North Korean Hackers Used Claude AI to Insert PromptMink Malware Into Open-Source Crypto Project
Tags Security · AI · Open source
ReversingLabs · The Hacker News

ReversingLabs discovered that North Korean threat group Famous Chollima used Anthropic's Claude Opus to co-author a February 28, 2026 commit to the openpaw-graveyard crypto trading agent that added the malicious npm package @validate-sdk/v2. The package siphoned credentials, planted persistent SSH access, and stole source code enabling wallet takeover. The campaign uses 'LLM Optimization abuse' — attackers write highly detailed documentation to trick AI coding agents into recommending malicious packages. The malware evolved from a 5.1KB JavaScript infostealer to compiled Rust payloads. This represents a new class of AI-enabled supply chain attack targeting AI-assisted development workflows.
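A defender's check for the dependency described above, as an added example that is not code from ReversingLabs or from the affected project: it scans a parsed `package.json` and `package-lock.json` for `@validate-sdk/v2`, including transitive and aliased installs. The function names, sample manifest, sample lockfile and versions are constructed for illustration.

```javascript
// Added example. "@validate-sdk/v2" is the package named above; every other
// name and version below is constructed sample data.
const FLAGGED = new Set(["@validate-sdk/v2"]);
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Lockfile v2/v3 keys are install paths: take the part after the last node_modules/.
function nameFromLockKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Return every place a flagged package is declared, required, or installed.
function findFlagged(manifest, lock) {
  const hits = [];
  for (const s of SECTIONS)
    for (const name of Object.keys((manifest && manifest[s]) || {}))
      if (FLAGGED.has(name)) hits.push({ where: "package.json " + s, name });
  const packages = (lock && lock.packages) || null;
  if (packages) {
    for (const [key, entry] of Object.entries(packages)) {
      // entry.name is set when the folder name differs (npm alias), so prefer it.
      const name = entry.name || nameFromLockKey(key);
      if (name && FLAGGED.has(name)) hits.push({ where: "installed at " + key, name });
      for (const dep of Object.keys(entry.dependencies || {}))
        if (FLAGGED.has(dep)) hits.push({ where: "required by " + (key || "(root)"), name: dep });
    }
  } else {
    // Lockfile v1: nested dependency tree with "requires" edges.
    const walk = (deps, path) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const here = path.concat(name).join(" > ");
        if (FLAGGED.has(name)) hits.push({ where: "installed at " + here, name });
        for (const dep of Object.keys(entry.requires || {}))
          if (FLAGGED.has(dep)) hits.push({ where: "required by " + here, name: dep });
        walk(entry.dependencies, path.concat(name));
      }
    };
    walk(lock && lock.dependencies, []);
  }
  return hits;
}

const SAMPLE_MANIFEST = { dependencies: { "helper-lib": "^1.0.0" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-agent", dependencies: { "helper-lib": "^1.0.0" } },
  "node_modules/helper-lib": { version: "1.0.0", dependencies: { "@validate-sdk/v2": "*" } },
  "node_modules/helper-lib/node_modules/@validate-sdk/v2": { version: "0.0.0" },
} };
console.log(findFlagged(SAMPLE_MANIFEST, SAMPLE_LOCK));
```

To run it against a real repository, pass the results of `JSON.parse` on that repository's `package.json` and `package-lock.json` in place of the sample objects.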