removed, the attackers replaced it with @validate-sdk/v2 on the same day, preserving the earlier code and continuing the campaign through fresh package names.

The architecture is deliberately layered. First-layer packages such as @solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk and @solana-ipfs/sdk appear to offer crypto-related functions and often list widely used dependencies. Hidden among those legitimate entries are second-layer packages containing the malicious code. This division allows attackers to preserve the apparent legitimacy of the bait package while rotating payload packages when detection occurs.

Early versions used obfuscated JavaScript to scan project directories for .env and .json files, compress the results and send them to attacker-controlled infrastructure. Later versions grew more sophisticated, using Node single executable applications, then Rust-based add-ons to reduce obvious indicators and broaden operating-system coverage. Linux payloads added the attacker’s public SSH key to authorised keys, creating a persistence mechanism. Later Rust versions extended SSH support to Windows and began compressing and stealing entire project directories, including source code.

The theft of full project folders broadens the damage beyond crypto wallet exposure. Access to private repositories, cloud keys, deployment tokens and environment files can enable further intrusions against companies, customers and downstream software users. In developer workstations and CI/CD systems, a single poisoned dependency can reach build secrets, package publishing tokens and production credentials.

The incident also underlines the limits of conventional dependency review. A package may contain harmless-looking surface code while importing harmful payloads through nested dependencies. Automated scanners that evaluate only direct dependencies or visible JavaScript may miss executable binaries, Rust add-ons or transitive packages fetched through trusted registries.
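The gap between direct and transitive review can be closed by walking the whole lockfile rather than package.json. The following is an added example, not code from the researchers or from the affected project: it follows every dependency edge in an npm lockfile and reports the chain that introduces a package named in this article. The lockfile contents, version strings and project name are constructed placeholders.

```javascript
// Package names reported in the article (bait and payload layers).
const FLAGGED = new Set([
  '@validate-sdk/v2', '@hash-validator/v2', '@solana-launchpad/sdk', '@meme-sdk/trade',
  '@validate-ethereum-address/core', '@solmasterv3/solana-metadata-sdk',
  '@pumpfun-ipfs/sdk', '@solana-ipfs/sdk',
]);

// Resolve `name` as Node does from `fromPath`: nearest node_modules first, then outward.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk of the "packages" map (lockfileVersion 2/3), root project first.
function findFlagged(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const findings = [];
  const seen = new Set(['']);
  const queue = [{ path: '', chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.devDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const next = [...chain, `${name}@${packages[target].version}`];
      if (flagged.has(name)) findings.push({ name, direct: chain.length === 0, chain: next });
      queue.push({ path: target, chain: next });
    }
  }
  return findings;
}

// Constructed lockfile; versions and the project name are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'example-trading-agent', dependencies: { '@solana-launchpad/sdk': '*' } },
  'node_modules/@solana-launchpad/sdk': { version: '0.0.0-example',
    dependencies: { '@validate-sdk/v2': '*', 'example-benign-lib': '*' } },
  'node_modules/@validate-sdk/v2': { version: '0.0.0-example' },
  'node_modules/example-benign-lib': { version: '0.0.0-example' },
} };
for (const f of findFlagged(SAMPLE_LOCK)) console.log(f.direct ? 'direct' : 'transitive', f.chain.join(' > '));
```

A name match only catches packages already reported; because the payload packages were rotated under fresh names, the same walk is more useful when it also feeds each resolved package into the age, maintainer and binary-content checks described below.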

Security teams are being urged to review AI-generated commits with the same scrutiny applied to external pull requests. New dependencies should be verified against registry history, maintainer reputation, package age, download patterns, binary contents and network behaviour. Developers using AI coding assistants should treat package suggestions as untrusted until independently checked, especially when the code touches wallets, private keys, signing functions or deployment credentials.


