New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
North Korean hackers are now using AI to plant malware in npm and hunt Web3 developers
North Korean Hackers Use AI-Generated npm Malware and Multi-Layered Packages to Target Web3 Developers
TL;DR
North Korean state-linked threat actors are now leveraging AI tool "hallucinations" and multi-layered npm packages to infect developer environments. By using Claude Opus to co-author malicious commits and deploying Rust-based harvesters, the group known as Famous Chollima is bypassing traditional security scans. Moroccan developers working in the Web3 or AI agent space must audit their transitive dependencies and be cautious of AI-suggested code snippets.
As the Moroccan tech ecosystem expands, with more developers contributing to global Web3 and AI projects, the threat landscape is shifting. A sophisticated new campaign, codenamed PromptMink, has been identified by researchers at ReversingLabs. Attributed to the North Korean threat group Famous Chollima (also known as Shifty Corsair), this campaign represents a dangerous evolution in supply chain attacks.
The attackers are no longer just typosquatting; they are using Artificial Intelligence to "vibe-code" malware and trick even advanced LLMs like Anthropic’s Claude Opus into recommending malicious packages.
The Role of AI: When Claude Opus Co-Authors Malware
In a startling discovery, researchers found that on February 28, 2026, a code commit to an autonomous trading agent was co-authored by Claude Opus. This commit introduced a dependency on a package named @validate-sdk/v2.
While the package claimed to be a utility for hashing and encoding, it was actually "vibe-coded" malware designed to plunder sensitive secrets. This incident highlights a critical uncertainty: it remains unclear whether the LLM "hallucinated" the package name (suggesting a plausible-sounding but non-existent library that the hackers had preemptively registered) or whether the threat actor directly manipulated the model's prompt.
Regardless, the result was a "tainted" commit that gave attackers access to users' cryptocurrency wallets and private funds.
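A merge gate for the situation described above, added here as an example and not taken from the original report: it lists the dependencies a commit introduces into package.json, holds any that no human has reviewed, and surfaces Co-authored-by trailers. The package.json contents, the commit message and every name other than @validate-sdk/v2 are constructed.

```javascript
// Constructed sample: package.json before and after a commit, and the commit message.
// Only "@validate-sdk/v2" comes from the article; other names and versions are made up.
const basePkg = { dependencies: { "example-http-client": "^3.1.0" }, devDependencies: { "example-test-runner": "^1.0.0" } };
const headPkg = {
  dependencies: { "example-http-client": "^3.2.0", "@validate-sdk/v2": "^2.0.0" },
  devDependencies: { "example-test-runner": "^1.0.0" },
};
const commitMessage = [
  "Add hashing helper for order signing",
  "",
  "Co-authored-by: Example Assistant <assistant@example.invalid>",
].join("\n");

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Names present in head but absent from every section of base. A version bump of an
// existing dependency, or a move between sections, is not reported as new.
function addedDependencies(base, head) {
  const known = new Set(SECTIONS.flatMap((s) => Object.keys(base[s] || {})));
  const added = [];
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(head[section] || {})) {
      if (!known.has(name)) added.push({ name, range, section });
    }
  }
  return added;
}

// Git trailers are "Key: value" lines in the last paragraph of the message.
function coAuthors(message) {
  const lastParagraph = message.trim().split(/\n\s*\n/).pop();
  return lastParagraph.split("\n")
    .map((line) => /^co-authored-by:\s*(.+)$/i.exec(line.trim()))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Gate: every newly introduced package must already be on a human-reviewed list.
function reviewCommit(base, head, message, reviewed = new Set()) {
  const added = addedDependencies(base, head);
  const unreviewed = added.filter((d) => !reviewed.has(d.name));
  return { added, unreviewed, coAuthors: coAuthors(message), pass: unreviewed.length === 0 };
}

console.log(reviewCommit(basePkg, headPkg, commitMessage));
```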
The Phased Attack: Layered npm Packages
To evade detection, Famous Chollima uses a "Matryoshka Doll" or layered strategy. They do not put malicious code in the primary package a developer might search for. Instead, they use three layers:
- The Bait (Benign Layer): Packages like @solana-launchpad/sdk or @meme-sdk/trade. These look legitimate, function as described, and pass most basic security audits.
- The Dependent Layer: These benign packages import a second layer of dependencies.
- The Malicious Layer: This is where packages like @validate-sdk/v2 reside. They contain the specialized code used to scan the developer's system for .env files, SSH keys, and cryptocurrency credentials.
By splitting the malware, the attackers ensure that if one "malicious" package is flagged and removed from the npm registry, they can quickly swap it for a new one without needing to re-engineer the entire top-level SDK.
Technical Evolution: From JavaScript to Rust
The PromptMink campaign has shown significant technical maturation between September 2025 and April 2026.
- September 2025: Early versions were simple, obfuscated JavaScript stealers that scanned directories and exfiltrated data to Vercel-hosted URLs (specifically ipfs-url-validator.vercel.app).
- February 2026: The attackers briefly experimented with Node.js Single Executable Applications (SEA). However, this caused the payload size to balloon from 5.1KB to 85MB, making it easier for network monitoring tools to spot.
- March - April 2026: To solve the size issue and increase cross-platform compatibility, the hackers shifted to NAPI-RS. By using Rust, they created pre-compiled Node.js add-ons.
This move to Rust allows the malware to function as a multi-platform harvester, targeting Windows, Linux, and macOS systems with high performance and low visibility.
Beyond npm: PyPI and Fake Jobs
Moroccan Python developers are not exempt. In February 2026, the group pushed a malicious package named scraper-npm to PyPI (the Python Package Index) with the same harvesting functionality.
Furthermore, the group continues to use its "Contagious Interview" and "graphalgo" tactics. They set up fake firms and pose as recruiters, asking developers to complete "technical assessments" or "coding tests." These tests often require the developer to clone a repository from Bitbucket or install VS Code extensions that contain the PromptMink malware.
Recommendations for Moroccan Practitioners
To protect your local environment and your organization's infrastructure, consider the following mitigations:
- Audit Transitive Dependencies: Don't just check the packages you install; check what those packages are installing. Tools like npm audit are a start, but manual review of the dependency tree is necessary for high-stakes Web3 projects.
- Review AI-Generated Code: Treat suggestions from Claude, ChatGPT, or GitHub Copilot as unverified third-party code. Never allow an AI to add a dependency to your package.json without verifying the package's origin and download history.
- Network Monitoring: Block known malicious C2 (Command & Control) infrastructure. Specifically, monitor for traffic to ipfs-url-validator.vercel.app.
- SSH Hygiene: Monitor for unauthorized persistent SSH access. Famous Chollima frequently drops SSH backdoors to maintain access even after a malicious package is removed.
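One way to act on the transitive-dependency recommendation, and to see the layering described under "The Phased Attack" in a lockfile (an added example, not code from ReversingLabs or the original article): it walks a package-lock.json from the project root and reports the chain of packages that pulls in each flagged name. The lockfile, the middle-layer package example-mid-helper and all version numbers are constructed; only the three flagged names come from the article.

```javascript
// Package names in FLAGGED come from the article; the lockfile is constructed sample data.
const FLAGGED = new Set(["@validate-sdk/v2", "@solana-launchpad/sdk", "@meme-sdk/trade"]);

// Constructed package-lock.json (v3); "example-mid-helper" and all versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-agent", dependencies: { "@solana-launchpad/sdk": "^1.0.0" } },
    "node_modules/@solana-launchpad/sdk": { version: "1.0.3", dependencies: { "example-mid-helper": "^0.4.0" } },
    "node_modules/example-mid-helper": { version: "0.4.1", dependencies: { "@validate-sdk/v2": "^2.0.0" } },
    "node_modules/@validate-sdk/v2": { version: "2.0.5" },
  },
};

// Resolve a dependency the way Node does: the requiring package's own
// node_modules first, then each parent directory up to the project root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project that records which chain of packages
// pulled each entry in, so a deep hit traces back to a direct dependency.
function auditLock(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const seen = new Set([""]), findings = [];
  const queue = [{ path: "", chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    const entry = packages[path] || {};
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...(path ? {} : entry.devDependencies) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      seen.add(resolved);
      const real = packages[resolved].name || dep; // aliased installs keep the real name here
      const next = [...chain, real];
      if (flagged.has(real)) findings.push({ name: real, version: packages[resolved].version, depth: next.length, chain: next });
      queue.push({ path: resolved, chain: next });
    }
  }
  return findings;
}

console.log(auditLock(sampleLock).map((f) => `${f.name}@${f.version} via ${f.chain.join(" > ")}`));
```

A finding with depth greater than 1 is a package that never appears in package.json; the first element of its chain is the direct dependency to remove or pin.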
Conclusion
The PromptMink campaign proves that North Korean threat actors are successfully exploiting the trust developers place in AI assistants and the open-source ecosystem. For the Moroccan tech community, staying secure means moving beyond "install and forget" and adopting a "trust but verify" mindset for every line of code—whether written by a human or an LLM.
Source: New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs


