Researchers at ReversingLabs (RL) have uncovered a campaign dubbed PromptMink. Attributed to the North Korean-linked group Famous Chollima, this threat isn’t just targeting human developers—it is specifically engineered to deceive AI coding agents.
The campaign centers around the @validate-sdk/v2 npm package, which poses as a routine data validation tool but is actually a specialized infostealer designed to drain crypto wallets and siphon sensitive secrets.
What makes PromptMink unique is the “vibe-coding” approach used by the attackers. RL researchers found that the malicious packages were created with the help of generative AI, even discovering leftover LLM responses in file comments.
The success of these packages lies in their ability to manipulate the logic of AI assistants like Claude Opus, which was found to have co-authored a commit that added a malicious dependency to a crypto trading project on February 27, 2026.
As the report explains, “Famous Chollima’s signature is the heavy use of LLMs to generate malicious packages that have been more successful in tricking LLM coding agents than humans to use them.”
The attackers employed a sophisticated, multi-layered strategy to keep their campaign alive. They separated the “lure” (first-layer packages that look legitimate) from the “payload” (second-layer malicious packages). This allowed them to simply swap out detected malicious dependencies with new, undetected ones while keeping their primary “bait” packages in the marketplace.
The payloads themselves evolved rapidly in what researchers called a “butterfly-like transformation”:
- Phase 1: Obfuscated JavaScript payloads.
- Phase 2: Dropping SSH keys onto victim machines to grant remote access.
- Phase 3: Hiding malware inside Single Executable Applications (SEA) to evade detection, causing file sizes to skyrocket from 5.1KB to 85MB.
- Phase 4: Pivoting to Rust payloads to exfiltrate entire source code projects and intellectual property.
This marks a shift from traditional social engineering to a combination of knowledge injection and LLM Optimization (LLMO) abuse: attackers “inject” malicious packages into an AI’s knowledge base by creating documentation that makes the package look like the perfect fit for a specific coding task.
To combat this, RL emphasizes the need for “detailed static analysis of all dependencies”. By integrating threat intelligence directly into the AI’s environment—using tools like the Spectra Assure Community MCP Server—AI agents can be trained to recognize and reject these malicious components.