Wednesday, April 29, 2026

How North Korea Used AI to Infiltrate npm: The PromptMink Campaign Exposed

North Korea's AI-Powered npm Supply Chain Attacks: Inside the 2026 PromptMink Campaign

Photo by SAYAN MONDAL on Unsplash

Key Takeaways
  • North Korean threat actors (Famous Chollima / UNC1069) planted malware inside an AI-assisted GitHub commit on February 28, 2026, co-authored by Anthropic's Claude Opus LLM — a first-of-its-kind tactic that weaponizes developer trust in AI coding tools.
  • ReversingLabs tracked over 60 malicious npm packages and more than 300 package versions tied to the PromptMink campaign across seven months, demonstrating a highly scaled and sustained operation.
  • STARDUST CHOLLIMA compromised the Axios npm package — with over 100 million downloads — in March 2026, deploying the WAVESHAPER.V2 backdoor via a fake company LLC and a fraudulent Microsoft Teams meeting.
  • Between February 6 and April 7, 2026, DPRK-linked actors distributed 1,700+ malicious packages across npm, PyPI, Go, and Rust registries, with the Security Alliance (SEAL) blocking 164 associated impersonation domains.

What Happened

In early 2026, cybersecurity researchers at ReversingLabs uncovered one of the most sophisticated open-source supply chain attacks ever documented — a campaign they codenamed PromptMink. The operation is attributed to Famous Chollima (also known as Shifty Corsair or UNC1069), a North Korean state-sponsored threat actor with ties to the long-running Contagious Interview campaign and an elaborate fraudulent IT worker scheme. Over a seven-month tracking period, researchers identified more than 60 malicious npm packages and over 300 package versions tied to the campaign — clear evidence of an industrialized, continuously refined operation.

The campaign's most alarming innovation: attackers used an AI coding assistant to smuggle malware into a legitimate project. On February 28, 2026, a malicious npm (Node Package Manager — a public registry of reusable JavaScript code libraries) package called @validate-sdk/v2 was quietly inserted as a dependency into an autonomous Solana cryptocurrency trading agent via an AI-assisted commit. The commit was co-authored by Anthropic's Claude Opus large language model. According to ReversingLabs researcher Vladimir Pezo, this allowed attackers to "access users' crypto wallets and funds." The package had originally been uploaded to the npm registry in October 2025, giving it months to appear legitimate before active deployment.

A related DPRK operation carried out by STARDUST CHOLLIMA targeted the Axios JavaScript library in March 2026. Attackers posed as a fictitious company and used a fraudulent Microsoft Teams meeting to social-engineer (manipulate a trusted person into granting access) the package's maintainer. The compromised Axios versions 1.14.1 and 0.30.4 deployed a backdoor called WAVESHAPER.V2 across Windows, macOS, and Linux. Google's Threat Intelligence Group attributed this attack, describing WAVESHAPER.V2 as a fully functional RAT (Remote Access Trojan — malware that gives hackers remote control and surveillance capabilities over an infected device). At the time of compromise, Axios had more than 100 million downloads.

Photo by Growtika on Unsplash

Why It Matters for Your Organization's Security

If your team writes code, uses open-source libraries, or builds software that depends on npm, PyPI, Go, or Rust packages, these attacks are a direct threat to your operations and your data protection responsibilities. The scale here is documented and ongoing.

Between February 6 and April 7, 2026 alone, DPRK-linked actors distributed more than 1,700 malicious packages across four major public registries. The Security Alliance (SEAL) identified and blocked 164 associated domains impersonating services your teams use every day — Microsoft Teams and Zoom. This is not a targeted strike against a single company. It is a wide-net operation designed to poison shared infrastructure at scale, making proactive threat intelligence essential rather than optional.

What makes PromptMink particularly dangerous is its deliberate exploitation of AI-assisted development workflows. ReversingLabs analysts noted that Famous Chollima is "leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers." In plain terms: attackers are now engineering payloads specifically to fool the AI tools your team trusts, and by extension the developers who act on those tools' suggestions. This fundamentally changes the threat landscape for any organization embracing AI-accelerated development — and it raises the stakes for data protection at every stage of your software supply chain.

The Axios attack illustrates the devastating potential of supply chain compromises (attacks that target a widely shared software component rather than each victim individually). When STARDUST CHOLLIMA compromised Axios, they created a simultaneous foothold across millions of dependent projects worldwide. The PromptMink payload itself evolved dramatically — from a 5.1KB obfuscated JavaScript stealer to approximately 85MB after being repackaged as a Node.js SEA (Single Executable Application — a self-contained program that bundles all its dependencies). This evolution deliberately outruns signature-based detection tools that match known-bad file patterns.

The incident response (the process of detecting, containing, and recovering from a security breach) challenge this creates is significant for smaller IT teams. Without a practiced playbook, the gap between detection and containment grows dangerously wide — and so does your regulatory exposure. Data protection obligations under frameworks like GDPR and CCPA require breach notification within strict timeframes, making rapid impact analysis a legal necessity, not just a technical best practice.

Finally, consider the human element. STARDUST CHOLLIMA did not brute-force its way into Axios. It built a fake LLC, booked a Teams meeting, and manipulated a real developer into cooperating. Security awareness training specific to supply chain social engineering — not generic phishing simulations — is now a prerequisite for any developer-facing team.

Photo by Quilia on Unsplash

The AI Angle

PromptMink marks a genuine turning point: threat actors are now weaponizing the trust signals developers associate with AI coding tools. By embedding malicious code into an AI co-authored commit, DPRK operators demonstrated that malware can ride the perceived legitimacy of automated development assistants — converting a productivity trend into a security awareness blind spot at scale.

This is exactly where AI-powered security platforms earn their place. Tools like ReversingLabs Spectra Assure (a software supply chain security platform that analyzes packages for malicious behavior before integration) and Socket Security (which monitors npm and PyPI packages in real time for suspicious runtime behaviors such as unexpected network calls or file system access during installation) are built to catch what AI coding assistants and traditional antivirus miss. They analyze behavior rather than known-bad signatures, making them far more resilient against rapidly evolving payloads like PromptMink's 85MB SEA variant. Pairing these tools with curated threat intelligence feeds — such as SEAL domain blocklists and ReversingLabs advisories — gives your security team early warning before malicious packages reach your build pipeline. As attackers automate and AI-accelerate their operations, defenders need tooling that can keep pace.

What Should You Do? 3 Action Steps

1. Audit and Lock Your Dependency Supply Chain Immediately

Run a full software composition analysis (SCA) scan — automated scanning of your project's third-party dependencies for vulnerabilities and malicious code — across all active projects today. Tools like Socket Security, Snyk, or ReversingLabs Spectra Assure can identify packages matching PromptMink indicators of compromise (IOCs — specific technical fingerprints of known-bad software). After auditing, enforce dependency pinning: lock every package to an exact version and record its cryptographic integrity hash in your lockfiles (package-lock.json, requirements.txt). This is one of the most effective cybersecurity best practices available for preventing attackers from slipping a malicious update past your team under a trusted package name. Integrate SCA directly into your CI/CD pipeline so every future dependency change is automatically reviewed.
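One way to enforce the pinning discipline from Step 1 in CI is a small gate that reads package-lock.json and fails the build when an installed package has no integrity hash, was resolved from a host outside your approved registry, or matches a denylisted indicator. The script below is an added example written for this page; it is not code from the article, from Socket, Snyk or ReversingLabs. The denylist holds the package name and Axios versions the article reports; the sample lockfile, its hash values, the @validate-sdk/v2 version number and the internal mirror host are constructed for illustration.

```javascript
// Added example (not from the article or any vendor it names): a CI gate over
// package-lock.json (lockfileVersion 2/3 "packages" map). Every installed package
// must carry a sha512 integrity hash, resolve to an allowed registry host, and
// not match a denylisted indicator.

const ALLOWED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Indicators from the article. Omitting `versions` denylists every version.
const DENYLIST = [
  { name: "@validate-sdk/v2" },
  { name: "axios", versions: ["1.14.1", "0.30.4"] },
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Returns one finding per violated rule; an empty array means the lockfile passes.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project entry / workspace symlink
    const name = entry.name || nameOf(path);
    const version = entry.version;
    const flag = (rule, detail) => findings.push({ path, name, version, rule, detail });

    // `npm ci` verifies the downloaded tarball against this hash; without it a
    // registry or mirror could serve a different artifact under the same version.
    if (!/^sha512-/.test(entry.integrity || "")) {
      flag("missing-integrity", "no sha512 integrity hash recorded");
    }

    if (!entry.resolved) {
      flag("missing-resolved", "no resolved URL recorded");
    } else {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch (_) { /* not a URL */ }
      if (!host || !ALLOWED_REGISTRY_HOSTS.has(host)) {
        flag("untrusted-source", `resolved from ${host || entry.resolved}`);
      }
    }

    for (const ioc of DENYLIST) {
      if (ioc.name === name && (!ioc.versions || ioc.versions.includes(version))) {
        flag("denylisted-package", `matches indicator ${ioc.name}${ioc.versions ? "@" + version : ""}`);
      }
    }
  }
  return findings;
}

// Intended for CI: exit non-zero when gate() returns false.
function gate(lock) {
  return auditLockfile(lock).length === 0;
}

// Constructed lockfile for a project shaped like the trading agent described above.
// Hash values, the @validate-sdk/v2 version and the mirror host are placeholders.
const SAMPLE_LOCK = {
  name: "trading-agent", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "trading-agent", version: "1.0.0",
          dependencies: { axios: "^1.14.0", "@validate-sdk/v2": "^1.0.0", "left-pad": "1.3.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH" },
    "node_modules/@validate-sdk/v2": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/@validate-sdk/v2/-/v2-1.0.3.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://npm-mirror.internal.example/left-pad-1.3.0.tgz" }, // no hash, unlisted host
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule}: ${f.name}@${f.version} (${f.path}) - ${f.detail}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed contents of your package-lock.json and wiring `gate()` to the process exit code. The host allowlist deliberately rejects internal mirrors unless you add them, because a mirror that serves unhashed tarballs is exactly the kind of gap a substituted package slips through; pair the gate with `npm ci` in CI so the recorded hashes are actually enforced at install time.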

2. Verify Collaborator Identities — Especially in AI-Assisted and Remote Workflows

The Axios compromise succeeded because a real developer was deceived by a convincing fake. Establish a verified identity protocol for all external contributors: video-verify via a channel you initiate independently (not a link the other party provides), confirm organizational details through public business registries, and require multi-person approval before any outside contributor can modify package configuration files. Extend your security awareness program to explicitly cover supply chain impersonation tactics — fake LLCs, fraudulent meeting invites, and AI-generated communications designed to manufacture trust. These cybersecurity best practices are now fundamental for any developer team operating in a remote-first environment where face-to-face verification is rare.

3. Build and Exercise a Supply Chain-Specific Incident Response Playbook

Generic incident response plans are insufficient for supply chain breaches. Build a dedicated playbook that includes: (1) rapid dependency impact analysis — mapping exactly which internal projects and customer-facing products pulled an affected package version; (2) immediate credential and API key rotation for any environment that executed the compromised dependency; (3) a customer and regulatory notification decision tree, because your data protection obligations under GDPR, CCPA, or HIPAA may be triggered; and (4) a coordination template for working with affected registries and package maintainers to expedite removal. Run a tabletop exercise (a simulated walkthrough of your response plan without a real attack) with both technical and legal stakeholders at least twice per year, and subscribe to threat intelligence feeds such as SEAL disclosures and OSS-Fuzz alerts to shorten your future detection windows.

Frequently Asked Questions

How can I tell if my project downloaded a malicious npm package from the DPRK PromptMink campaign?

Start by cross-referencing your project's dependency list against the indicators of compromise (IOCs) published by ReversingLabs and the Security Alliance (SEAL). Run npm audit and supplement it with Socket Security, which checks packages for suspicious runtime behaviors during installation. Pay particular attention to packages with names resembling validation or SDK utilities (such as @validate-sdk/v2), packages added via AI-assisted commits, and any dependencies introduced between October 2025 and April 2026. If you identify a match, immediately trigger your incident response process: isolate affected systems, rotate all credentials accessible from those environments, and evaluate your data protection notification obligations under applicable regulations.

How do North Korean hackers use fake companies to compromise open-source software maintainers?

DPRK-linked actors like STARDUST CHOLLIMA construct convincing fake organizational identities — LLC registrations, professional websites, and business email domains — to approach open-source maintainers under the guise of legitimate collaboration or employment opportunities. They then use impersonated communication platforms such as spoofed Microsoft Teams or Zoom meeting links (164 such domains were blocked by SEAL between February and April 2026) to build rapport and eventually request repository access or convince maintainers to run malicious tooling. Effective security awareness for developer teams must include a mandatory identity verification protocol using independently confirmed contact details — never links or information provided by the contact requesting access.

What cybersecurity best practices should developers follow to prevent AI-assisted supply chain attacks in 2026?

Several cybersecurity best practices are now specifically relevant to AI-assisted development environments. First, treat AI coding tool suggestions as unverified drafts — always manually audit any dependency an AI tool recommends before adding it to your project. Second, integrate SCA tooling into your CI/CD pipeline to automatically block unapproved dependency changes. Third, enforce code signing (a cryptographic method for verifying that code has not been tampered with) on commits that touch package configuration files. Fourth, implement multi-person approval for dependency additions. Fifth, prune unused dependencies regularly to minimize your attack surface. Maintaining active threat intelligence subscriptions to registry abuse feeds and security advisories will give your team early warning of campaigns like PromptMink before they reach your codebase.

What is the WAVESHAPER.V2 backdoor and what are my data protection obligations if my systems were exposed?

WAVESHAPER.V2 is a fully functional RAT (Remote Access Trojan — malware that grants an attacker remote control and surveillance access to an infected machine) deployed by STARDUST CHOLLIMA through the compromised Axios npm package versions 1.14.1 and 0.30.4 in March 2026. It runs on Windows, macOS, and Linux and is described by Google's Threat Intelligence Group as having broad reconnaissance capabilities — including keystroke logging, file access, screenshots, and data exfiltration (secretly transmitting data to an attacker's server). If any system in your environment ran an Axios-dependent application using either compromised version, your data protection obligations may be triggered: GDPR requires supervisory authority notification within 72 hours of discovering a breach, and CCPA and HIPAA impose similar requirements. Engage your incident response team and a qualified privacy attorney immediately if you suspect exposure.

How should a small business structure its incident response plan to handle open-source supply chain compromises differently from a standard data breach?

Supply chain compromises require a broader blast-radius assessment than a credential breach or phishing incident. A malicious package can simultaneously affect every system — and potentially every customer — running an application with that dependency. Your incident response plan should include a rapid downstream impact analysis that maps which internal projects, deployed applications, and customer-facing products used the affected package and version range. Build a notification decision tree that maps your data protection obligations (GDPR, CCPA, HIPAA as applicable) to the categories of data that could have been accessed by the malicious payload. Coordinate with the affected registry and package maintainer to ensure removal of malicious versions. Subscribe to threat intelligence sources like SEAL disclosures and ReversingLabs advisories to reduce time-to-detection for future incidents, and practice the full playbook in a tabletop exercise with both technical and legal teams at least twice per year.
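The "rapid dependency impact analysis" called for in Step 3, in the first FAQ answer and again in the answer above comes down to one question per project: did this project install an affected version, and through which dependency chain? The script below is an added example for this page, not code from the article or from any vendor it names. It walks several projects' package-lock.json contents, reproduces npm's nearest-node_modules resolution so that hoisted and nested copies are both attributed correctly, and prints the chain from each project root to every affected copy. The affected Axios versions are the two the article names; the project names, the other package names and all lockfile contents are constructed.

```javascript
// Added example (not from the article or any vendor it names): downstream
// impact analysis over several projects' package-lock.json files
// (lockfileVersion 2/3 "packages" map). Reports which project pulled an
// affected version and through which dependency chain, so credential
// rotation and notification can be scoped to what actually ran it.

// Affected versions named in the article.
const AFFECTED = { axios: new Set(["1.14.1", "0.30.4"]) };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Mimics npm's nearest-node_modules lookup: the lockfile entry that `dep`,
// required from the entry at `from`, binds to (null if not installed).
function resolveDep(packages, from, dep) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Reverse edges: for every entry path, the entry paths that depend on it.
// devDependencies count only at the root; peerDependencies are ignored.
function dependentsMap(packages) {
  const dependents = {};
  for (const [path, entry] of Object.entries(packages)) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
                               path === "" ? entry.devDependencies : {});
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, path, dep);
      if (target) (dependents[target] = dependents[target] || []).push(path);
    }
  }
  return dependents;
}

// Every chain from the project root down to `target`, rendered as
// "project > pkg > ... > target@version".
function chainsTo(packages, dependents, target, rootName) {
  const chains = [];
  const walk = (path, trail, seen) => {
    if (path === "") { chains.push([rootName, ...trail].join(" > ")); return; }
    for (const parent of dependents[path] || []) {
      if (seen.has(parent)) continue; // cycle guard
      const next = parent === "" ? trail : [nameOf(parent), ...trail];
      walk(parent, next, new Set(seen).add(parent));
    }
  };
  walk(target, [`${nameOf(target)}@${packages[target].version}`], new Set([target]));
  return chains;
}

// projects: [{ name, lock }] where lock is a parsed package-lock.json.
function impactReport(projects) {
  const report = [];
  for (const { name, lock } of projects) {
    const packages = lock.packages || {};
    const dependents = dependentsMap(packages);
    for (const [path, entry] of Object.entries(packages)) {
      if (path === "") continue;
      const pkg = entry.name || nameOf(path);
      if (AFFECTED[pkg] && AFFECTED[pkg].has(entry.version)) {
        report.push({ project: name, package: pkg, version: entry.version,
                      chains: chainsTo(packages, dependents, path, name) });
      }
    }
  }
  return report;
}

// Constructed lockfiles: one hoisted affected copy reached transitively, one
// project on a safe version, and one nested affected copy under a legacy client.
const SAMPLE_PROJECTS = [
  { name: "trading-agent", lock: { packages: {
      "": { name: "trading-agent", dependencies: { "@validate-sdk/v2": "^1.0.0" } },
      "node_modules/@validate-sdk/v2": { version: "1.0.3", dependencies: { axios: "^1.14.0" } },
      "node_modules/axios": { version: "1.14.1" } } } },
  { name: "billing-portal", lock: { packages: {
      "": { name: "billing-portal", dependencies: { axios: "^1.13.0" } },
      "node_modules/axios": { version: "1.13.0" } } } },
  { name: "legacy-dashboard", lock: { packages: {
      "": { name: "legacy-dashboard", dependencies: { axios: "^1.13.0", "old-http-client": "2.0.0" } },
      "node_modules/axios": { version: "1.13.0" },
      "node_modules/old-http-client": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
      "node_modules/old-http-client/node_modules/axios": { version: "0.30.4" } } } },
];

for (const hit of impactReport(SAMPLE_PROJECTS)) {
  console.log(`${hit.project}: ${hit.package}@${hit.version} via ${hit.chains.join(" | ")}`);
}
```

The nested case matters: a project whose direct axios dependency is on a safe version can still ship the affected 0.x line inside a transitive dependency, which a grep of package.json would miss. Feed the report into the notification decision tree by joining each project name to the data categories that deployment handles.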

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.
