Just came across something pretty concerning that security researchers at ReversingLabs uncovered. Apparently a North Korean hacking group managed to slip malicious code into a popular crypto trading tool by disguising it in an npm package called PromptMink.
Here's how it went down: ReversingLabs discovered this backdoor was generated using Claude's AI model and planted into openpaw-graveyard, an open-source crypto project. The attackers behind this are from Famous Chollima, a state-sponsored group that's been running this operation since at least September 2025. Their approach is pretty sophisticated actually - they use a two-layer strategy where the first package looks clean but the second one carries the real payload. When devs remove the malicious version, they just push a replacement the same day.

What makes this worse is how the malware evolved. It's now compiled as a Rust payload that does some serious damage once installed. We're talking wallet credential theft, system information harvesting, source code extraction, and SSH key implantation for persistent backdoor access on both Linux and Windows machines.

ReversingLabs has been tracking this, and it's a stark reminder of how fragile the supply chain is in crypto. These attacks target the tools developers use every day, which means they can potentially compromise entire projects. The fact that they're using AI-generated code to evade detection makes it even trickier. If you're running crypto tools, especially anything pulling from npm packages, this is worth paying attention to. Make sure your dependencies are actually from trusted sources and keep your systems patched.
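One concrete way to act on that last piece of advice is to audit the lockfile rather than trusting package names. The script below is an added example written for this post; it is not code from ReversingLabs, from the project mentioned above, or from npm itself. It walks a package-lock.json (lockfileVersion 3 layout, which records a `resolved` URL, an `integrity` hash and a `hasInstallScript` flag per package) and flags three things a reviewer would want to see: packages fetched from somewhere other than the expected registry, packages that declare lifecycle install scripts (the hook that lets a dependency run code at install time), and packages with no integrity hash. It then maps each flagged package back to the direct dependency that pulled it in, which is exactly the "clean first layer, payload in the second" shape described above. The lockfile embedded here is constructed, and every package name in it is hypothetical.

```javascript
// Added example (not from the original post). Audits a package-lock.json
// object for supply-chain red flags and traces flagged packages back to
// the direct dependency that introduced them.
//
// To run on a real project, replace `sampleLock` with:
//   JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))

const ALLOWED_REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lockfile (lockfileVersion 3 layout). All package names
// here are hypothetical; `example-wrapper` plays the clean first layer and
// `example-payload` the second layer it silently depends on.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { 'left-pad-ish': '^1.0.0', 'example-wrapper': '^2.1.0' },
    },
    'node_modules/left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-constructedHashA',
    },
    'node_modules/example-wrapper': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/example-wrapper/-/example-wrapper-2.1.0.tgz',
      integrity: 'sha512-constructedHashB',
      dependencies: { 'example-payload': '0.0.3' },
    },
    'node_modules/example-payload': {
      version: '0.0.3',
      // Resolved from a host that is not the expected registry.
      resolved: 'https://mirror.example.invalid/example-payload-0.0.3.tgz',
      integrity: 'sha512-constructedHashC',
      // npm sets this when the package declares preinstall/install/postinstall.
      hasInstallScript: true,
    },
  },
};

// Strip the "node_modules/..." prefix (and any nested prefixes) to get the
// bare package name for a lockfile entry path.
function packageName(path) {
  return path.replace(/^.*node_modules\//, '');
}

// Return a list of findings; each finding names the package, its version,
// a short reason code and a detail string for the reviewer.
function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = packageName(path);
    if (meta.resolved && !meta.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, version: meta.version, reason: 'resolved-outside-registry', detail: meta.resolved });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: 'install-script', detail: 'declares a lifecycle install script' });
    }
    if (!meta.integrity) {
      findings.push({ name, version: meta.version, reason: 'missing-integrity', detail: 'no integrity hash pinned' });
    }
  }
  return findings;
}

// Build a reverse dependency map and walk from `target` up to the root, so a
// flagged transitive package is shown next to the direct dependency that
// pulled it in. Returns e.g. ['example-payload', 'example-wrapper', '<root>'].
function whoPullsIn(lock, target) {
  const parents = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parent = path === '' ? '<root>' : packageName(path);
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (!parents[dep]) parents[dep] = [];
      parents[dep].push(parent);
    }
  }
  const chain = [target];
  const seen = new Set([target]);
  let current = target;
  while (parents[current] && parents[current].length && !seen.has(parents[current][0])) {
    current = parents[current][0];
    seen.add(current);
    chain.push(current);
  }
  return chain;
}

// Render findings as one line each, with the dependency chain appended.
function formatReport(lock, findings) {
  return findings
    .map(f => `[${f.reason}] ${f.name}@${f.version}: ${f.detail} (via ${whoPullsIn(lock, f.name).join(' <- ')})`)
    .join('\n');
}

console.log(formatReport(sampleLock, auditLockfile(sampleLock)));
```

On the constructed lockfile this reports two findings, both on `example-payload`, each traced back through `example-wrapper` to the root project. A clean-looking direct dependency that drags in an off-registry package with an install script is the pattern worth a manual look before the next `npm install`; running this in CI against the committed lockfile turns that look into a routine check rather than a post-incident one.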