A North Korean threat group has been engineering npm packages specifically to deceive AI coding agents into pulling malicious dependencies, according to ReversingLabs research reported by Tech Times. The campaign, attributed to Famous Chollima, represents a new class of supply chain attack where the target isn’t a human developer reading documentation. It’s an LLM resolving dependencies.

How PromptMink Works

The campaign, which ReversingLabs traced back to at least September 2025, goes beyond traditional typosquatting. Famous Chollima used a technique ReversingLabs calls “LLM Optimization (LLMO) abuse and knowledge injection”: README files written to appear authoritative to a large language model, not to a human scanning a package registry.

The bait package, @solana-launchpad/sdk, carried a malicious dependency chain containing infostealers capable of credential exfiltration, SSH key deployment for persistent remote access, and data archiving for exfiltration. The attackers rotated through multiple malicious dependencies over time and expanded across npm, PyPI, and Rust, pivoting to compiled Rust payloads via NAPI-RS to reduce detection surface, according to Tech Times.

Confirmation that the campaign reached AI agents came in January 2026. Researchers found a legitimate project built for the Solana Graveyard Hackathon that included @solana-launchpad/sdk as a dependency. The repository’s commit history showed the dependency was added in a commit co-authored by Claude Opus, per ReversingLabs.

“This transforms the technique from social engineering to a combination of LLM Optimization abuse and knowledge injection,” the ReversingLabs team concluded. “The goal is to make the LLM likely to recommend using the malicious package by making the documentation as believable and as appropriate as possible.”

The Structural Gap

The attack exploits a fundamental difference between how humans and AI agents handle dependencies. A human developer might pause to check a package’s download count, verify its maintainer history, or question an unfamiliar name. An agent resolves the dependency and moves on.

Socket’s Brad Arkin described the gap in a June 23 analysis: the agent environment is “the place almost nobody has mapped, and it is growing fastest.” Organizations that believe their supply chain posture is strong because their developers follow careful review practices may be exposed through AI-assisted workflows where no scanner is watching, according to Socket.

The scale of the problem is accelerating. Phoenix Security’s 2026 supply chain report found the first half of 2026 produced more than 2.6 times the campaign volume and 4.5 times the package compromise volume of all of 2025 combined. AI coding agents function as both targets and unwitting delivery mechanisms.

Slopsquatting Compounds the Risk

Beyond deliberately crafted bait packages, a second attack class exploits AI hallucination. USENIX Security 2025 research testing 16 large language models across 576,000 samples found that roughly 19.7% of AI-generated package recommendations referenced packages that don’t exist in registries, according to Tech Times. Attackers can register those hallucinated names and wait for agents to recommend them again.

The Governance Deficit

For teams deploying AI coding agents in production, the PromptMink campaign surfaces a specific architectural gap: there is no standard approval gate between an agent resolving a dependency and that dependency executing in the environment. Developer security training, the primary behavioral defense against supply chain attacks for years, has no mechanism to intervene when the developer isn’t in the loop.

Socket, ReversingLabs, and Phoenix Security all point to the same conclusion: organizations need runtime dependency scanning that operates at agent speed, not human review speed. The alternative is accepting that every AI coding agent is also an unaudited supply chain endpoint.