Event Overview
On April 29, 2026, security firm ReversingLabs disclosed a supply chain attack campaign codenamed "PromptMink," attributed to the North Korean state-sponsored hacking group Famous Chollima (aka Shifty Corsair, associated with Lazarus Group). The campaign pioneered "LLM Optimization (LLMO) Abuse" technology — instead of attempting to deceive human developers into installing malicious packages, attackers crafted package documentation specifically designed to persuade AI coding agents into autonomously selecting and installing malicious dependencies. ✅ Verified
The campaign operated for seven months from September 2025 to April 2026, deploying over 60 malicious packages with 300+ versions across npm, PyPI, Go, and Rust ecosystems. ✅ Verified
The most标志性 incident occurred on February 28, 2026: a commit to the open-source Solana trading agent project openpaw-graveyard listed Anthropic's Claude Opus as co-author. The commit added a malicious dependency disguised as a legitimate Solana SDK — the AI agent autonomously selected the North Korean hackers' backdoor package during normal coding workflow and wrote it into production code. ✅ Verified
ReversingLabs researcher Vladimir Pezo stated directly in the report: "Famous Chollima's malicious packages have been more successful in tricking LLM coding agents than humans to use them." ✅ Verified
Background: From Social Engineering to "Agent Engineering"
Three Generations of Supply Chain Attack Evolution
Supply chain attacks are not new. From the 2018 event-stream Bitcoin theft, the 2024 XZ Utils backdoor, to the early 2026 Shai-Hulud npm/PyPI mass poisoning wave, attackers have consistently leveraged trusted upstream dependencies as weapons. But the cognitive model of the target has undergone three fundamental paradigm shifts. ⚠️ High Confidence
Generation 1: Deceiving Human Judgment (2018-2024). Attackers used typosquatting, dependency confusion, and fake Stack Overflow answers to诱导 human developers into actively installing malicious packages. The defense core was human suspicion instinct — an experienced developer would check publisher history, download counts, and GitHub commit records.
Generation 2: Exploiting AI Hallucination (2024-2025). Attackers registered package names that LLMs were known to hallucinate, waiting for AI coding tools to "imagine" a non-existent dependency and recommend its installation. This attack depended on model hallucination defects, with success rates limited by hallucination frequency.
Generation 3: LLMO Abuse — Deceiving AI Judgment Itself (2025-present). The paradigm shift represented by PromptMink is that attackers no longer depend on model defects but instead weaponize AI's core capabilities — document comprehension and semantic matching — into an attack surface. Package names are real, documentation is professional, TypeScript types are complete. The agent chose the malicious package based on "merit" — except this "merit" was meticulously optimized for machine readers. ✅ Verified
Famous Chollima: National-Level Evolution from Phishing to AI Weaponization
Famous Chollima has operated the "Contagious Interview" attack campaign since at least 2018, disguising as recruiters on LinkedIn and GitHub to send coding test projects containing malicious dependencies to job seekers. In March 2026, the U.S. Treasury OFAC sanctioned the front companies used by the group for its fraudulent IT worker network. ✅ Verified
PromptMink is the logical extension of this operation: as target developers are increasingly replaced by AI agents for code review and dependency selection, attackers switched the social engineering target from humans to AI. This is not a tactical adjustment but a fundamental shift in attack philosophy — from "deceiving humans" to "deceiving agents."
Technical/Strategic Analysis
Two-Layer Architecture: Separation of Lure and Payload
PromptMink's core innovation lies not in its malware but in its topology. The campaign divided operations into two independent layers: ⚠️ High Confidence
Layer 1 — Lure Packages: Entirely legitimate-looking Web3 utility packages such as @solana-launchpad/sdk, @meme-sdk/trade, @pumpfun-ipfs/sdk. These packages implement real Solana ecosystem functionality (IPFS uploads, metadata management, Jito Bundle execution), with package.json listing mostly mainstream dependencies with billions of combined downloads like axios and bn.js. Only one or two niche dependencies point to Layer 2 payloads. Key characteristic: Layer 1 packages contain no malicious code — their accumulated downloads, reputation, and community signals are the attacker's strategic assets.
