Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by **Anthropic**'s Claude Opus large language model (LLM). The package in question is "[@validate-sdk/v2](https://www.npmjs.com/package/@validate-sdk/v2)," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025. ### PromptMink Campaign The malware campaign has been codenamed **PromptMink** by **ReversingLabs**, which linked the activity as part of a broader campaign mounted by the North Korean threat actor known as **Famous Chollima** (aka Shifty Corsair), which is behind the long-running [Contagious Interview](https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html) campaign and the [fraudulent IT Worker scam](https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html). "The new malware campaign [...] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent," **ReversingLabs** researcher Vladimir Pezo [said](https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto) in a report shared with The Hacker News. "The [commit was co-authored](https://github.com/ExpertVagabond/openpaw-graveyard/commit/cd3c6ccbfe02a0fcf249fdcf67fd3ec351a7ed7c) by **Anthropic**'s Claude Opus large language model (LLM). It allows attackers to access users' crypto wallets and funds." The package is listed as a dependency for another npm package named "[@solana-launchpad/sdk](https://www.npmjs.com/package/@solana-launchpad/sdk)," which, in turn, is used by a third package called "[openpaw-graveyard](https://www.npmjs.com/package/openpaw-graveyard)," which is described as an "autonomous AI agent" that creates a social on-chain identity on the Solana blockchain using the [Tapestry Protocol](https://www.usetapestry.dev/), trades cryptocurrency via [Bankr](https://bankr.bot/), as well as interacts with other agents on [Moltbook](https://moltbook.com/). **ReversingLabs** said the AI agent-generated package was added as a dependency in a source code commit made in February 2026, causing the agent package to execute malicious code and give attackers access via leaked credentials to the victim's cryptocurrency wallets and funds. The attack adopts a phased approach, where the first-layer packages do not contain any malicious code, but import second-layer packages that actually embed the nefarious functionality. Should the second cluster be detected or removed from npm, they are swiftly replaced. Some of the first-layer packages identified are listed below: * @solana-launchpad/sdk * @meme-sdk/trade * @validate-ethereum-address/core * @solmasterv3/solana-metadata-sdk * @pumpfun-ipfs/sdk * @solana-ipfs/sdk "They implement some functionality related to cryptocurrencies," **ReversingLabs** explained. "And each package lists many dependencies, most of which are popular npm packages with download counts in the millions and billions, like axios, bn.js etc. However, a small number of the dependencies are malicious packages from the second layer." The threat actors employ various techniques to help the rogue packages escape detection. These include creating a malicious version of the functions already present in the listed popular packages. Another technique uses typosquatting, where the names and descriptions mimic legitimate libraries. The first package version published to npm as part of this campaign dates back to September 2025, when "@hash-validator/v2" was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts – a benign bait that downloads the actual malware – may have helped it evade detection and help conceal the true scale of the attack. It's worth noting that some aspects of the activity were [documented](https://research.jfrog.com/post/new-crypto-stealer-npm/) by **JFrog** two months later, highlighting the threat actor's use of transitive dependencies to execute malicious code on developer systems and siphon valuable data. In the intervening months, the campaign has undergone various transformations, even targeting the Python Package Index (PyPI) by pushing a malicious package ("scraper-npm") with the same functionality in February 2026. As recently as last month, threat actors have been observed establishing persistent remote access via SSH and using Rust-compiled payloads to exfiltrate entire projects containing source code and other intellectual property from compromised systems. Early versions of the malware were obfuscated JavaScript-based stealers that scan the current working directory recursively for .env or .json files and stage for exfiltration to a **Vercel** URL ("ipfs-url-validator.vercel.app"), a platform [repeatedly](https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html)&nbsp;[abused](https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html) by **Famous Chollima** in its campaigns. While subsequent iterations came embedded with **PromptMink** in the form of a Node.js single executable application (SEA), it also suffered from a notable disadvantage in that it caused the payload size to grow from a mere 5.1KB to around 85MB. This is said to have caused the threat actors to shift to using [NAPI-RS](https://napi.rs/) to create pre-compiled Node.js add-ons in Rust. The evolution of the malware from a simple infostealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS capable of dropping SSH backdoors and gathering entire projects demonstrates North Korean threat actors' continued targeting of the open-source ecosystem to target developers in the Web3 space. **Famous Chollima** is "leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers," **ReversingLabs** added. ### Contagious Trader Emerges The findings coincide with the discovery of a malicious npm package named "express-session-js" that's believed to be linked to the Contagious Interview campaign, with the library acting as a conduit for a dropper that fetches a second-stage obfuscated payload from **JSON Keeper**, a paste service. "Static deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control," **SafeDep** [noted](https://safedep.io/malicious-npm-package-express-session-js/) this month. Interestingly, the use of legitimate packages like "socket.io-client" for command-and-control (C2) communication, "screenshot-desktop" for screen capture, "sharp" for image compression, and "clipboardy" for clipboard access overlaps with that of [OtterCookie](https://thehackernews.com/2025/05/ottercookie-v4-adds-vm-detection-and.html), a known stealer malware attributed to the campaign. What's novel this time around is the addition of the "@nut-tree-fork/nut-js" package for mouse and keyboard control, suggesting broader attempts to upgrade the RAT capabilities to facilitate interactive control of infected hosts. <table> <tbody><tr> <td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRjUFgbCaNbUIuMju-zOJxtlvn5SiiE2p6PCCFzacR7KSYNpgOYwePm8eCzIMMkNk4I9YsGf3ONdi2v8xVQ5fzj0PZ_186bF68mtd5WPC1-o-4zvvQhFwW6ZdRwp4hsAq6zLz5uutUK0trsbtS6h2HlwFXkjYdX5dJ5VVVBfZ_gvq9oIqLp9WBLf4MnTdX/s1600/otter.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRjUFgbCaNbUIuMju-zOJxtlvn5SiiE2p6PCCFzacR7KSYNpgOYwePm8eCzIMMkNk4I9YsGf3ONdi2v8xVQ5fzj0PZ_186bF68mtd5WPC1-o-4zvvQhFwW6ZdRwp4hsAq6zLz5uutUK0trsbtS6h2HlwFXkjYdX5dJ5VVVBfZ_gvq9oIqLp9WBLf4MnTdX/s1600/otter.png" data-original-width="720" data-original-height="406" alt=""></a></td> </tr> <tr> <td>OtterCookie deployment chain</td> </tr> </tbody></table> **OtterCookie**, for its part, has witnessed a maturation of its own, getting distributed via a [trojanized open-source 3D chess project](https://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/) hosted on **Bitbucket** and [malicious npm packages](https://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/)&nbsp;like "gemini-ai-checker," "express-flowlimit," and "chai-extensions-extras." A third method has employed a Matryoshka Doll approach as [part](https://medium.com/walmartglobaltech/mapping-ottercookie-infrastructure-1c49f0cd3883) of a [Panther](https://panther.