
How Claude Planted Malicious Code In A Crypto-Trading App

Key Takeaways
- PromptMink injected via npm package `@validate-sdk/v2` generated by Claude
- Attack uses two‑layer packages: benign bait and hidden malicious payload
- Malware evolved to SEA binaries >80 MB to evade detection
- AI coding assistants can unintentionally propagate supply‑chain threats
- Defenders must treat AI‑generated code and dependencies as untrusted input
Pulse Analysis
The emergence of AI‑assisted development has introduced a new attack surface that threat actors are exploiting at scale. PromptMink, a North Korea-linked campaign, leveraged Anthropic’s Claude to generate a seemingly innocuous npm package that was merged into an open‑source crypto‑trading bot. By embedding code that silently siphons API keys, wallet credentials, and even entire codebases, the attackers turned a productivity tool into a weapon, demonstrating that the very models designed to accelerate software delivery can also accelerate compromise.
Technically, PromptMink’s two‑layer strategy separates credibility from payload. The top‑level package appears functional for Web3 developers, while a hidden dependency carries the malicious logic. This modular design lets attackers swap out the payload without losing download history, making detection difficult. Over months, the malware morphed from basic JavaScript infostealers to massive Node.js Single Executable Application binaries exceeding 80 MB, then to compact Rust modules, each iteration improving stealth and persistence. The use of AI‑generated obfuscation—base64 strings, dynamic endpoint selection—further hampers traditional static analysis.
For enterprises, the lesson is clear: AI‑generated code cannot be trusted by default. Security teams must integrate provenance checks, dependency scanning, and runtime monitoring into CI/CD pipelines, treating every suggestion from a coding assistant as unverified input. Moreover, developers should enforce strict vetting of third‑party packages, especially those introduced via AI‑augmented commits. As AI continues to permeate development workflows, the industry must develop robust safeguards to prevent the next generation of supply‑chain attacks that blur the line between tool and threat.
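The dependency and provenance checks the two paragraphs above call for, as an added Node.js example that is not the article's or the campaign's code: it walks a package-lock.json for transitive dependencies declared with loose version ranges (the mechanism that lets a bait package keep its download history while the hidden payload changes) and for entries with no integrity hash, and scans source for long base64 literals. All package names, versions and file contents are constructed for illustration.

```javascript
// Added example, not the article's or the campaign's code; fixtures are constructed.
// An exact version cannot be swapped for a newer release on the next install;
// a range (^, ~, >=, x, a tag) can, which is what lets a bait package keep
// its download history while the hidden payload changes underneath it.
function isPinned(range) {
  return /^\d+\.\d+\.\d+$/.test(String(range).trim());
}

// Walk the "packages" map of a lockfileVersion 2/3 lock. Keys are
// "node_modules/<name>", nested under their parent; the root key is "".
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const depth = path.split('node_modules/').length - 1;
    const name = depth === 0 ? '(root)' : path.slice(path.lastIndexOf('node_modules/') + 13);
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      if (!isPinned(range)) findings.push({ pkg: name, depth, dep, range, reason: 'loose version range' });
    }
    if (depth > 0 && !entry.integrity) findings.push({ pkg: name, depth, reason: 'no integrity hash' });
  }
  return findings;
}

// Flag quoted literals that look like base64 and are long enough to hold an
// encoded endpoint or loader (the 40-character threshold is an assumption).
function findBase64Literals(source) {
  const hits = [];
  const re = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    hits.push({ literal: m[1], decoded: Buffer.from(m[1], 'base64').toString('utf8') });
  }
  return hits;
}

// Constructed fixtures: a bait package whose only real content is a loose
// dependency on a second package that the lock records without a hash.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'trading-bot', dependencies: { 'example-bait-sdk': '1.0.0' } },
    'node_modules/example-bait-sdk': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED',
      dependencies: { 'example-hidden-core': '^0.1.0' } },
    'node_modules/example-bait-sdk/node_modules/example-hidden-core': { version: '0.1.7' },
  },
};
// "YWJj" is base64 for "abc"; repeated, it stands in for an encoded endpoint.
const sampleSource = "const ep = Buffer.from('" + 'YWJj'.repeat(15) + "', 'base64').toString();";
console.log(auditLock(sampleLock));
console.log(findBase64Literals(sampleSource));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a finding is a reason to inspect the package, not proof of compromise.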