A newly documented campaign, dubbed PromptMink, is targeting the open source ecosystem and Web3 developers through malicious npm packages, fake job interviews and compromised GitHub projects. The operation is attributed to the North Korean threat cluster Famous Chollima (also known as Shifty Corsair), previously linked to the Contagious Interview scheme and fraudulent “remote IT worker” operations.
Malicious npm package @validate-sdk/v2 and Solana Web3 developers
The centerpiece of the latest wave is a trojanized npm package, @validate-sdk/v2. Publicly, it presents itself as a small SDK for hashing, encoding and random number generation. In reality, its hidden payload is an information‑stealing module designed to collect secrets from the development environment and siphon access to cryptocurrency wallets.
Researchers note that parts of the code exhibit patterns typical of generative AI‑produced source, such as unusual stylistic inconsistencies and boilerplate fragments. Using AI-generated code allows the package to better mimic legitimate utility libraries and evade quick manual review by maintainers and developers.
The risk was amplified when @validate-sdk/v2 was pulled into the Solana blockchain ecosystem. Through the dependency @solana-launchpad/sdk, it reached the project openpaw-graveyard, an “autonomous AI agent” that builds on‑chain identities via Tapestry Protocol, trades crypto via Bankr and interacts with other agents in Moltbook. After a dependency update, the agent executed the malicious code, causing leakage of credentials and compromise of users’ crypto wallets and balances.
Layered dependency chains and evasive techniques in npm supply chain attacks
The PromptMink operation follows a multi‑layer dependency model. First‑level npm packages look benign: they implement standard cryptocurrency logic and depend on well‑known libraries with millions of downloads, such as axios and bn.js. Hidden among dozens of legitimate dependencies are a few second‑level packages where the actual malicious functionality resides.
Once a specific second‑level package is detected and removed from npm, operators quickly publish a slightly modified variant, complicating long‑term blocking. The campaign also heavily relies on typosquatting — publishing packages with names and descriptions that closely resemble popular libraries — and on function substitution, where “alternative” implementations of common methods secretly embed malicious logic.
From JavaScript stealer to Rust‑based cross‑platform modules
Early traces of the campaign date back to the appearance of the package @hash-validator/v2, which contained an obfuscated JavaScript infostealer. This component recursively scanned the working directory for .env and .json files, exfiltrating them to an attacker‑controlled domain hosted on Vercel, an infrastructure provider already seen in other Famous Chollima operations.
Subsequent iterations experimented with a Node.js Single Executable Application (SEA) model, bundling the payload into a single binary. However, the binary size increase from roughly 5.1 KB to about 85 MB made samples more conspicuous and easier to flag by defenders.
In response, the operators adopted NAPI‑RS and Rust to ship precompiled native modules. This approach yielded a more compact, cross‑platform infostealer (Windows, Linux, macOS) capable not only of harvesting credentials but also of installing SSH backdoors and exfiltrating entire source code repositories and intellectual property from victim systems.
Targeting developers via fake companies, interviews and GitHub artifacts
PromptMink is closely aligned with the broader Contagious Interview / Contagious Trader / graphalgo activity set, which focuses on developers, particularly in the Web3 and blockchain space. The primary victims are specialists actively seeking work.
Attackers create a network of fake companies with convincing profiles on GitHub, LinkedIn and X, and in some cases even register legal entities, such as the reported Blocmerce LLC in Florida. Prospective employees are offered a “technical assignment” and asked to download a GitHub project that allegedly forms part of the interview process.
Inside that project, the attackers hide a dependency on a malicious package from npm or PyPI, or on a tampered GitHub release artifact. The link is buried deep in the chain of transitive dependencies: the resolved field in package-lock.json points not to the official registry but to a specially crafted repository under attacker control. The final stage often involves deploying a Remote Access Trojan (RAT) capable of enumerating files and processes, collecting system information, uploading and downloading data, and remotely controlling the developer’s workstation.
OtterCookie, express-session-js and compromise of popular libraries
Parallel activity has been observed leveraging the npm package express-session-js to deliver a second‑stage payload: an obfuscated RAT and infostealer. This malware chain uses legitimate packages such as socket.io-client for command‑and‑control communications, screenshot-desktop and sharp for screen capture, and clipboardy for clipboard access — capabilities overlapping with the known stealer OtterCookie.
A new enhancement is the adoption of @nut-tree-fork/nut-js to remotely control mouse and keyboard input, allowing interactive manipulation of compromised systems in real time.
A related North Korean cluster, UNC1069, has also been linked to the compromise of the widely used axios package. After that incident, the operators released a new package, csec-crypto-utils, whose updated module acted as an infostealer rather than a RAT. It targeted AWS keys, GitHub tokens and .npmrc configurations, forwarding them to external servers. Infrastructure overlaps tie this activity to the BlueNoroff sub‑unit of the Lazarus Group, historically focused on cryptocurrency theft.
Taken together, these operations illustrate the growing maturity of North Korean state‑linked actors in open source software supply chain attacks. They are moving from static obfuscation toward agile, frequently changing techniques; abusing legitimate platforms such as Vercel, GitHub, npm and PyPI; and increasingly leveraging AI‑generated code to disguise malicious components.
For organizations and individual developers — especially those handling cryptocurrencies and Web3 applications — these campaigns underline the need to treat every external library as untrusted code. Practical defenses include rigorous vetting of new packages and maintainers, use of Software Composition Analysis (SCA) tools and dependency integrity monitoring, avoiding artifacts from unknown GitHub releases, isolating build and test environments, enforcing strict secret management and regular key rotation, and training developers to recognize fake job offers and suspicious “test tasks.” Strengthening these practices now significantly raises the cost for attackers seeking to exploit trust in open source as a shortcut to stealing funds and intellectual property.