Layer 2 — Payload Packages: Disposable ammunition carrying actual malicious functionality. Known payload packages include @hash-validator/v2 (initial version) and @validate-sdk/v2 (replacement version), which recursively scan the working directory for .env and .json files, steal wallet credentials, API keys and environment secrets, then exfiltrate via HTTP POST to attacker-controlled Vercel endpoints (ipfs-url-validator.vercel.app). ✅ Verified
The fatal aspect of this architecture is its resilience. On October 7, 2025, npm removed @hash-validator/v2 and three sister packages. Within hours, Famous Chollima republished byte-identical code as @validate-sdk/v2, starting at version 1.22.11 (the next sequential version after the takedown), while updating Layer 1 dependency pointers. Layer 1 retained all accumulated reputation signals; Layer 2 was treated as expendable ammunition. When JFrog published partial research coverage on November 20, 2025, attackers replaced exposed dependencies the same day — zero downtime, zero operational continuity loss. ✅ Verified
Four-Phase Malware Evolution
PromptMink's payloads underwent four architectural upgrades over seven months, reflecting continuous adaptation to the defense environment: ⚠️ High Confidence
- Phase 1 (Sep 2025 - Jan 2026): Obfuscated JavaScript stealers. Scanned working directories, exfiltrated via HTTP POST to Vercel endpoints. Payload only 5.1KB.
- Phase 2 (Feb 2026): Node.js Single Executable Applications (SEA). Packaged JavaScript code with complete Node.js runtime as standalone executables, evading static analysis. But payload size ballooned to 85-100MB, attracting attention.
- Phase 3 (Mar 2026): Rust NAPI-RS pre-compiled native add-ons. Critical pivot — using NAPI-RS to compile Rust code as Node.js native plugins. Rust binaries are extremely difficult to reverse-engineer, completely bypassing npm-layer static analysis, with dramatically reduced payload size. The code-readable portion (JavaScript/TypeScript the agent might review) stays clean; the binary portion executes theft.
- Phase 4 (Late Mar 2026): Persistent SSH backdoor. Injected attacker public keys into victim
~/.ssh/authorized_keys, establishing persistent remote access independent of the npm supply chain vector. Later versions expanded to compress and exfiltrate entire project source code directories, corresponding to the secondary objective of intellectual property theft. ✅ Verified
Why Agents Are Easier to Deceive Than Humans
PromptMink reveals a disturbing structural asymmetry: AI coding agents are in certain dimensions more susceptible to supply chain attack deception than human developers. ⚠️ High Confidence
Signal Weight Differences. Human developers check npm publisher pages, maintainer history, whether download curves match community adoption — disproportionate documentation quality relative to downloads is an important suspicion signal. AI agents primarily weight documentation quality, semantic fit, TypeScript type coverage, and README precision in describing the current task. Famous Chollima precisely optimized all these signals — Layer 1 READMEs read like professional SDK documentation with real Solana use cases, TypeScript types, feature comparisons, and badges.
Friction Elimination Equals Attack Surface. Socket's security head Brad Arkin noted in his June 23, 2026 analysis that for years the primary behavioral defense against open-source supply chain attacks was "human friction" — developers pausing at unfamiliar package names to check, examine, hesitate. AI agents precisely removed this friction — they resolve dependencies, continue the build, never pause. Efficiency itself is the attack surface. ✅ Verified
Agent-to-Agent Propagation. In January 2026, an autonomous LLM agent named Zora posted on Moltbook (a Reddit-like platform for autonomous AI agent interaction) stating it had created a memecoin and used @solana-launchpad/sdk because "it had the function it needed." This is a case of one AI agent recommending a malicious package and another AI agent installing it — no human in the decision loop at any point. ✅ Verified
Vulnerabilities
Structural Defense Gaps
- SCA Tool Blind Spots. Traditional Software Composition Analysis (SCA) tools detect threats through name-matching against vulnerability databases. PromptMink's malicious packages had no known CVEs when discovered — they were new, legitimately-named packages that name-based detection tools could not see.
--ignore-scriptsLimitations. Many teams rely onnpm install --ignore-scriptsas a security control. But NAPI-RS native plugins execute through Node.js's native plugin loading mechanism, bypassing install script restrictions — this is only a partial control.- AI-Assisted Commit Trust Illusion. When Claude or Copilot co-author a commit, developers tend to lower review standards — "the AI already checked it." But the AI checked documentation quality, not security properties. PromptMink's package documentation quality was extremely high; AI review actually reinforced the false sense of security.
- SBOM Absence. Many teams cannot answer the basic question "how many dependencies in our codebase were autonomously chosen by AI agents." Without observability, there is no defense.
