New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Summary
The North Korean threat actor Famous Chollima (also known as Shifty Corsair) is executing a sophisticated, multi-stage malware campaign targeting the Web3 and open-source developer ecosystem. The attack utilizes AI-generated code, fake companies, and layered npm/PyPI dependencies to deploy Remote Access Trojans (RATs) designed to steal cryptocurrency credentials and intellectual property.
Key Points
- Employs a layered dependency strategy where initial packages (e.g., @solana-launchpad/sdk, @meme-sdk/trade) are benign but import malicious second-layer packages like @validate-sdk/v2.
- Utilizes AI-generated code, including commits co-authored by Anthropic's Claude Opus, to evade detection by automated coding assistants and human developers.
- Implements a "Matryoshka Doll" deployment chain (e.g., bjs-biginteger → bjs-lint-builder) to progressively install stealers.
- Leverages NAPI-RS to create pre-compiled Node.js add-ons in Rust, reducing payload size from previous 85MB Node.js Single Executable Applications (SEA) to more efficient, smaller binaries.
- Manipulates the resolved field in package-lock.json to instruct package managers to fetch malicious dependencies directly from GitHub release artifacts rather than the official npm registry.
- Integrates legitimate libraries such as socket.io-client for C2 communication, screenshot-desktop for screen capture, and @nut-tree-fork/nut-js for remote mouse and keyboard control.
- Uses social engineering via fake entities (e.g., Veltrix Capital, Blockmerce, Bridgers Finance) and fraudulent job interviews to distribute malicious GitHub-hosted projects.
Technical Details
The malware campaign, identified as PromptMink, has evolved from simple JavaScript-based stealers that recursively scan directories for .env and .json files to sophisticated, multi-platform harvesters targeting Windows, Linux, and macOS. Early iterations exfiltrated data to Vercel-hosted URLs, specifically ipfs-url-validator.vercel.app. To maintain stealth, the threat actors utilize typosquatting and create malicious versions of functions found in popular packages like axios and bn.js.
The attack architecture relies heavily on transitive dependencies to hide malicious logic deep within the dependency tree. In the "graphalgo" campaign, the threat actors bypass the npm registry entirely by using the resolved field in package-lock.json to point to malicious artifacts hosted on GitHub. The payload capabilities have matured into a full Remote Access Trojan (RAT) with features including browser credential theft, clipboard monitoring, keylogging, and the ability to establish persistent access via SSH backdoors. The use of NAPI-RS allows the attackers to deploy highly efficient, compiled Rust payloads that are harder to reverse-engineer than standard obfuscated JavaScript.
Impact / Why It Matters
Developers and organizations are at high risk of total project compromise and loss of digital assets through compromised transitive dependencies and social engineering. Security audits should specifically focus on inspecting package-lock.json for suspicious resolved URLs and monitoring for unauthorized outbound traffic to known malicious infrastructure.
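One way to run the package-lock.json audit recommended above, as an added example that is not part of the original report: it walks a parsed lockfile and flags every resolved value that is not an HTTPS URL on an allowed registry host. The function names, the allowlist, and the sample lockfile (package names and URLs) are assumptions constructed for illustration.

```javascript
// Added example: audit `resolved` URLs in a parsed package-lock.json object.
// ALLOWED_HOSTS is an assumption; add a private registry host if you use one.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// Returns a reason string for a suspicious `resolved` value, or null if acceptable.
function classifyResolved(resolved) {
  let url;
  try { url = new URL(resolved); } catch { return "not an absolute URL (local path or link)"; }
  if (url.protocol !== "https:") return `unexpected scheme ${url.protocol}`;
  if (!ALLOWED_HOSTS.has(url.hostname)) return `non-registry host ${url.hostname}`;
  return null;
}

// Walks lockfileVersion 2/3 (`packages` map) or version 1 (nested `dependencies`).
function findSuspiciousResolved(lock) {
  const findings = [];
  const check = (where, entry) => {
    if (typeof entry.resolved !== "string") return;
    const reason = classifyResolved(entry.resolved);
    if (reason) findings.push({ where, resolved: entry.resolved, reason });
  };
  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = prefix ? `${prefix} > ${name}` : name;
      check(where, entry);
      walkV1(entry.dependencies, where);
    }
  };
  // v2 lockfiles carry both sections, so walk `dependencies` only without `packages`.
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) check(path, entry);
  } else {
    walkV1(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile: hypothetical package names and URLs.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-ok": {
      resolved: "https://registry.npmjs.org/left-ok/-/left-ok-2.1.0.tgz" },
    "node_modules/example-lib": {
      resolved: "https://github.com/example-org/example-repo/releases/download/v1.0.0/example-lib-1.0.0.tgz" },
  },
};
for (const f of findSuspiciousResolved(sampleLock)) console.log(`${f.where}: ${f.reason}`);
```

In CI, pass the result of JSON.parse on the repository's lockfile to findSuspiciousResolved and fail the build when the returned list is non-empty; workspace links will also be reported and can be reviewed once and excluded.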