Skip to content

AI coding tools open new door for crypto malware, researchers warn

AI coding tools open new door for crypto malware, researchers warn
Share this article

Researchers warned that crypto developers are being targeted by malicious software packages that can slip into projects through AI coding tools and steal wallet credentials, passwords and funds.

ReversingLabs said its researchers found that a package called @validate-sdk/v2, which appeared to be a normal data-validation tool, was actually designed to steal sensitive information from the systems where it was installed.

ReversingLabs said the malicious package reached the crypto trading agent through another crypto-related package that had been added with help from Anthropic’s Claude Opus.

Crypto wallets were the main target

The campaign, which ReversingLabs named PromptMink, was aimed at crypto and Web3 developers, using packages that looked useful for Solana, Ethereum and trading-related projects.

malware
Files with crypto-related names are targeted

The real danger lies in how ordinary the package looked, appearing to be a useful crypto tool while quietly searching for wallet keys, passwords, API tokens and other secrets once installed.

For crypto users and developers, that kind of theft can be especially damaging because leaked keys or credentials may allow attackers to not only drain wallets, but also access trading accounts, steal project data and take over parts of a project’s infrastructure.

AI coding tools were tricked

ReversingLabs said the campaign shows attackers are no longer trying only to fool human developers, but are also shaping malicious packages to appeal to AI coding agents that recommend or add software tools during development.

malware
Initial attempt at detection evasion by using base64 encoded URL

In this case, the malicious package was not added directly. A first package appeared harmless and crypto-focused, while a second package carried the stealing function. That two-step approach made the attack harder to spot and allowed attackers to replace the malicious layer when one package was detected or removed.

Researchers said the campaign showed signs of AI-assisted malware development, including comments and code patterns that appeared to come from large language models.

North Korea-linked group blamed

ReversingLabs attributed the campaign to Famous Chollima, a North Korea-linked threat group previously tied to attacks on crypto developers. The firm said it found more than 60 packages and hundreds of published versions connected to the wider campaign over several months.

The operation evolved over time, moving from basic information theft to more aggressive techniques, including attempts to add remote access keys and steal entire project folders. That means the risk was not limited to crypto funds, but also included source code and intellectual property.

What developers can do now

The main lesson is simple: crypto teams cannot rely on package names, polished documentation or AI recommendations alone.

Developers should review new dependencies before adding them, scan open-source packages for malware, avoid installing unknown crypto libraries without checks, and treat AI-generated code changes as suggestions that still need human review. Teams should also protect wallet keys and API tokens, avoid storing secrets in exposed project files, and monitor builds for unexpected package changes.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.