North Korea Uses AI to Plant npm Malware via Fake U.S. Companies in Escalating Developer Campaign


North Korean threat actors have escalated their developer-targeting campaign by using an AI large language model to insert malicious npm dependencies into legitimate projects — operating through fake U.S.-registered companies and deploying full-featured remote access trojans targeting cryptocurrency wallets and developer infrastructure.

GLOBAL — Cybersecurity researchers at ReversingLabs have documented a significant evolution in North Korea's ongoing software supply chain attack operations. In findings published April 29, 2026, the firm describes how threat actors assessed to overlap with the Famous Chollima cluster used Anthropic's Claude Opus large language model to insert a malicious npm package as a dependency into a legitimate developer project in February 2026. The campaign layers AI-assisted malware insertion, multi-stage obfuscated packages, fake U.S.-registered business entities, and remote access trojans capable of comprehensive post-compromise control — with confirmed cryptocurrency theft exceeding $12 million in the first three months of 2026 alone.

Campaign Overview: DPRK npm Supply Chain Operation

Threat Actor: Famous Chollima / UNC1069 — overlaps with BlueNoroff, Sapphire Sleet, Stardust Chollima
Campaign Active: At least February 2026 — ongoing as of publication
AI Tool Abused: Claude Opus (Anthropic) — used by AI agent to insert malicious package as legitimate code dependency
Attack Vector: Malicious npm packages inserted as dependencies; also PyPI (package: scraper-npm)
Cover Infrastructure: Fake Florida LLC registered to establish publisher credibility; C2 hosted on Vercel
Primary Targets: Developers, cryptocurrency platforms, Web3 organizations
Confirmed Crypto Stolen: Up to $12M in Q1 2026 (Expel research)
Domains Blocked: 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom blocked by SEAL (Feb 6 – Apr 7, 2026)

What Happened

The attack uses a layered architecture specifically designed to survive detection and removal. First-layer npm packages contain no malicious code but import second-layer packages that carry the actual payloads. If second-layer packages are detected and removed from npm, they are rapidly replaced with new variants. This refresh cycle has allowed the campaign to remain operational across multiple detection rounds since February 2026.

The package identified as the AI-inserted entry point — @validate-sdk/v2 — was presented as a legitimate utility SDK for hashing, validation, encoding, and secure random generation. An AI agent running Claude Opus added it as a dependency to a developer project, making the insertion look like a routine development decision rather than a manual injection. The technique offloads the social engineering step to an automated agent, removing a significant human bottleneck from the attack chain.
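Because the first-layer package can look clean, a lockfile audit has to check every resolved package and trace which parent pulled it in. The following is an added example, not code from the article or the researchers it cites; it flags the two npm package names given in this article, and the wrapper package name, versions and dependency edge in the sample lockfile are constructed for illustration.

```javascript
// Added example: find flagged packages at any depth of a package-lock.json
// (lockfileVersion 2 or 3) and report which installed packages pull them in.
const FLAGGED = new Set(['@validate-sdk/v2', 'license-utils-kit']); // named in this article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [path, meta] of entries) {
    if (path === '') continue; // '' is the root project itself
    const name = nameFromPath(path);
    if (!FLAGGED.has(name)) continue;
    // Every entry (root included) that declares the flagged name as a dependency.
    const requiredBy = entries
      .filter(([, m]) => name in { ...m.dependencies, ...m.devDependencies, ...m.optionalDependencies })
      .map(([p]) => (p === '' ? '<root project>' : nameFromPath(p)));
    findings.push({
      name,
      version: meta.version,
      direct: requiredBy.includes('<root project>'),
      requiredBy,
    });
  }
  return findings;
}

// Constructed sample: wrapper name, versions and dependency edge are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'hypothetical-wrapper': '^1.0.0' } },
    'node_modules/hypothetical-wrapper': {
      version: '1.0.2',
      dependencies: { 'license-utils-kit': '^2.0.0' },
    },
    'node_modules/license-utils-kit': { version: '2.0.1' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A finding with `direct: false` means the package that needs review is the one listed in `requiredBy`, not only the flagged name. Since removed packages are replaced under new names, the flagged set has to be refreshed from current research.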

Payload Capabilities

The Windows variant delivered via the license-utils-kit package functions as a complete post-compromise implant. According to Socket researchers, it is capable of the following:

RAT Capabilities — Windows Implant (license-utils-kit)

Remote Access: Deploys AnyDesk for persistent, hidden remote desktop access
Credential Theft: Harvests browser credentials, password manager data, and SSH keys
Crypto Targeting: Detects MetaMask extension; targets wallet credentials and signing keys
Keylogging: Full keystroke logging and clipboard theft
File Operations: Upload/download files; create encrypted archives; exfiltrate entire project directories
Secret Scanning: Runs TruffleHog to scan Git repositories for exposed secrets and API keys
Persistence: VS Code tasks.json abuse — executes on every project folder open via runOn: folderOpen trigger
Shell Execution: Arbitrary shell command execution; terminate browser processes; download additional modules
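The tasks.json persistence listed above can be checked for by reviewing every task that is set to run on folder open. The following is an added example, not code from the article or from Socket; it takes the contents of a `.vscode/tasks.json` file as text, and the sample file, task labels and script path are constructed.

```javascript
// Added example: list VS Code tasks that run automatically when a folder opens.
function stripJsonc(text) { // tasks.json is JSONC: drop comments and trailing commas
  let out = '', inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      out += c;
      if (c === '\\' && i + 1 < text.length) out += text[++i]; // keep escaped char
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
      out += c;
    } else if (c === '/' && next === '/') {
      while (i < text.length && text[i] !== '\n') i++; // skip line comment
      out += '\n';
    } else if (c === '/' && next === '*') {
      i = text.indexOf('*/', i + 2); // skip block comment
      if (i < 0) break;
      i++;
    } else {
      if (c === '}' || c === ']') out = out.replace(/,\s*$/, ''); // trailing comma
      out += c;
    }
  }
  return out;
}

function findAutoRunTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonc(tasksJsonText));
  return (doc.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map((t) => ({
      label: t.label || '(unlabelled)',
      command: [t.command, ...(t.args || [])].filter(Boolean).join(' '),
      hidden: Boolean(t.presentation && t.presentation.reveal === 'never'),
    }));
}

// Constructed sample, not taken from the campaign.
const SAMPLE_TASKS = `{
  "version": "2.0.0", // constructed file
  "tasks": [
    { "label": "build", "command": "npm", "args": ["run", "build"] },
    { "label": "env-check", "command": "node", "args": ["./placeholder.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }, /* note trailing commas */ },
  ]
}`;
console.log(findAutoRunTasks(SAMPLE_TASKS));
```

Any task returned here deserves a manual look at its command before the folder is opened in a trusted workspace; `hidden: true` marks tasks configured not to reveal a terminal panel.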

Scope and Impact

Expel's independent research identified that wallets holding up to $12 million in cryptocurrency assets were exfiltrated from victims in the first three months of 2026. Security Alliance (SEAL) blocked 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom between February 6 and April 7, 2026. The multi-track nature of the campaign — npm packages, PyPI packages, and fake meeting links simultaneously — reflects a well-resourced, high-tempo operation.

The campaign has also extended to PyPI with a package named scraper-npm carrying equivalent functionality. More recent iterations use Rust-compiled payloads to exfiltrate entire project source trees via SSH. Earlier versions used JavaScript-based stealers targeting .env and .json files, staging data for exfiltration to a Vercel URL previously associated with Famous Chollima infrastructure.

Response and Attribution

Attribution to Famous Chollima is high-confidence based on infrastructure overlaps, C2 patterns, and behavioral consistency documented across multiple independent research teams. Anthropic confirmed awareness of the Claude Opus abuse. Cursor blocked the associated accounts and IP addresses within one business day of notification. OpenAI confirmed a small number of associated accounts sought ChatGPT assistance. npm continues to remove identified packages, though rapid replacement means new packages continue to appear. Developers should not assume npm removal equates to campaign termination.


The CyberSignal Analysis

Signal 01 — AI Is Now an Active Participant in the Attack Chain

This is the first well-documented case of an AI LLM being used not to write malware, but as an active agent making insertion decisions that mimic legitimate developer behavior. The significance is not just technical — it is operational. When the insertion step is automated and indistinguishable from normal development activity, traditional code review triggers become less reliable. Security teams need to start treating AI-assisted commits and dependency additions as a category requiring additional scrutiny, particularly in projects touching financial infrastructure.

Signal 02 — A $125 Florida LLC Is Now a Trust Signal

Registering a Florida LLC costs roughly $125 and requires no meaningful identity verification. North Korea used this to make a malicious package publisher appear to be a legitimate U.S. business entity. Platform security teams and developers who rely on business registration as a credibility indicator need to recalibrate. The only meaningful trust signals for npm packages are publication history, download volume over time, community engagement, and code review — not business registration status.

Signal 03 — Web3 Developers Must Treat Their Workstations as Financial Infrastructure

The consistent targeting of .env files, MetaMask extensions, hardware wallet detection routines, and crypto signing keys across every iteration of this campaign tells a clear story: North Korea views developer workstations in Web3 organizations as direct access points to liquid assets. Dependency auditing, lockfiles, isolated build environments, and hardware key management are no longer optional hygiene — they are financial security controls. See also: our full explainer on supply chain cyberattacks.


Sources

Primary Research: The Hacker News — New Wave of DPRK Attacks (ReversingLabs)
Campaign Intel: Expel — Inside Lazarus: How North Korea Uses AI
Reporting: The Hacker News — N. Korean Hackers Spread 1,700 Malicious Packages
Social Eng. Track: Dark Reading — DPRK Fake Job Scams Self-Propagate
Background: The CyberSignal — Supply Chain Cyberattacks Explained
