{"id":757,"date":"2026-04-29T15:53:01","date_gmt":"2026-04-29T15:53:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=757"},"modified":"2026-04-29T15:53:01","modified_gmt":"2026-04-29T15:53:01","slug":"new-wave-of-dprk-attacks-uses-ai-inserted-npm-malware-fake-firms-and-rats","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=757","title":{"rendered":"New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs"},"content":{"rendered":"<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgoAi4Ild7Dz2KtvraUPjGBgNHYScbOo2DzPh9iUn8IirHe8VYws7uF0A4wf2803kNMgLzCWg0oOZwXcdzRUx5-sbBPiABEN05-RtXTa2vMqOSa52E4FPELQba8QcIQBPXl6hOHuyN7cHldbTMMvxnA4UhxDk1Huh2W85I0EJeWdscqF5NdwRLjbtOXn7Zj\/s1700-e365\/korean-hackers.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic&#8217;s Claude Opus large language model (LLM).<\/p>\n<p>The package in question is \u00ab<a href=\"https:\/\/www.npmjs.com\/package\/@validate-sdk\/v2\">@validate-sdk\/v2<\/a>,\u00bb which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding\/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025.<\/p>\n<p>The malware campaign has been codenamed <strong>PromptMink<\/strong> by ReversingLabs, which linked the activity as part of a broader campaign mounted by the North Korean threat actor known as <strong>Famous Chollima<\/strong> (aka Shifty Corsair), which is behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam.<\/p>\n<p>\u00abThe new malware campaign [&#8230;] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent,\u00bb ReversingLabs researcher Vladimir Pezo <a href=\"https:\/\/www.reversinglabs.com\/blog\/claude-promptmink-malware-crypto\">said<\/a> in a report shared with The Hacker News. \u00abThe <a href=\"https:\/\/github.com\/ExpertVagabond\/openpaw-graveyard\/commit\/cd3c6ccbfe02a0fcf249fdcf67fd3ec351a7ed7c\">commit was co-authored<\/a> by Anthropic&#8217;s Claude Opus large language model (LLM). It allows attackers to access users&#8217; crypto wallets and funds.\u00bb<\/p>\n<p>The package is listed as a dependency for an another npm package named \u00ab<a href=\"https:\/\/www.npmjs.com\/package\/@solana-launchpad\/sdk\">@solana-launchpad\/sdk<\/a>,\u00bb which, in turn, is used by a third package called \u00ab<a href=\"https:\/\/www.npmjs.com\/package\/openpaw-graveyard\">openpaw-graveyard<\/a>,\u00bb which is described as an \u00abautonomous AI agent\u00bb that creates a social on-chain identity on the Solana blockchain using the <a href=\"https:\/\/www.usetapestry.dev\/\">Tapestry Protocol<\/a>, trades cryptocurrency via <a href=\"https:\/\/bankr.bot\/\">Bankr<\/a>, as well as interacts with other agents on <a href=\"https:\/\/moltbook.com\/\">Moltbook<\/a>.<\/p>\n<p>ReversingLabs said the AI agent-generated packages were added as a dependency in a commit made in February 2026, causing the agent package to execute malicious code and give attackers access via leaked credentials to the victim&#8217;s cryptocurrency wallets and funds.<\/p>\n<p>The attack adopts a phased approach, where the first-layer packages do not contain any malicious code, but import second-layer packages that actually embed the nefarious functionality. Should the second cluster be detected or removed from npm, they are swiftly replaced.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-security-guide-d-1\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRxP56rpa2W0O_0yc0xgs5l2r4FRV4Wiuq3IqWuFdsd_4g1c3oRVXoHtW9gxo8ObuxmyjqkAf3cD6N1JbVDos7QX99ZHtmeVrg-FUzSnMZLTl1ZFyiSkpqQiw6BcHXz52jr3s42xWEDFOpwWK6HgXOqscGMNkhA5pZK7h6zVV4dpDaLfgy17TidZXVrtUB\/s728-e100\/nudge-d-1.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Some of the first-layer packages identified are listed below &#8211;<\/p>\n<p><a name=\"more\"\/><\/p>\n<ul>\n<li>@solana-launchpad\/sdk<\/li>\n<li>@meme-sdk\/trade<\/li>\n<li>@validate-ethereum-address\/core<\/li>\n<li>@solmasterv3\/solana-metadata-sdk<\/li>\n<li>@pumpfun-ipfs\/sdk<\/li>\n<li>@solana-ipfs\/sdk<\/li>\n<\/ul>\n<p>\u00abThey implement some functionality related to cryptocurrencies,\u00bb ReversingLabs explained. \u00abAnd each package lists many dependencies, most of which are popular npm packages with download counts in the millions and billions, like axios, bn.js etc. However, a small number of the dependencies are malicious packages from the second layer.