Find notable cyber news and cases, enriched with sources, timelines, and signals.

PromptMink malicious npm dependency stealing secrets and crypto wallets

Malware Activity
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The PromptMink malicious npm dependency now poses an immediate theft risk because it is stealing sensitive data and exposing crypto wallets from infected environments. The package @validate-sdk/v2 was disguised as a validation tool while quietly exfiltrating secrets. It was tied to an AI-assisted code commit and first introduced in February 2026. The payload later added persistence and broader cross-platform reach, increasing the scope of compromise.

Related Happenings

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
H score40 First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
H score38 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
H score13 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Timeline

  1. 29.04.2026 17:00 2 articles · 2mo ago

    PromptMink malicious npm dependency steals secrets and exposes crypto wallets

    Initial Disclosure

    Researchers at ReversingLabs found the malicious npm package @validate-sdk/v2, disguised as a validation tool and added to an autonomous trading agent in February 2026, stealing sensitive data, exfiltrating secrets from infected environments, and exposing crypto wallets; attribution points to North Korean state-sponsored actor Famous Chollima (APT37 or Reaper), and the commit was reportedly co-authored by Anthropic's Claude Opus model.

    Show sources