Supply-Chain Attacks Take Aim at Your AI Coding Agents

InfoWorld, May 5, 2026

Why It Matters

These attacks bypass traditional developer‑focused defenses, allowing malware to infiltrate codebases without human review, and they highlight a new attack surface as enterprises adopt AI‑driven development pipelines.

Key Takeaways

  • PromptMink uses bait packages and malicious dependencies to target AI agents
  • North Korean APT group Famous Chollima linked to crypto‑focused supply‑chain attacks
  • Attackers exploit LLM hallucinations, a tactic dubbed ‘slopsquatting’, to spread malicious packages
  • US agencies advise allow‑listing registries and human approval for AI‑driven installs
  • SBOM practices help track transitive dependencies introduced by autonomous coding tools

Pulse Analysis

The rapid adoption of AI‑powered coding assistants has introduced a hidden supply‑chain risk that mirrors classic software supply‑chain attacks but operates at machine speed. Unlike human developers, autonomous agents crawl npm, PyPI, and other registries without skepticism, selecting packages based on keyword relevance and documentation quality. This creates fertile ground for threat actors to embed malicious code in seemingly legitimate libraries, turning the agents themselves into unwitting delivery vectors for malware and data exfiltration.

The PromptMink campaign, first observed in September 2025, showcases the sophistication of this new threat class. North Korean APT group Famous Chollima released paired packages—an attractive SDK for Solana developers and a hidden JavaScript infostealer as a transitive dependency. Over time the group refined its tactics, swapping bulky single‑executable applications for compact Rust‑compiled Node.js add‑ons, and even injecting attacker‑controlled SSH keys to gain persistent access. Parallel research on “slopsquatting” demonstrated that LLM hallucinations can be weaponized, with a fabricated npm package spreading to over 200 repositories before being intercepted.

Regulators and security leaders are responding by urging organizations to treat every AI‑suggested dependency as untrusted until verified. Recommendations include maintaining an allow‑listed registry, enforcing human sign‑off for high‑impact installs, and integrating Software Bill of Materials (SBOM) tools to monitor transitive components. As AI agents become integral to development pipelines, robust governance and continuous monitoring will be essential to prevent supply‑chain compromises from slipping silently into production code.
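One way to turn those three recommendations into a pre-install gate that an agent's proposed dependency set must pass, as an added example that is not from the article (the registry URL, the approved-package list, and the lockfile with its package names are all constructed):

```python
"""Policy gate for an AI agent's proposed npm install (added example, not from the article).
Flattens a constructed package-lock.json (lockfileVersion 3) and applies the article's
controls: allow-listed registry, approved-package list, human sign-off for the rest."""
import json

ALLOWED_REGISTRY = "https://registry.npmjs.org/"  # assumption: the only approved registry
APPROVED = {"express", "@solana/web3.js"}          # assumption: the org's package allow-list

def flatten_lock(lock: dict) -> dict[str, dict]:
    """Map package name -> lock entry for every installed package, direct or transitive."""
    return {path.rsplit("node_modules/", 1)[-1]: entry
            for path, entry in lock["packages"].items() if path}  # "" is the root project

def gate_install(lock: dict) -> dict[str, dict[str, str]]:
    """Return {'blocked': {name: reason}, 'needs_review': {name: reason}}: blocked entries
    resolve outside the allow-listed registry; needs_review entries await human sign-off."""
    direct = set(lock["packages"][""].get("dependencies", {}))
    verdict = {"blocked": {}, "needs_review": {}}
    for name, entry in flatten_lock(lock).items():
        resolved = entry.get("resolved", "")
        if not resolved.startswith(ALLOWED_REGISTRY):
            verdict["blocked"][name] = f"resolved outside allow-listed registry: {resolved}"
        elif name not in APPROVED:
            kind = "direct" if name in direct else "transitive"
            reason = f"{kind} dependency not on allow-list"
            if entry.get("hasInstallScript"):  # lifecycle hooks run code at install time
                reason += "; declares an install script"
            verdict["needs_review"][name] = reason
    return verdict

def auto_install_ok(verdict: dict) -> bool:
    """True only when nothing is blocked and nothing is waiting for sign-off."""
    return not verdict["blocked"] and not verdict["needs_review"]

# Constructed lockfile showing the bait-SDK pattern: an attractive top-level package that
# pulls in an off-registry transitive dependency with an install hook. Names are invented.
CONSTRUCTED_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"dependencies": {"express": "^4.19.0", "solana-dev-sdk": "^1.2.0"}},
  "node_modules/express": {"version": "4.19.2",
    "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
  "node_modules/solana-dev-sdk": {"version": "1.2.0", "dependencies": {"sdk-telemetry-core": "^0.3.1"},
    "resolved": "https://registry.npmjs.org/solana-dev-sdk/-/solana-dev-sdk-1.2.0.tgz"},
  "node_modules/sdk-telemetry-core": {"version": "0.3.1", "hasInstallScript": true,
    "resolved": "https://cdn.example.invalid/sdk-telemetry-core-0.3.1.tgz"}}}""")

if __name__ == "__main__":
    verdict = gate_install(CONSTRUCTED_LOCK)
    print("auto-install ok:", auto_install_ok(verdict), verdict)
```

The gate walks the whole resolved tree rather than only what the agent asked for, so the off-registry transitive package is what gets blocked, while the unvetted top-level SDK is held for a human to approve.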
