Introduction
Artificial intelligence is rapidly changing the software development world. Developers now rely on AI tools to write code faster, solve bugs, and automate repetitive tasks. But as these systems become more powerful, cybercriminals are adapting just as quickly. A newly exposed supply chain attack shows how attackers manipulated an AI coding assistant into inserting malicious software into a live project.
The incident involved Anthropic’s Claude Opus model, which reportedly introduced a harmful dependency into an autonomous crypto trading project. What looked like a normal software package was actually malware designed to steal secrets, compromise wallets, and open remote access for attackers. This event highlights a growing cybersecurity risk: when AI writes code, it can also be tricked into writing danger.
How the PromptMink Attack Happened
Security researchers at ReversingLabs discovered the malware campaign and named it PromptMink. The threat was identified in a February 2026 commit to an open-source project known as openpaw-graveyard, described as an autonomous crypto trading agent.
Inside that project, a suspicious package called @validate-sdk/v2 was added. At first glance, it appeared to be a harmless validation library used for checking data. In reality, it was built to steal sensitive information from developers and users, especially crypto wallet credentials and access secrets.
This type of attack is especially dangerous because malicious dependencies often blend in with legitimate tools. Many developers install such packages without deep inspection, especially when recommended by AI systems.
A Smart Two-Layer Evasion Method
PromptMink used a layered structure to avoid detection.
The first layer involved clean-looking bait packages such as @solana-launchpad/sdk. These packages contained no harmful code themselves. Instead, they acted as wrappers that silently loaded a second hidden dependency.
That second dependency, such as @validate-sdk/v2, carried the real malware payload.
This design gave attackers an advantage. If security researchers flagged the malicious package and had it removed from repositories like npm, the clean bait package could simply be updated to point toward a different malicious package later. The public trust of the bait package remained intact.
This method makes detection harder because the visible package seems safe while danger sits one step deeper.
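The wrapper layout described above can be caught by looking one step past the package a project declares. The following is an added example, not tooling from ReversingLabs or code from the affected project: it walks a lockfile-style dependency graph and flags any reachable package whose entry module does nothing but re-export one of its own dependencies. The package names echo the article; their contents, versions and the entry-file text are constructed for illustration.

```python
"""Flag 'clean wrapper' packages whose entry module only re-exports another
dependency, so the real code sits one level deeper in the dependency graph.
Added example; not ReversingLabs' tooling and not from the affected project.
Package contents below are constructed for illustration."""
import re
from typing import Dict, List, Optional

# Constructed lockfile-style view: name -> declared dependencies and the text of
# the package's entry file. Names echo the article; contents are invented.
SAMPLE_PACKAGES: Dict[str, dict] = {
    "@solana-launchpad/sdk": {
        "dependencies": {"@validate-sdk/v2": "2.1.0"},
        "entry": "// thin facade\nmodule.exports = require('@validate-sdk/v2');\n",
    },
    "@validate-sdk/v2": {
        "dependencies": {},
        # harmless stand-in for whatever the hidden package really contains
        "entry": "const os = require('os');\nmodule.exports = { check: (v) => v != null };\n",
    },
    "left-pad": {
        "dependencies": {},
        "entry": "module.exports = function leftPad(s, n) { return s.padStart(n); };\n",
    },
}

# A single statement of the form: module.exports = require('<pkg>');
REEXPORT_RE = re.compile(
    r"^\s*module\.exports\s*=\s*require\(\s*['\"]([^'\"]+)['\"]\s*\)\s*;?\s*$"
)


def reexport_target(entry: str) -> Optional[str]:
    """Return the package a module re-exports when that is all the module does.

    Blank lines and // comments are ignored; any other statement means real code."""
    code = [ln for ln in entry.splitlines() if ln.strip() and not ln.strip().startswith("//")]
    if len(code) != 1:
        return None
    m = REEXPORT_RE.match(code[0])
    return m.group(1) if m else None


def transitive_deps(packages: Dict[str, dict], root: str) -> List[str]:
    """Depth-first walk from root; returns every reachable package once."""
    seen, order, stack = set(), [], [root]
    while stack:
        name = stack.pop()
        if name in seen or name not in packages:
            continue
        seen.add(name)
        order.append(name)
        stack.extend(packages[name].get("dependencies", {}))
    return order


def find_wrappers(packages: Dict[str, dict], root: str) -> List[dict]:
    """Report every package reachable from root that is only a facade for a
    dependency of its own, together with the hidden package it forwards to."""
    findings = []
    for name in transitive_deps(packages, root):
        target = reexport_target(packages[name]["entry"])
        if target and target in packages[name].get("dependencies", {}):
            findings.append({"wrapper": name, "hidden": target, "reached_from": root})
    return findings


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        for f in find_wrappers(SAMPLE_PACKAGES, pkg):
            print(f"{f['reached_from']}: {f['wrapper']} is a facade for {f['hidden']}")
```

The point of the walk is that reputation checks run on the facade will keep passing even after the forwarded package is swapped, so the thing to inspect is where the facade's code actually comes from, not the facade itself.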
How PromptMink Evolved
Researchers noted that PromptMink did not stay static. It changed over time to become harder to detect.
It first appeared as a simple JavaScript information stealer. Later, it evolved into large Single Executable Applications, allowing attackers to package everything into standalone files. Eventually, the campaign shifted into compiled Rust payloads, a move often associated with stealth, speed, and more advanced malware engineering.
This progression shows a serious investment in the operation. Attackers were not experimenting casually. They were refining their tools for long-term use.
What the Malware Does After Infection
Once installed, PromptMink performs multiple harmful actions:
Searches folders for crypto-related configuration files
Steals wallet credentials and authentication secrets
Collects basic system information
Compresses and exfiltrates full source code directories
Adds attacker SSH keys on Linux and Windows systems
Creates persistent remote access for future compromise
For software teams building blockchain products, this can be catastrophic. A single infected machine may expose private keys, proprietary code, investor assets, and internal infrastructure.
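One of the listed behaviours, adding attacker SSH keys, leaves a durable artifact that a host-side audit can check. The following is an added example, not code from ReversingLabs or the affected project: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports every entry whose fingerprint is not in the set of keys the organisation issued. The key blobs are constructed byte strings, not real SSH keys, and the "issued" set is assumed to be maintained elsewhere (for example by configuration management).

```python
"""Audit an authorized_keys file against the fingerprints of keys the
organisation actually issued, so an entry added by malware stands out.
Added example, not from ReversingLabs or the affected project; the key blobs
below are constructed byte strings, not real SSH keys."""
import base64
import hashlib
from typing import List, Set, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_blob(label: str) -> str:
    """Stand-in for a real key blob (constructed; only its fingerprint matters here)."""
    return base64.b64encode(b"constructed-key-" + label.encode()).decode()


ALICE, RUNNER, INTRUDER = (constructed_blob(n) for n in ("alice", "ci-runner", "intruder"))

# Constructed file as it might look after a compromise: two issued keys, one unknown.
SAMPLE_AUTHORIZED_KEYS = f"""\
# managed by config management; constructed sample
ssh-ed25519 {ALICE} alice@laptop
command="/usr/local/bin/deploy",no-pty ssh-ed25519 {RUNNER} ci-runner
ssh-rsa {INTRUDER} backup
"""

# Assumed to come from the organisation's key inventory.
ISSUED_FINGERPRINTS: Set[str] = {fingerprint(ALICE), fingerprint(RUNNER)}


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, blob, comment) per key line, skipping comments and
    blanks and tolerating a leading options field such as command=..."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        entries.append((parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])))
    return entries


def unexpected_keys(text: str, issued: Set[str]) -> List[Tuple[str, str, str]]:
    """Entries whose fingerprint is not issued: (key_type, comment, fingerprint)."""
    return [
        (key_type, comment, fingerprint(blob))
        for key_type, blob, comment in parse_authorized_keys(text)
        if fingerprint(blob) not in issued
    ]


if __name__ == "__main__":
    for key_type, comment, fp in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ISSUED_FINGERPRINTS):
        print(f"unexpected {key_type} key '{comment}' {fp}")
```

Comparing fingerprints rather than comments matters because the comment field is free text and an attacker can label a key "backup" or reuse a legitimate user's name; the fingerprint is derived from the key material itself. The options-field handling here is simple whitespace splitting, which is enough for the common `command=`/`no-pty` forms but not for quoted options that themselves contain a token starting with `ssh-`.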
Suspected North Korean Link
ReversingLabs attributed the campaign to Famous Chollima, a threat group linked to North Korea.
This group has a known history of targeting cryptocurrency developers, exchanges, and blockchain infrastructure. Crypto-focused attacks are often financially motivated, using stolen assets to generate revenue outside traditional sanctions systems.
The PromptMink campaign suggests these actors are now shifting from direct phishing and wallet theft into AI-assisted software supply chain compromise.
LLM Optimization Abuse: A New Threat Model
One of the most concerning parts of the report is the tactic called LLM Optimization (LLMO) abuse.
Instead of only writing malware, attackers also wrote convincing package descriptions and documentation. This content was likely optimized to appear trustworthy and relevant to large language models used in coding assistants.
In simple terms, the attackers were not just tricking humans anymore. They were tricking the AI itself.
If an AI assistant scans repositories and sees a well-documented package that appears useful, it may recommend it or automatically install it. That creates a dangerous feedback loop where fake trust signals are enough to compromise development environments.
Why This Matters for the Future of Coding
AI-generated code is becoming common across startups, enterprises, and open-source communities. Many teams already allow AI tools to suggest libraries, generate scripts, and automate commits.
But this case proves that speed without verification creates a new attack surface.
Traditional code review assumes a human intentionally selected dependencies. In AI-assisted development, software may pull external components automatically, sometimes faster than security teams can inspect them.
That changes the rules of software trust.
What Undercode Says:
This PromptMink incident may be remembered as one of the first clear warnings of the AI supply chain era. For years, dependency confusion and malicious npm packages targeted human negligence. Now attackers are aiming directly at machine reasoning.
That shift is significant. AI models do not “trust” the way humans do. They rank patterns, documentation quality, popularity signals, and contextual relevance. If criminals learn how to manipulate those signals, they can influence automated coding decisions at scale.
This means future malware campaigns may focus less on obvious malicious code and more on psychological engineering for algorithms. Well-written READMEs, professional branding, realistic GitHub activity, fake user reviews, and polished documentation may become weapons.
The crypto industry is a logical target because development speed is high, codebases are complex, and direct financial rewards are immediate. But the same tactic could hit SaaS firms, fintech apps, healthcare platforms, or enterprise internal tooling.
Security teams now need a new layer of defense: AI output validation. Every package suggested by an LLM should be treated as untrusted until verified. AI can improve productivity, but it cannot replace due diligence.
Organizations should also train developers not to blindly trust machine-generated commits. If AI inserts a dependency no one recognizes, that should trigger immediate review.
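The "immediate review" trigger above can be made mechanical in CI. The following is an added example, not the affected project's pipeline or any vendor's product: it diffs the dependency sections of a package.json between the base and head revisions, and blocks the change when a newly added package is not on a human-maintained approved list. The manifest contents, package names and the approved list are constructed for illustration.

```python
"""Pre-merge gate for dependency changes: diff the manifests of the base and
head revisions, and route any newly added package that no maintainer has
approved to human review before it can land. Added example, not the project's
CI; the manifests and the approved list are constructed for illustration."""
import json
from typing import Dict, Set

SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed package.json contents before and after a machine-generated commit.
BASE_MANIFEST = json.dumps({
    "name": "trading-agent",
    "dependencies": {"@solana/web3.js": "^1.90.0", "axios": "^1.6.0"},
})
HEAD_MANIFEST = json.dumps({
    "name": "trading-agent",
    "dependencies": {
        "@solana/web3.js": "^1.91.0",
        "axios": "^1.6.0",
        "@validate-sdk/v2": "2.1.0",  # the addition nobody on the team asked for
    },
    "devDependencies": {"vitest": "^1.0.0"},
})

# Packages a human maintainer has vetted; anything else needs review.
APPROVED: Set[str] = {"@solana/web3.js", "axios", "vitest"}


def declared_dependencies(manifest_text: str) -> Dict[str, str]:
    """Flatten every dependency section into one name -> version-spec map."""
    manifest = json.loads(manifest_text)
    merged: Dict[str, str] = {}
    for section in SECTIONS:
        merged.update(manifest.get(section, {}))
    return merged


def review_dependency_changes(base_text: str, head_text: str, approved: Set[str]) -> dict:
    """Compare two manifests and decide whether the change may merge unattended."""
    base, head = declared_dependencies(base_text), declared_dependencies(head_text)
    added = sorted(set(head) - set(base))
    removed = sorted(set(base) - set(head))
    changed = sorted(n for n in head if n in base and head[n] != base[n])
    needs_review = [n for n in added if n not in approved]
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "needs_review": needs_review,
        "verdict": "block" if needs_review else "pass",
    }


if __name__ == "__main__":
    result = review_dependency_changes(BASE_MANIFEST, HEAD_MANIFEST, APPROVED)
    print(json.dumps(result, indent=2))
```

Version bumps of already-approved packages are reported but do not block on their own; the gate is deliberately narrow so that it fires on exactly the event the article describes, a dependency appearing that nobody recognises, and the approved list is the place where a human decision is recorded.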
Another likely trend is the rise of “clean wrapper malware” where harmless front-end packages redirect to hidden payloads. This tactic is clever because reputation systems often inspect only surface behavior.
Expect security vendors to respond with smarter dependency graph scanning, real-time threat feeds for package ecosystems, and AI-aware CI/CD controls.
The biggest lesson is simple: attackers innovate wherever trust becomes automated.
Fact Checker Results
✅ ReversingLabs is a recognized cybersecurity research company known for software supply chain investigations.
✅ North Korean threat actors have a documented history of targeting cryptocurrency ecosystems.
✅ Malicious open-source packages remain one of the fastest-growing risks in modern development pipelines.
Prediction
🔮 AI coding assistants will soon include built-in package reputation scoring before suggesting dependencies.
🔮 Enterprises will require manual approval for any AI-generated commit that adds third-party libraries.
🔮 Supply chain attacks targeting LLM-driven workflows will increase sharply over the next two years.
References:
Reported By: cyberpress.org