Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
Summary
Hide ▲
Show ▼
The PromptMink campaign is widening Famous Chollima's supply-chain intrusion playbook by pushing tainted npm packages into developer environments and stealing secrets. The operation targets Web3 developers and can expose crypto wallets, funds, source code, and other intellectual property. Its layered dependency chain and AI-generated code make the malicious packages harder to detect and easier to swap when removed. The same activity has also spread into related PyPI and GitHub-hosted delivery paths.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware ActivityAbout this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor trap-core.js credential-stealing package malware
Malware ActivityAbout this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
TrapDoor cross-ecosystem supply-chain campaign
CampaignAbout this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Packagist package.json hook supply chain attack campaign
Campaign
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Packagist package.json hook supply chain attack campaign
CampaignAbout this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Timeline
-
29.04.2026 17:43 2 articles · 28d ago
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Initial DisclosureThe earliest PromptMink layer surfaced as a benign-looking **npm** SDK uploaded in **October 2025** that concealed secret-stealing behavior behind a dependency chain. That initial phase focused on compromising developer systems and harvesting credentials before later variants added broader exfiltration and backdoor capability.
Show sources
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — thehackernews.com — 29.04.2026 17:43
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — thehackernews.com — 29.04.2026 17:43