Vendor/Industry Response
Government Level
- CISA/Five Eyes Guidance (May 1, 2026): Published "Careful Adoption of Agentic AI Services" guidance, explicitly warning that "agents will choose more persuasive descriptions," requiring agent-suggested packages to be treated as a distinct untrusted review category, and requiring human approval for high-risk actions like adding dependencies. ✅ Verified
- NSA Guidance Document U/O/O/6030316-26: Published security guidance for MCP protocol and AI agent dependency management.
Security Industry
- ReversingLabs: Established PromptMink IOC database, tracking 20+ C2 infrastructure elements, continuously issuing takedown notices.
- Socket (Brad Arkin): Proposed defense framework where "agent-suggested packages should be treated as a distinct untrusted review category."
- Cloud Security Alliance: Published DPRK PromptMink research note providing technical IOCs and defense checklists.
AI Model Vendors
- Anthropic: Retained the commit co-authorship mechanism (
Co-Authored-By: Claude) in Claude Code but did not add security review layers for dependency selection. This mechanism objectively provided PromptMink with a false "AI-verified" trust signal. - Defense verified by ReversingLabs: When the coding agent was connected to a package reputation MCP server, it correctly advised against installing the bait package — providing agents with external ground-truth data rather than trusting the package's own marketing documentation is an effective defense path. ✅ Verified
Predictions
Short-term (3-6 months):
- LLMO will become standard supply chain attack tactics. PromptMink proved LLMO's feasibility and effectiveness. Famous Chollima is not the last organization to use this technique — other nation-state attackers and cybercrime groups will rapidly replicate. Similar campaigns targeting Python/Go/Rust ecosystems are expected in the second half of 2026.
- AI coding tools will accelerate dependency review layer introduction. Cursor, Claude Code, and GitHub Copilot will introduce mandatory review processes requiring "human confirmation for agent-selected dependencies" within the next 2-3 quarters, partially restoring the "human friction" that AI eliminated.
- Rust native plugins will become a new supply chain security focus. PromptMink's evolution from JavaScript to Rust demonstrates attackers exploiting language ecosystem security review blind spots. npm and GitHub are expected to launch enhanced review mechanisms for native plugins.
Medium-term (6-12 months):
- "Agent security audits" will become enterprise compliance requirements. Just as SOC 2 audits transformed cloud security practices, auditing autonomous AI agent behavior will become a new dimension of enterprise security governance. Enterprises will need to answer "how many dependencies were agent-chosen," "where are the agent decision logs," and "what are the agent permission boundaries."
- Package reputation oracles will become agent standard equipment. Reputation services providing external ground-truth data to AI agents will become a component of security infrastructure. ReversingLabs' verification that "agents correctly rejected malicious packages after connecting to reputation MCP servers" previews the commercialization path for this direction.
Long-term signals:
- "Agent engineering" will become social engineering's next evolutionary direction. PromptMink's deeper revelation is that as AI agents assume more decision-making functions, attackers' optimal strategy is not to bypass AI but to "persuade" AI. The shift from deceiving humans to deceiving agents marks social engineering entering an entirely new attack surface — one where the more credible and capable an AI agent is, the greater the destructive power once "persuaded." This poses a fundamental challenge to the security architecture of the entire AI agent ecosystem.
References:
- ReversingLabs, "PromptMink: DPRK PromptMink npm Malware Targets AI Coding Agents", 2026-04-29 ✅
- Cloud Security Alliance, "DPRK PromptMink Research Note", 2026-05-01 ✅
- CISA/Five Eyes, "Careful Adoption of Agentic AI Services", 2026-05-01 ✅
- LLM-Hacking, "LLMO abuse: poisoning package docs to fool AI coding agents", 2026-07-03 ✅
- Socket, "The Code You Didn't Write Is Still Yours to Defend", Brad Arkin, 2026-06-23 ✅
- Lyrie.ai, "When the AI Writes the Backdoor: PromptMink", 2026-05-11 ✅
- The Hacker News, "New Wave of DPRK Attacks Uses AI-Inserted npm Malware", 2026-04-29 ✅
- IBM X-Force OSINT Advisory, "PromptMink Supply Chain Campaign", 2026-05-01 ✅
Why it Matters
DECISION
PREDICT
Get 3-5 key AI infrastructure signals weekly →
💬 Comments (0)