Canadian Cyber Security Journal
Filed under: TechTalk

North Korea’s Famous Chollima Plants PromptMink Malware in npm Using AI-Written Commits — Canadian Developer Teams and Crypto Sector at Risk

What Happened

ReversingLabs researchers published a detailed analysis of PromptMink, a North Korean supply chain malware campaign attributed to Famous Chollima — also tracked as Sapphire Sleet and BlueNoroff — operating under the Contagious Interview and IT Worker fraud umbrella. The campaign exploits a novel delivery technique: a malicious npm dependency was introduced into an open-source crypto trading agent called openpaw-graveyard via a commit co-authored by Anthropic’s Claude Opus large language model.

The attack architecture uses two layers. The first-layer package appears legitimate and contains no malicious code. It silently pulls in a second package, @validate-sdk/v2, which presents itself as a standard data validation utility. That second package is the actual payload. It collects and exfiltrates .env and .json files, crypto wallet credentials, system information, and SSH keys to attacker-controlled servers. A later Rust-based variant extends the theft to entire project source trees. The attackers also install SSH keys on victim systems for persistent remote access on both Linux and Windows hosts.

ReversingLabs tracked more than 60 packages and 300-plus versions tied to the PromptMink campaign across npm and PyPI since late 2025. When individual packages are detected and removed, they are rapidly replaced with new names. The use of an AI-co-authored commit is a deliberate evasion tactic: commits with LLM co-authorship attribution carry an appearance of legitimacy and may bypass security reviews focused on malicious human code patterns, per The Hacker News.

Why This Matters for Canadian Organizations

Famous Chollima runs some of the most financially motivated cyber operations attributed to a nation-state actor, with a primary focus on cryptocurrency theft and developer credential harvesting. Canada’s growing crypto and fintech sector — including crypto exchanges, DeFi platforms, and blockchain development firms operating under FINTRAC registration requirements — is a direct target demographic for this threat group. Famous Chollima does not distinguish between large exchanges and small development shops: any organization with crypto wallet access, API keys to exchange accounts, or source code connected to financial infrastructure is a viable target.

Beyond the crypto sector, PromptMink’s .env and SSH key exfiltration targets the broader Canadian developer ecosystem. Government digital services teams, SaaS startups, university computer science departments, and enterprise DevOps teams all use npm and often store sensitive credentials in .env files or developer workstation SSH key directories. A single infected dependency in a widely used package can propagate silently across an organization’s development environment before detection. The fact that this campaign has been running since late 2025 with over 60 documented packages means many Canadian organizations may have already been exposed without knowing it.

The AI-assisted commit technique also raises a compliance consideration: Canadian organizations conducting code reviews as part of a secure development lifecycle should update their review criteria to flag AI-co-authored commits for additional scrutiny, particularly when they introduce new third-party dependencies. OSFI B-13 and federal government ITSM security requirements both emphasize third-party software risk; this campaign is a live example of why dependency review needs to go deeper than license compliance.

What to Do

Run a dependency audit across your npm and PyPI package trees using tools such as Socket, Snyk, or npm audit. Look specifically for packages introduced via indirect dependency chains — the second-layer delivery mechanism means a top-level dependency you trust may be pulling in a malicious child package. Search your dependency graphs for any packages with names matching the @validate-sdk or @solana-launchpad namespace patterns and investigate any package from those publishers immediately.

Review recent AI-co-authored commits in your repositories, particularly those introducing new dependencies or modifying package.json or requirements.txt files. Treat LLM-assisted commits introducing new third-party packages with the same scrutiny you would apply to any unreviewed external contribution. Rotate any credentials, API keys, or SSH keys stored in .env files or home directories on developer workstations that installed any suspect packages during the campaign window. Report suspicious packages to the npm security team at npm-security@npmjs.com and to the Canadian Centre for Cyber Security at cyber.gc.ca/report.
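The dependency-graph search described above, as an added example that is not part of the original article or of any vendor's tooling: it walks an npm lockfile and reports every installed package in the two scopes named above, whether it is a direct dependency, and which installed packages declare it. It assumes the lockfile v2/v3 `packages` layout; the sample lockfile, the `trading-helper` package name and all version numbers are constructed for illustration.

```javascript
// Scope names come from the article; everything in SAMPLE_LOCK is constructed.
const SUSPECT_SCOPES = ["@validate-sdk", "@solana-launchpad"];

// Package name from a lockfile v2/v3 "packages" key,
// e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Names a lockfile entry declares as runtime, optional or peer dependencies.
function declaredDeps(entry) {
  return Object.keys({
    ...entry.dependencies,
    ...entry.optionalDependencies,
    ...entry.peerDependencies,
  });
}

function scanLockfile(lock, scopes = SUSPECT_SCOPES) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = new Set([...declaredDeps(root), ...Object.keys(root.devDependencies || {})]);
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const name = nameFromPath(path);
    // Match the scope plus "/" so unscoped lookalike names are not flagged.
    if (!scopes.some((s) => name.startsWith(s + "/"))) continue;
    // Every installed package that declares the suspect one as a dependency.
    const pulledInBy = Object.entries(packages)
      .filter(([p, e]) => p !== "" && declaredDeps(e).includes(name))
      .map(([p]) => nameFromPath(p));
    findings.push({ name, version: entry.version, path, direct: direct.has(name), pulledInBy });
  }
  return findings;
}

// Constructed sample: a trusted-looking top-level package pulls in the second layer.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "trading-helper": "^1.0.0" } },
    "node_modules/trading-helper": { version: "1.0.2", dependencies: { "@validate-sdk/v2": "^2.0.0" } },
    "node_modules/@validate-sdk/v2": { version: "2.0.1" },
    "node_modules/validate-sdk-lookalike": { version: "0.1.0" },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile`. A finding with `direct: false` is the second-layer pattern, and its `pulledInBy` entries are the packages to investigate next.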