\u00bb<\/p>\n<p>The threat actors employ various techniques to help the rogue packages escape detection. These include creating a malicious version of the functions already present in the listed popular packages.Another technique uses typosquatting, where the names and descriptions mimic legitimate libraries.\u00a0<\/p>\n<p>The first package version published to npm as part of this campaign dates back to September 2025, when \u00ab@hash-validator\/v2\u00bb was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts \u2013 a benign bait that downloads the actual malware \u2013 may have helped it evade detection and help conceal the true scale of the attack.<\/p>\n<p>It&#8217;s worth noting that some aspects of the activity were <a href=\"https:\/\/research.jfrog.com\/post\/new-crypto-stealer-npm\/\">documented<\/a> by JFrog two months later, highlighting the threat actor&#8217;s use of transitive dependencies to execute malicious code on developer systems and siphon valuable data.<\/p>\n<p>In the intervening months, the campaign has undergone various transformations, even targeting the Python Package Index (PyPI) by pushing a malicious package (\u00abscraper-npm\u00bb) with the same functionality in February 2026. As recently as last month, threat actors have been observed establishing persistent remote access via SSH and using Rust-compiled payloads to exfiltrate entire projects containing source code and other intellectual property from compromised systems.<\/p>\n<p>Early versions of the malware were obfuscated JavaScript-based stealers that scan the current working directory recursively for .env or .json files and stage for exfiltration to a Vercel URL (\u00abipfs-url-validator.vercel.app\u00bb), a platform repeatedlyabused by Famous Chollima in its campaigns.<\/p>\n<p>While subsequent iterations came embedded with PromptMink in the form of a Node.js single executable application (SEA), it also suffered from a notable disadvantage in that it caused the payload size to grow from a mere 5.1KB to around 85MB.This is said to have caused the threat actors to shift to using <a href=\"https:\/\/napi.rs\/\">NAPI-RS<\/a> to create pre-compiled Node.js add-ons in Rust.<\/p>\n<p>The evolution of the malware from a simple infostealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS capable of dropping SSH backdoors and gathering entire projects demonstrates North Korean threat actors&#8217; continued targeting of the open-source ecosystem to target developers in the Web3 space.<\/p>\n<p>Famous Chollima is \u00ableveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers,\u00bb ReversingLabs added.<\/p>\n<h3>Contagious Trader Emerges<\/h3>\n<p>The findings coincide with the discovery of a malicious npm package named \u00abexpress-session-js\u00bb that&#8217;s believed to be linked to the Contagious Interview campaign, with the library acting as a conduit for a dropper that fetches a second-stage obfuscated payload from JSON Keeper, a paste service.<\/p>\n<p>\u00abStatic deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse\/keyboard control,\u00bb SafeDep <a href=\"https:\/\/safedep.io\/malicious-npm-package-express-session-js\/\">noted<\/a> this month.<\/p>\n<p>Interestingly, the use of legitimate packages like \u00absocket.io-client\u00bb for command-and-control (C2) communication, \u00abscreenshot-desktop\u00bb for screen capture, \u00absharp\u00bb for image compression, and \u00abclipboardy\u00bb for clipboard access overlaps with that of OtterCookie, a known stealer malware attributed to the campaign.<\/p>\n<p>What&#8217;s novel this time around is the addition of the \u00ab@nut-tree-fork\/nut-js\u00bb package for mouse and keyboard control, suggesting broader attempts to upgrade the RAT capabilities to facilitate interactive control of infected hosts.