PromptMink malicious npm dependency stealing secrets and crypto wallets
Malware Activity
Summary
Hide ▲
Show ▼
The PromptMink malicious npm dependency now poses an immediate theft risk because it is stealing sensitive data and exposing crypto wallets from infected environments. The package @validate-sdk/v2 was disguised as a validation tool while quietly exfiltrating secrets. It was tied to an AI-assisted code commit and first introduced in February 2026. The payload later added persistence and broader cross-platform reach, increasing the scope of compromise.
Related Happenings
Asteroiddao hit by network compromise
Incident
H score13
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Asteroiddao hit by network compromise
IncidentAbout this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Vpmdhaj npm preinstall credential-harvest campaign
Campaign
H score40
First: 29.05.2026 12:11
Last: 29.05.2026 12:11
Sources 1
About this happening:
A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
Vpmdhaj npm preinstall credential-harvest campaign
CampaignAbout this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
H score38
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
TrapDoor cross-ecosystem supply-chain campaign
CampaignAbout this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
H score13
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Inactive maintainer account 'atiertant' hit by network compromise
IncidentAbout this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Timeline
-
29.04.2026 17:00 2 articles · 2mo ago
PromptMink malicious npm dependency steals secrets and exposes crypto wallets
Initial DisclosureResearchers at ReversingLabs found the malicious npm package @validate-sdk/v2, disguised as a validation tool and added to an autonomous trading agent in February 2026, stealing sensitive data, exfiltrating secrets from infected environments, and exposing crypto wallets; attribution points to North Korean state-sponsored actor Famous Chollima (APT37 or Reaper), and the commit was reportedly co-authored by Anthropic's Claude Opus model.
Show sources
- Malicious npm Dependency Linked to AI Assisted Commit Targets Crypto Wallets — www.infosecurity-magazine.com — 29.04.2026 17:00
- Malicious npm Dependency Linked to AI Assisted Commit Targets Crypto Wallets — www.infosecurity-magazine.com — 29.04.2026 17:00