CYBERSECURITY researchers have uncovered a supply-chain-style campaign linked to North Korean actors, with the npm package activity codenamed PromptMink and a broader operation attributed to Famous Chollima (aka Shifty Corsair). The tainted package, named @validate-sdk/v2 and advertised as an SDK for hashing and validation, was first uploaded in October 2025 and is used to exfiltrate secrets from compromised environments, with the malware embedded in a February 2026 commit that involved Anthropic's Claude Opus LLM.
The attack chain relies on a two-layer package strategy: the first-layer packages that a developer installs do little themselves but import second-layer packages that perform the malicious actions, and the attackers rapidly replace second-layer clusters whenever they are detected. The campaign is linked to other DPRK-led operations such as Contagious Interview and Contagious Trader, and researchers note the actor's use of AI-generated code and the layered package approach as means of evading detection.
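The layering described above matters to defenders because the package a developer actually adds to package.json can look harmless while a transitive dependency carries the install-time code. The following script is an added illustration, not code from the ReversingLabs report or from the packages it describes: it walks a dependency graph breadth-first and flags every transitive ("second-layer") package that declares an npm install lifecycle hook, reporting the chain that pulled it in. The manifests are constructed samples; apart from @validate-sdk/v2, which the report names, every package name, version and script below is hypothetical.

```javascript
// Added example (not from the report): flag transitive npm dependencies that
// declare install-time lifecycle scripts, the place where a layered package
// chain typically hides the code that actually runs on the developer's machine.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed manifests keyed by package name. In practice these would be read
// from node_modules/<name>/package.json; all entries here are sample data and
// every name except @validate-sdk/v2 is hypothetical.
const MANIFESTS = {
  "my-app": {
    name: "my-app",
    dependencies: { "@validate-sdk/v2": "^1.0.0", "tiny-util": "^2.0.0" },
  },
  "@validate-sdk/v2": {
    name: "@validate-sdk/v2",
    // First layer: no scripts of its own, just pulls in a second-layer package.
    dependencies: { "hash-core-helper": "^0.3.1" },
  },
  "hash-core-helper": {
    name: "hash-core-helper",
    // Second layer (hypothetical): a lifecycle hook that runs during `npm install`.
    scripts: { postinstall: "node ./setup.js" },
  },
  "tiny-util": {
    name: "tiny-util",
    // A `test` script is not an install hook and is not flagged.
    scripts: { test: "node test.js" },
  },
};

// Breadth-first walk from the root package. Returns one record per dependency
// that declares an install hook: its name, depth in the tree, the chain of
// packages that introduced it, and which hooks it declares.
function findInstallHookPackages(rootName, manifests = MANIFESTS) {
  const flagged = [];
  const seen = new Set([rootName]);
  const queue = [{ name: rootName, depth: 0, chain: [rootName] }];

  while (queue.length > 0) {
    const { name, depth, chain } = queue.shift();
    const manifest = manifests[name];
    if (!manifest) continue; // unresolved package: nothing to inspect offline

    const scripts = manifest.scripts || {};
    const hooks = INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
    // Depth 0 is the project itself; only dependencies are of interest here.
    if (depth > 0 && hooks.length > 0) {
      flagged.push({ name, depth, chain: chain.join(" -> "), hooks });
    }

    for (const dep of Object.keys(manifest.dependencies || {})) {
      if (!seen.has(dep)) {
        seen.add(dep);
        queue.push({ name: dep, depth: depth + 1, chain: [...chain, dep] });
      }
    }
  }
  return flagged;
}

// Usage: prints the flagged second-layer package and the chain that pulled it in.
console.log(findInstallHookPackages("my-app"));
```

The output names the package two hops below the project rather than the SDK the developer installed, which is the point: reviewing only direct dependencies misses the layer that carries the hook. Pairing a check like this with `npm install --ignore-scripts` in CI keeps lifecycle scripts from running until a flagged package has been looked at.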
Graphalgo, a separate line of attack, uses fake companies and fake job interviews to drop malicious npm packages and deploy a RAT on victims’ systems, including capabilities to gather system information and exfiltrate credentials, with links to a Lazarus sub-cluster including BlueNoroff. According to ReversingLabs, these developments illustrate a growing sophistication in DPRK threat activities targeting developers in the open-source and Web3 spaces.