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRjUFgbCaNbUIuMju-zOJxtlvn5SiiE2p6PCCFzacR7KSYNpgOYwePm8eCzIMMkNk4I9YsGf3ONdi2v8xVQ5fzj0PZ_186bF68mtd5WPC1-o-4zvvQhFwW6ZdRwp4hsAq6zLz5uutUK0trsbtS6h2HlwFXkjYdX5dJ5VVVBfZ_gvq9oIqLp9WBLf4MnTdX\/s1700-e365\/otter.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRjUFgbCaNbUIuMju-zOJxtlvn5SiiE2p6PCCFzacR7KSYNpgOYwePm8eCzIMMkNk4I9YsGf3ONdi2v8xVQ5fzj0PZ_186bF68mtd5WPC1-o-4zvvQhFwW6ZdRwp4hsAq6zLz5uutUK0trsbtS6h2HlwFXkjYdX5dJ5VVVBfZ_gvq9oIqLp9WBLf4MnTdX\/s1700-e365\/otter.png\" alt=\"\" border=\"0\" data-original-height=\"406\" data-original-width=\"720\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">OtterCookie deployment chain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>OtterCookie, for its part, has witnessed a maturation of its own, getting distributed via a <a href=\"https:\/\/blackpointcyber.com\/blog\/malicious-node-package-deploys-ottercookie\/\">trojanized open-source 3D chess project<\/a> hosted on Bitbucket and <a href=\"https:\/\/cyberandramen.net\/2026\/04\/04\/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign\/\">malicious npm packages<\/a>like \u00abgemini-ai-checker,\u00bb \u00abexpress-flowlimit,\u00bb and \u00abchai-extensions-extras.\u00bb<\/p>\n<p>A third method has employed a Matryoshka Doll approach as <a href=\"https:\/\/medium.com\/walmartglobaltech\/mapping-ottercookie-infrastructure-1c49f0cd3883\">part<\/a> of a <a href=\"https:\/\/panther.com\/blog\/tracking-an-ottercookie-infostealer-campaign-across-npm\">campaign<\/a> dubbed <a href=\"https:\/\/kmsec.uk\/blog\/contagious-trader\/\">Contagious Trader<\/a>. The attack begins with the <a href=\"https:\/\/safedep.io\/malicious-sjs-biginteger-npm-ssh-theft\/\">download<\/a> of a benign wrapper package (e.g., \u00abbjs-biginteger\u00bb), which then proceeds to download a malicious dependency (e.g., \u00abbjs-lint-builder\u00bb) and ultimately install the stealer.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg-qU__2vBJbMuiT4E6oVyrYo3WCripWYO2eXw0AyLMKJlSlucWoGGv5p8uE5l1S_u0g2NJBVg_btWzpgNT1YQKk-EnMFdt4EN3YjuYdDxwpjsiv1yN5vhXyULIQnD8vmS_of89JLZlJ3WoqMBXVlbzRhyphenhypheniH5aLbQyCVbXGN-854Ausqjwl0ytRXpk3JXnv\/s1700-e365\/gra.jpg\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg-qU__2vBJbMuiT4E6oVyrYo3WCripWYO2eXw0AyLMKJlSlucWoGGv5p8uE5l1S_u0g2NJBVg_btWzpgNT1YQKk-EnMFdt4EN3YjuYdDxwpjsiv1yN5vhXyULIQnD8vmS_of89JLZlJ3WoqMBXVlbzRhyphenhypheniH5aLbQyCVbXGN-854Ausqjwl0ytRXpk3JXnv\/s1700-e365\/gra.jpg\" alt=\"\" border=\"0\" data-original-height=\"700\" data-original-width=\"900\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Overlaps between Contagious Interview, Contagious Trader, and graphalgo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u00abThe recent campaigns orchestrated by Shifty Corsair demonstrate the escalating threat of DPRK state-aligned cyber operations,\u00bb BlueVoyant researcher Curt Buchanan <a href=\"https:\/\/www.bluevoyant.com\/blog\/ottercookie-shifty-corsair-bifurcated-attack-strategy\">said<\/a>. \u00abTheir rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities.\u00bb<\/p>\n<h3>Graphalgo Uses Fake Companies to Drop RAT<\/h3>\n<p>The development is significant as the threat actor has been simultaneously linked to another ongoing campaign dubbed <strong>graphalgo<\/strong> that lures developers using fake companies and leverages fake job interviews and coding tests to deliver malicious npm packages to their systems.<\/p>\n<p>The campaign plays out like this: the hackers employ social engineering ploys on job-seeking platforms and social networks to trick prospective targets into downloading GitHub-hosted projects as part of an assessment. These projects, in turn, contain a dependency to a malicious package published on npm or PyPI, whose main goal is to deploy a remote access trojan (RAT) on the machine.