PromptMink Malware: First Malicious Commit Co-Authored by Anthropic's Claude Opus

The Famous Chollima campaign marks the first instance of a malicious commit co-authored by an AI model, affecting over 1,700 software packages.

The malware campaign dubbed PromptMink was identified by ReversingLabs researchers in April 2026. Analysis revealed an unprecedented event: a malicious commit, introduced on February 28, 2026, within an autonomous trading agent, carried Anthropic's Claude Opus as a formal co-author in its commit metadata. The attack is attributed to the North Korean threat actor Famous Chollima (also known as Shifty Corsair).

Attack Timeline and Vectors

The campaign's infrastructure has a long history. The first identified package, '@hash-validator/v2', dates back to September 2025. The npm package '@validate-sdk/v2' followed in October 2025. In February 2026, the malicious package 'scraper-npm' was published on PyPI.

Another key component is the 'express-session-js' malware, which uses the Socket.IO protocol to connect to its command-and-control server at the IP address 216[.]126[.]237[.]71.

Attribution and Ecosystem Impact

In addition to the primary attribution to Famous Chollima, the security firm Expel tracks the group responsible as 'HexagonalRodent' and considers it highly likely to be a subgroup of the same North Korean threat actor.

The compromise was not limited to software repositories. On March 18, 2026, it emerged that the VSX extension 'fast-draft' had been compromised. According to data collected by Socket, the broader 'Contagious Interview' campaign has generated over 1,700 malicious packages since January 2025.

On the defensive front, between February 6 and April 7, 2026, the SEAL team blocked 164 domains associated with the actor UNC1069. These domains were designed to impersonate legitimate services such as Microsoft Teams and Zoom. Collected evidence suggests an overlap between UNC1069 and the groups BlueNoroff, Sapphire Sleet, and Stardust Chollima, all linked to DPRK cyber-operations.

Frequently Asked Questions

How is it possible for Claude Opus to be listed as a co-author of a commit?
Attackers manipulated Git commit metadata so that Claude Opus's name appeared as a formal co-author of the malicious commit, an emblematic case of trust abuse in automated systems.
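The answer above rests on how Git records co-authorship: a 'Co-authored-by' line is an ordinary trailer in the commit message, typed by whoever makes the commit and verified by nobody, and a commit signature (when present) vouches only for the signer's key. The following Python is an added example, not code from the report or from any of the firms named. It parses the trailer block in a simplified form of git's own rules and separates the identities a commit merely asserts from the one a valid signature proves. The shape of the commit dictionary, the sample message and the placeholder assistant identity are constructed assumptions.

```python
"""Show that a Co-authored-by trailer is an unverified, free-text claim.
Added example; the commit dict shape and the sample message are assumptions."""
import re

# A trailer line is 'Key: value'; git takes the trailer block from the last paragraph.
TRAILER_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
# Value format expected for a co-author: 'Name <email>'
IDENTITY_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<email>[^<>]+)>$")


def parse_trailers(message):
    """Return (key, value) pairs from the trailer block of a commit message.

    Simplified version of git's rules: the block is the final paragraph, it can never be
    the subject line, every line must be 'Key: value', and a line that starts with
    whitespace continues the previous value. Anything else means 'no trailers'.
    """
    paragraphs = re.split(r"\n[ \t]*\n", message.strip())
    if len(paragraphs) < 2:
        return []
    trailers = []
    for line in paragraphs[-1].splitlines():
        if line[:1] in (" ", "\t") and trailers:
            key, value = trailers[-1]
            trailers[-1] = (key, value + " " + line.strip())
            continue
        m = TRAILER_RE.match(line)
        if not m:
            return []
        trailers.append((m.group(1), m.group(2).strip()))
    return trailers


def co_authors(message):
    """Identities claimed through Co-authored-by trailers, as (name, email) tuples."""
    found = []
    for key, value in parse_trailers(message):
        if key.lower() != "co-authored-by":
            continue
        m = IDENTITY_RE.match(value)
        if m:
            found.append((m.group("name"), m.group("email").strip()))
    return found


def attribution_report(commit):
    """Split the identities a commit asserts from the one a valid signature proves.

    `commit` is a plain dict (assumed shape, as a git-log wrapper might return): 'author'
    and 'committer' as 'Name <email>', 'message', 'signature_valid' and 'signer_email'.
    A co-author claim counts as verified only if that party's own key signed the
    commit, which in practice it almost never does; the author and committer fields are
    equally self-declared.
    """
    claimed = co_authors(commit["message"])
    signer = commit.get("signer_email") if commit.get("signature_valid") else None
    return {
        "asserted_author": commit["author"],
        "asserted_committer": commit["committer"],
        "asserted_co_authors": claimed,
        "verified_identity": signer,
        "verified_co_authors": [ca for ca in claimed if signer and ca[1] == signer],
    }


# Constructed sample (not the real PromptMink commit); the assistant identity is a placeholder.
SAMPLE_MESSAGE = """Add retry logic to the order executor

Wrap the exchange call so that transient errors are retried
before the agent gives up on the order.

Co-authored-by: Example Assistant <assistant@example.invalid>
Signed-off-by: Dev Example <dev@example.invalid>
"""

SAMPLE_COMMIT = {
    "author": "Dev Example <dev@example.invalid>",
    "committer": "Dev Example <dev@example.invalid>",
    "message": SAMPLE_MESSAGE,
    "signature_valid": False,  # constructed: this commit carries no valid signature
    "signer_email": None,
}

if __name__ == "__main__":
    for field, value in attribution_report(SAMPLE_COMMIT).items():
        print(f"{field}: {value}")
```

Run against the constructed commit, the report lists an asserted co-author and no verified identity at all; even with a valid signature from the developer, the co-author list stays unverified, which is the point: review tooling should treat 'Co-authored-by' as a label, not as evidence of who or what produced the change.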
Which specific packages should be verified?
Developers should check for the presence of '@hash-validator/v2', '@validate-sdk/v2', 'scraper-npm', 'express-session-js', and the 'fast-draft' extension within their development environments.
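As an added example (not tooling from ReversingLabs, Socket or any other firm named here), the following Python walks a checkout and reports the packages, the extension and the C2 address listed in this article wherever they appear in package.json, package-lock.json, requirements.txt, source files or a VS Code extensions directory. The directory-name pattern used for the extension and the sample tree it scans are constructed assumptions.

```python
"""Scan a checkout for the packages, extension and C2 address the report names.
Added example, not the researchers' tooling."""
import json
import re
import tempfile
from pathlib import Path

SUSPECT_NPM = {"@hash-validator/v2", "@validate-sdk/v2", "express-session-js"}
SUSPECT_PYPI = {"scraper-npm"}
# Only the extension name is reported, so any publisher prefix is accepted (assumes the
# usual 'publisher.name-version' directory layout).
EXTENSION_DIR_RE = re.compile(r"^[^.]+\.fast-draft-\d[\w.]*$")
# Defanged in the report; re-joined here only for matching against local files.
C2_IP = "216[.]126[.]237[.]71".replace("[.]", ".")


def _norm_pypi(name):
    """PEP 503 normalisation so Scraper_NPM and scraper-npm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_manifest_hits(text):
    """Suspect names declared in any dependency section of a package.json."""
    data, found = json.loads(text), set()
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        found |= set(data.get(section, {})) & SUSPECT_NPM
    return found


def npm_lockfile_hits(text):
    """Suspect names resolved anywhere in a package-lock.json (v1 nested, v2/v3 flat)."""
    data, names = json.loads(text), set()
    for path in data.get("packages", {}):   # v2/v3 keys look like node_modules/a/node_modules/b
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    stack = [data.get("dependencies", {})]  # v1 nests a "dependencies" object per package
    while stack:
        for name, meta in stack.pop().items():
            names.add(name)
            stack.append(meta.get("dependencies", {}))
    return names & SUSPECT_NPM


def requirements_hits(text):
    """Suspect names in a requirements.txt; comments and option lines are skipped."""
    suspects, found = {_norm_pypi(s) for s in SUSPECT_PYPI}, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = _norm_pypi(re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0])
        if name in suspects:
            found.add(name)
    return found


def scan_tree(root):
    """Return {relative path: sorted findings} for every file or directory with a hit."""
    root, report = Path(root), {}
    for path in root.rglob("*"):
        findings = set()
        if path.is_dir():
            if EXTENSION_DIR_RE.match(path.name):
                findings.add("extension:fast-draft")
        elif path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            try:
                if path.name == "package.json":
                    findings |= npm_manifest_hits(text)
                elif path.name == "package-lock.json":
                    findings |= npm_lockfile_hits(text)
                elif path.name == "requirements.txt":
                    findings |= requirements_hits(text)
            except (ValueError, AttributeError):  # malformed JSON or unexpected shape
                pass
            if C2_IP in text:  # hard-coded C2 address in source or config
                findings.add("c2-ip:" + C2_IP)
        if findings:
            report[path.relative_to(root).as_posix()] = sorted(findings)
    return report


def build_sample_tree():
    """Constructed project tree with one hit of each kind (sample data, not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="promptmink-scan-"))
    (root / "package.json").write_text(json.dumps(
        {"dependencies": {"express": "^4.18.0", "express-session-js": "1.0.0"}}))
    (root / "package-lock.json").write_text(json.dumps({"lockfileVersion": 3, "packages": {
        "": {}, "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/@validate-sdk/v2": {"version": "2.0.1"}}}))
    (root / "requirements.txt").write_text(
        "requests==2.31.0\nScraper_NPM>=1.0  # pinned by a teammate\n-r dev.txt\n")
    (root / "src").mkdir()
    (root / "src" / "config.js").write_text(f"export const url = 'http://{C2_IP}:3000';\n")
    (root / ".vscode" / "extensions" / "example-publisher.fast-draft-0.1.0").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for location, hits in scan_tree(build_sample_tree()).items():
        print(f"{location}: {', '.join(hits)}")
```

Point `scan_tree` at a real repository root instead of the sample tree to use it. The lockfile check matters more than the manifest check: a transitive dependency such as the nested '@validate-sdk/v2' in the sample never appears in package.json, and the PEP 503 normalisation prevents a differently cased or underscored spelling in requirements.txt from slipping past a plain string match.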