# Famous Chollima Got Claude to Co-Author Their Crypto Stealer
- Patrick Duggan
ReversingLabs disclosed today that the North Korean threat actor Famous Chollima — also tracked as Shifty Corsair, the same group behind the Contagious Interview and IT Worker scam campaigns — has been running a multi-month npm supply chain attack against the Solana cryptocurrency ecosystem. The campaign has been codenamed PromptMink. The most striking detail is not the package compromise itself, which is straightforward typosquat-and-hijack work. It is the commit history.
The malicious dependency was added to an autonomous trading agent in a commit dated February 28, 2026. The commit was co-authored by Anthropic's Claude Opus large language model. A North Korean intelligence apparatus used Claude — through a developer who was either a Famous Chollima asset or an unwitting victim of social engineering — to write a commit that introduced a credential stealer into a Solana trading bot.
This is the sentence the entire defensive industry has been trying to draft a response to since the day GPT-4 shipped. ReversingLabs just provided the reference incident.
## The Two-Layer Architecture
PromptMink uses a deliberate two-layer package design that helps the campaign evade automated package scanners and survive takedowns.
The first layer is benign-looking utility wrappers around legitimate Solana ecosystem APIs. Six packages so far: @solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk, and @solana-ipfs/sdk. Each one ships real Solana functionality. Each one also lists a long dependency tree that mixes popular legitimate packages — axios, bn.js, bs58 — with one or two malicious packages from the second layer hidden among them. Automated package scanners flag the second-layer malicious packages quickly. The first-layer wrappers, which contain no malicious code in their own source, look clean.
The second layer is where the actual credential stealer lives. Two packages identified so far: @validate-sdk/v2, the current active stealer, and @hash-validator/v2, the original (uploaded September 2025). When the second-layer package is detected and removed from npm, the operators replace it with a renamed twin within hours. The first-layer wrappers do not change; they just point at the new dependency name. Resilience by design.
The result is a supply chain attack that survives takedown cycles. Every time a defender successfully removes the malicious dependency, the attackers ship a new one and update the wrapper. The downstream victim — the developer of openpaw-graveyard, the autonomous Solana agent that pulled in this dependency tree — keeps installing the chain through their build, and keeps surrendering wallet credentials to whoever is operating the second-layer package this week.
## The Claude Co-Author Detail
The commit was made by a developer working on openpaw-graveyard, an autonomous AI agent that creates social on-chain identities on Solana, trades cryptocurrency through Bankr, and interacts with other agents on the Tapestry Protocol and Moltbook. That commit was co-authored — visible in the git trailer — by Anthropic's Claude Opus model. ReversingLabs documented this directly.
We do not yet know whether the human collaborator was a Famous Chollima operator using Claude as their coding assistant, an honest developer whose Claude session was prompt-injected, or a fake-IT-worker hire (the Famous Chollima signature pattern) using Claude to write code for which the actual North Korean operator had pre-positioned the malicious dependency. All three scenarios are possible. The campaign's documented connection to the IT Worker scam — where DPRK operatives place themselves at Western tech companies under false identities and run remote-developer roles — makes the third scenario the most plausible. A DPRK asset, hired into a Solana shop under a fake résumé, asks Claude to "add a hashing utility for wallet validation," and Claude returns a package.json change that pulls @validate-sdk/v2. The commit gets co-authored. The malicious dependency is now in main.
This is the IT Worker scam reaching its logical extreme. Hire DPRK developers, give them access to your codebase, let them collaborate with state-of-the-art AI to draft the commits that backdoor your product. The AI is not the attacker. The AI is the productivity tool that makes the attacker indistinguishable from a competent collaborator.
We have written about the AI-as-productivity-tool-for-attackers pattern before. This is the first incident I am aware of where the git trailer carries the receipt.
## The Targets
PromptMink targets Solana crypto wallets and funds. The downstream consumer of the malicious dependency tree is openpaw-graveyard, an autonomous AI agent that holds operating wallet keys to execute trades. When the malicious dependency runs at install time on a developer machine, it harvests wallet credentials and funds. When it runs in CI or in production, it harvests the agent's own operating wallet.
Solana ecosystem packages are the obvious target because they sit at the intersection of three properties Famous Chollima loves. First, the developers are typically running long-lived hot wallets for testing, with non-trivial balances. Second, the build pipelines are aggressive about pulling fresh dependencies because the ecosystem moves fast. Third, the financial motive aligns with the broader DPRK strategy of crypto theft as state revenue — the regime has stolen more than three billion dollars in cryptocurrency since 2022 to fund weapons programs.
PyPI variants exist as well, per JFrog's earlier coverage. The campaign is not npm-exclusive. Wherever AI coding agents touch crypto code, Famous Chollima is staging dependencies.
## Why This One Lands Differently
We have indexed dozens of npm supply chain attacks. Lazarus and adjacent DPRK clusters have been running variants of this since at least 2023. What makes PromptMink different is the documentation of an LLM as a co-author of the malicious commit. That is a documented incident — not speculation, not a hypothetical, not a fear-mongering threat-report headline. It is in the git history.
The defensive implications are not subtle. Code review processes that assume "the AI helped write it, so the diff is small and safe" are wrong. The size of the diff is unrelated to its risk. A one-line package.json change that adds a new dependency name is an arbitrary code execution capability for whoever owns that dependency name. AI-assisted coding accelerates the rate at which dependencies enter codebases. Famous Chollima built a campaign that exploits the velocity rather than the technology. The technology — Claude, npm, Solana — is doing exactly what it is supposed to do. The trust model is the bug.
## What We Indexed
Our IOC index now carries the eight known PromptMink npm packages, six first-layer wrappers and two second-layer stealers. Famous Chollima / Shifty Corsair gets a refreshed threat-actor entry consolidating the Contagious Interview, IT Worker scam, and PromptMink campaigns under the same operator. The behavioral indicator — git commits co-authored by Claude or any LLM where the diff includes a new package.json dependency — is logged as a hunt rule, not because LLM co-authorship is itself malicious but because every commit of that shape needs the dependency vetted.
The package list as of today: first-layer (@solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk, @solana-ipfs/sdk), second-layer (@validate-sdk/v2, @hash-validator/v2). The downstream impacted package is openpaw-graveyard, with cascading impact to anything that imports openpaw-graveyard either directly or transitively.
## What to Do Tonight
For Solana developers: audit your lockfile for any of the eight named packages. If they are present, treat your wallet as compromised. Rotate keys, move funds, regenerate signing material. Audit the git history of any agent project for commits with Claude or other LLM co-authorship trailers, and check those commits for new dependency additions specifically.
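One way to run the lockfile audit described above, as an added example (not code from this post or from ReversingLabs). It assumes an npm `package-lock.json` passed in as text; `auditLockfile`, `nameFromPath` and the sample lockfile are names and data constructed for illustration.

```javascript
// Package names exactly as listed in this article.
const FIRST_LAYER = ["@solana-launchpad/sdk", "@meme-sdk/trade",
  "@validate-ethereum-address/core", "@solmasterv3/solana-metadata-sdk",
  "@pumpfun-ipfs/sdk", "@solana-ipfs/sdk"];
const SECOND_LAYER = ["@validate-sdk/v2", "@hash-validator/v2"];
const LAYER = new Map([
  ...FIRST_LAYER.map(n => [n, "first-layer wrapper"]),
  ...SECOND_LAYER.map(n => [n, "second-layer stealer"])]);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (lockfileVersion 2 and 3 keys).
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns [{ name, layer, version, via }] for each listed package in the lock.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const record = (name, version, via) => {
    if (LAYER.has(name)) hits.push({ name, layer: LAYER.get(name), version, via });
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      // An aliased install keeps the real package name in meta.name.
      if (path !== "") record(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    // v1: nested "dependencies" tree, walked with the chain that pulled it in.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (v3 layout); project name and versions are made up.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "example-agent" },
  "node_modules/axios": { version: "1.6.0" },
  "node_modules/@solana-ipfs/sdk": { version: "1.0.0" },
  "node_modules/@solana-ipfs/sdk/node_modules/@validate-sdk/v2": { version: "2.0.1" },
  "node_modules/hashutil": { name: "@hash-validator/v2", version: "2.0.0" } } });
console.log(auditLockfile(SAMPLE_LOCK));
```

The `via` field shows where each hit sits in the tree, which separates a direct install from one pulled in transitively through a wrapper.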
For organizations using AI coding assistants in production codebases: you need a code review policy specifically for AI-co-authored commits where dependencies change. The diff being small does not make it safe. The dependency name is the executable artifact, not the diff. Pin to known dependencies, audit additions, treat AI-suggested package additions with the same suspicion you would treat a freshly-registered domain in a phishing email.
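The hunt rule from "What We Indexed" and the git-history audit above (an LLM co-author trailer plus a new package.json dependency) can be sketched as follows. This is an added example, not the index's actual rule or code from the original post; `LLM_PATTERN`, the function names and the sample commits are assumptions constructed for illustration.

```javascript
// Assumed markers for LLM co-author trailers; extend for the tools you use.
const LLM_PATTERN = /claude|anthropic|copilot|openai|gemini/i;
const DEP_FIELDS = ["dependencies", "devDependencies",
  "optionalDependencies", "peerDependencies"];
// Extract "Co-authored-by: Name <email>" trailers (key is case-insensitive).
function coAuthors(message) {
  const re = /^co-authored-by:[ \t]*(.*?)[ \t]*<([^>]*)>[ \t]*$/gim;
  return [...message.matchAll(re)].map(m => ({ name: m[1], email: m[2] }));
}

// Map each declared dependency to the package it really installs.
// "alias": "npm:@scope/real@^1" installs @scope/real under the name "alias".
function declared(pkgText) {
  const pkg = pkgText ? JSON.parse(pkgText) : {};
  const out = new Map();
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const alias = /^npm:(@?[^@]+)/.exec(spec);
      out.set(alias ? alias[1] : name, { field, spec });
    }
  }
  return out;
}

// Null unless an LLM-co-authored commit added a dependency that needs vetting.
function huntCommit({ sha, message, before, after }) {
  const llm = coAuthors(message).filter(a => LLM_PATTERN.test(a.name + " " + a.email));
  if (llm.length === 0) return null;
  const old = declared(before);
  const added = [...declared(after).keys()].filter(n => !old.has(n));
  return added.length ? { sha, coAuthor: llm[0].name, added } : null;
}
const huntAll = commits => commits.map(huntCommit).filter(Boolean);

// Constructed sample commits: hashes, messages and manifests are made up.
const pj = deps => JSON.stringify({ dependencies: deps });
const TRAILER = "\n\nCo-Authored-By: Claude <noreply@anthropic.com>";
const SAMPLE_COMMITS = [
  { sha: "c0ffee1", message: "Add wallet hash utility" + TRAILER,
    before: pj({ axios: "^1.6.0" }),
    after: pj({ axios: "^1.6.0", "@validate-sdk/v2": "^2.0.0" }) },
  { sha: "c0ffee2", message: "Refactor trade loop" + TRAILER,
    before: pj({ axios: "^1.6.0" }), after: pj({ axios: "^1.7.0" }) },
  { sha: "c0ffee3", message: "Add bs58", before: pj({}),
    after: pj({ bs58: "^5.0.0" }) },
  { sha: "c0ffee4", message: "Add helper" + TRAILER, before: null,
    after: pj({ hashutil: "npm:@hash-validator/v2@^2.0.0" }) },
];
console.log(huntAll(SAMPLE_COMMITS));
```

On a real repository the message comes from `git log` and the two manifests from `git show <sha>^:package.json` and `git show <sha>:package.json`. A hit is a queue entry for dependency vetting, not a verdict on the commit.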
For organizations operating IT-worker-scam-target hiring pipelines (most Western tech companies fit this category whether they realize it or not): the FBI, CISA, NSA, and Treasury have published joint advisories on the Famous Chollima IT Worker scam pattern. Re-read them. The signals are video calls where the candidate cannot turn the camera on, addresses that resolve to mail-forwarding services, references that do not pass back-channel verification, and laptop shipment requests to addresses different from the listed home address. Famous Chollima is not just a malware operator. They are an HR threat.
## The Pattern Once More
A nation-state actor used a state-of-the-art AI coding assistant to commit malicious code into an autonomous trading agent. The AI did exactly what it was asked to do. The human asking was working for a hostile intelligence service. The defensive system that exists today does not distinguish between the legitimate developer and the hostile contractor when both are running the same coding agent on the same codebase under the same git account.
That is the structural problem. The AI is a force multiplier in both directions. Famous Chollima just published the receipt that proves it.
We will keep watching the package registry. The IOCs are indexed.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