<\/p>\n<p>To pull off the attack, the operators set up a network of fake companies, complete with convincing profiles on platforms like GitHub, LinkedIn, and X to give them a veneer of legitimacy and make the deception more convincing. In the case of Blocmerce, the attackers even went to the extent of actually <a href=\"https:\/\/search.sunbiz.org\/Inquiry\/CorporationSearch\/ConvertTiffToPDF?storagePath=COR%5C2025%5C0827%5C20847332.tif&amp;documentNumber=L25000392646\">registering<\/a> a limited liability corporation (LLC) in the U.S. state of Florida under the same name in August 2025. The names of some of the companies used for frontend phishing are as follows &#8211;<\/p>\n<ul>\n<li>Veltrix Capital<\/li>\n<li>Blockmerce<\/li>\n<li>Bridgers Finance<\/li>\n<\/ul>\n<p>\u00abThese organizations link to several GitHub organizations related to blockchain companies that have been active on GitHub since June 2025,\u00bb ReversingLabs security researcher Karlo Zanki <a href=\"https:\/\/www.reversinglabs.com\/blog\/graphalgo-campaign-respawned\">said<\/a>. \u00abTheir purpose is to provide trustworthiness to fake job offerings and to host fake job interview tasks.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Recent versions of the campaign have also been spotted using a different technique for hosting the malicious dependencies. Instead of publishing them to npm or PyPI, they are hosted as a release artifact in GitHub repositories, likely in an effort to minimize the risk of detection.<\/p>\n<p>\u00abThe reference to the malicious dependency is buried deep inside the list of the transitive dependencies. The resolved field in the package-lock.json file instructs the package manager where to fetch specific package dependencies from,\u00bb ReversingLabs noted. \u00abWhile all other dependencies are fetched from the official npm registry, the malicious one is fetched directly from a release artifact located in a crafted GitHub repository.\u00bb<\/p>\n<p>The list of npm packages is below &#8211;<\/p>\n<ul>\n<li>graph-dynamic<\/li>\n<li>graphbase-js<\/li>\n<li>graphlib-js<\/li>\n<\/ul>\n<p>The attack culminates with the deployment of a RAT that can gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload\/download files.<\/p>\n<p>In recent weeks, a North Korean state-sponsored threat cluster tracked as UNC1069 has also been linked to the compromise of \u00abaxios,\u00bb one of the most popular npm packages, highlighting the continued threat faced by open-source repositories from Pyongyang.<\/p>\n<p>Since then, the attackers behind the breach have <a href=\"https:\/\/x.com\/CharlieEriksen\/status\/2042623824902943167\">published<\/a> a new npm package called \u00abcsec-crypto-utils\u00bb containing an \u00abupdated payload\u00bb that substitutes the RAT dropper for a data stealer that exfoliates AWS keys, GitHub tokens, and .npmrc configuration files to an external server (\u00abcsec-c2-server.onrender[.]com\u00bb).<\/p>\n<p>In its report detailing the supply chain compromise, Hunt.io <a href=\"https:\/\/hunt.io\/blog\/justjoin-landing-page-linked-to-suspected-dprk-activity-resurfaces\">tied the attack<\/a> to a Lazarus Group sub-cluster known as BlueNoroff, citing infrastructure overlaps and the RAT&#8217;s similarities with NukeSped.<\/p>\n<p>\u00abThe threat actors&#8217; use of advanced techniques and tactics, as well as an astonishing level of campaign preparation (setting up a Florida LLC) and their ability to adapt, makes North Korean threat actors a top threat to organizations or individual developers focused on cryptocurrency,\u00bb ReversingLabs said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic&#8217;s Claude Opus large language model (LLM). The package&hellip;<\/p>\n","protected":false},"author":1,"featured_media":758,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1470,24,745,150,107,42,39,1037,386],"class_list":["post-757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-aiinserted","tag-attacks","tag-dprk","tag-fake","tag-firms","tag-malware","tag-npm","tag-rats","tag-wave"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=757"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/757\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/758"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}