DPRK "PromptMink" campaign uses AI agents to insert @validate-sdk/v2 dependency
ReversingLabs traced a DPRK Famous Chollima / UNC1069 campaign that began with @hash-validator/v2 in Sept 2025 and evolved through Feb 28, 2026 to insert @validate-sdk/v2 as the malicious dependency of benign-looking "bait" SDKs aimed at AI coding agents. One AI-authored commit pulled @solana-launchpad/sdk into a crypto trading repo. Phase 4 in March 2026 used Rust NAPI modules and 85MB Node SEA bundles to exfiltrate full source trees. 300+ malicious package versions across 60+ unique packages observed.
- Threat actor
- Famous Chollima / UNC1069 (DPRK)
- Detected by
- ReversingLabs · GitHub Advisory Database
- Also known as
- PromptMink · Contagious Interview successor
- Ecosystems
- npmPyPI
- Packages tracked
- 10
What happened
ReversingLabs published the PromptMink write-up on April 29, 2026, attributing a long-running multi-phase campaign to North Korea's Famous Chollima / UNC1069 cluster. The campaign began in September 2025 with @hash-validator/v2 as the malicious dependency and evolved through Feb 28, 2026 into the longer-lived @validate-sdk/v2 line, eventually spanning 300+ malicious versions across 60+ unique packages.
The novelty is the delivery shape: rather than typosquatting directly, the operators built deliberately benign-looking "bait" SDKs targeting AI coding agents — @meme-sdk/trade, @solana-launchpad/sdk, @validate-ethereum-address/core, @pumpfun-ipfs/sdk and similar Web3 / Solana names — that declare @validate-sdk/v2 (or its predecessor) as a transitive dependency. The malicious payload thus arrives one level down the dependency tree, where lockfile review is less attentive.
ReversingLabs documented at least one AI-agent-authored commit that pulled @solana-launchpad/sdk into a real crypto-trading repo. That single commit then transitively pulled in the malicious validator. This is the first publicly-documented case of an AI coding agent's own commit being the vector for a North Korean supply-chain implant.
Phase 4 of the campaign (March 2026) moved up the technical ladder: Rust NAPI native modules plus 85 MB Node Single-Executable-Application (SEA) bundles capable of exfiltrating an entire source tree, not just credentials. If you allow AI agents to add dependencies, require human review on any commit that touches package.json or package-lock.json, and audit lockfiles for the named bait packages.
2026-06-10 update — npm security-holds the bait SDKs
On 2026-06-10 npm-support pushed 0.0.1-security security-hold replacements over three of the PromptMink bait names that had not previously been delisted, and the GitHub Advisory Database filed standalone CWE-506 advisories for each:
@meme-sdk/trade—GHSA-4c2m-9v9c-75xvcovers the original two releases1.0.0and1.0.1(both 2025-10-24)@validate-ethereum-address/core—GHSA-c29q-842f-rcjccovers1.0.3,1.0.4(2025-10-31) and1.0.5,1.0.6(2025-11-25)@validator-sdk/pubkey—GHSA-w9ch-gj3p-2cj9covers the entire eight-release batch published on 2025-10-31 (1.0.0,1.0.2,1.0.3,1.0.4,1.0.5,1.0.6,1.0.7,1.0.8)
Third-party news write-ups on 2026-06-10 grouped these GHSAs with the unrelated dbmux maintainer takeover and the SeedSweep aicrypto-xzggg drop and framed them as a single "coordinated wave". The naming, mechanics, and timeline all match the PromptMink bait packages first disclosed by ReversingLabs in April; the new identifier is the npm security-hold and the GHSA-level attribution, not a fresh actor. Treat the new GHSAs as supporting evidence for this incident rather than a separate event.
Affected packages (10)
- npm
@hash-validator/v2 - npm
@meme-sdk/trade1.0.01.0.1 - npm
@pumpfun-ipfs/sdk - npm
@solana-ipfs/sdk - npm
@solana-launchpad/sdk - npm
@solmasterv3/solana-metadata-sdk - npm
@validate-ethereum-address/core1.0.31.0.41.0.51.0.6 - npm
@validate-sdk/v21.22.111.22.121.22.131.22.141.22.151.22.161.22.171.22.181.22.191.22.201.22.211.22.221.22.231.22.241.22.251.22.261.22.271.22.281.22.291.22.301.22.31 - npm
@validator-sdk/pubkey1.0.01.0.21.0.31.0.41.0.51.0.61.0.71.0.8 - PyPI
scraper-npm1.0.4
Impact
- Crypto wallet and SSH credential theft via AI-agent-authored commits
- 300+ malicious package versions across 60+ unique packages observed
- Source-tree exfiltration of entire projects via Rust NAPI modules
What to do
- 1Block and audit for the named bait/payload packages in lockfiles and agent history
- 2Require human review on dependency-changing commits authored by AI agents
- 3Rotate SSH keys, AWS keys, .npmrc credentials, and wallet seeds for any affected dev box
References
- ReversingLabsReversingLabs: PromptMink — AI agents and DPRK malwarereversinglabs.com
- GitHubGHSA-4c2m-9v9c-75xv: Malicious code in @meme-sdk/tradegithub.com
- GitHubGHSA-c29q-842f-rcjc: Malicious code in @validate-ethereum-address/coregithub.com
- GitHubGHSA-w9ch-gj3p-2cj9: Malicious code in @validator-sdk/pubkeygithub.com