Feed
HighPublished 29 Apr 2026Updated 10 Jun 202610 packages · 36 versions

DPRK "PromptMink" campaign uses AI agents to insert @validate-sdk/v2 dependency

Summary

ReversingLabs traced a DPRK Famous Chollima / UNC1069 campaign that began with @hash-validator/v2 in Sept 2025 and evolved through Feb 28, 2026 to insert @validate-sdk/v2 as the malicious dependency of benign-looking "bait" SDKs aimed at AI coding agents. One AI-authored commit pulled @solana-launchpad/sdk into a crypto trading repo. Phase 4 in March 2026 used Rust NAPI modules and 85MB Node SEA bundles to exfiltrate full source trees. 300+ malicious package versions across 60+ unique packages observed.

credential-theftcrypto-wallet-draininfostealerprompt-injection
Threat actor
Famous Chollima / UNC1069 (DPRK)
Detected by
ReversingLabs · GitHub Advisory Database
Also known as
PromptMink · Contagious Interview successor
Ecosystems
npmPyPI
Packages tracked
10

What happened

ReversingLabs published the PromptMink write-up on April 29, 2026, attributing a long-running multi-phase campaign to North Korea's Famous Chollima / UNC1069 cluster. The campaign began in September 2025 with @hash-validator/v2 as the malicious dependency and evolved through Feb 28, 2026 into the longer-lived @validate-sdk/v2 line, eventually spanning 300+ malicious versions across 60+ unique packages.

The novelty is the delivery shape: rather than typosquatting directly, the operators built deliberately benign-looking "bait" SDKs targeting AI coding agents — @meme-sdk/trade, @solana-launchpad/sdk, @validate-ethereum-address/core, @pumpfun-ipfs/sdk and similar Web3 / Solana names — that declare @validate-sdk/v2 (or its predecessor) as a transitive dependency. The malicious payload thus arrives one level down the dependency tree, where lockfile review is less attentive.

ReversingLabs documented at least one AI-agent-authored commit that pulled @solana-launchpad/sdk into a real crypto-trading repo. That single commit then transitively pulled in the malicious validator. This is the first publicly-documented case of an AI coding agent's own commit being the vector for a North Korean supply-chain implant.

Phase 4 of the campaign (March 2026) moved up the technical ladder: Rust NAPI native modules plus 85 MB Node Single-Executable-Application (SEA) bundles capable of exfiltrating an entire source tree, not just credentials. If you allow AI agents to add dependencies, require human review on any commit that touches package.json or package-lock.json, and audit lockfiles for the named bait packages.

2026-06-10 update — npm security-holds the bait SDKs

On 2026-06-10 npm-support pushed 0.0.1-security security-hold replacements over three of the PromptMink bait names that had not previously been delisted, and the GitHub Advisory Database filed standalone CWE-506 advisories for each:

  • @meme-sdk/tradeGHSA-4c2m-9v9c-75xv covers the original two releases 1.0.0 and 1.0.1 (both 2025-10-24)
  • @validate-ethereum-address/coreGHSA-c29q-842f-rcjc covers 1.0.3, 1.0.4 (2025-10-31) and 1.0.5, 1.0.6 (2025-11-25)
  • @validator-sdk/pubkeyGHSA-w9ch-gj3p-2cj9 covers the entire eight-release batch published on 2025-10-31 (1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8)

Third-party news write-ups on 2026-06-10 grouped these GHSAs with the unrelated dbmux maintainer takeover and the SeedSweep aicrypto-xzggg drop and framed them as a single "coordinated wave". The naming, mechanics, and timeline all match the PromptMink bait packages first disclosed by ReversingLabs in April; the new identifier is the npm security-hold and the GHSA-level attribution, not a fresh actor. Treat the new GHSAs as supporting evidence for this incident rather than a separate event.

Affected packages (10)

  • npm@hash-validator/v2
  • npm@meme-sdk/trade
    1.0.01.0.1
  • npm@pumpfun-ipfs/sdk
  • npm@solana-ipfs/sdk
  • npm@solana-launchpad/sdk
  • npm@solmasterv3/solana-metadata-sdk
  • npm@validate-ethereum-address/core
    1.0.31.0.41.0.51.0.6
  • npm@validate-sdk/v2
    1.22.111.22.121.22.131.22.141.22.151.22.161.22.171.22.181.22.191.22.201.22.211.22.221.22.231.22.241.22.251.22.261.22.271.22.281.22.291.22.301.22.31
  • npm@validator-sdk/pubkey
    1.0.01.0.21.0.31.0.41.0.51.0.61.0.71.0.8
  • PyPIscraper-npm
    1.0.4

Impact

  • Crypto wallet and SSH credential theft via AI-agent-authored commits
  • 300+ malicious package versions across 60+ unique packages observed
  • Source-tree exfiltration of entire projects via Rust NAPI modules

What to do

  1. 1Block and audit for the named bait/payload packages in lockfiles and agent history
  2. 2Require human review on dependency-changing commits authored by AI agents
  3. 3Rotate SSH keys, AWS keys, .npmrc credentials, and wallet seeds for any affected dev box

References

multi-2026-04-29-promptmink-validate-sdk