Branch 61G — Threat ResearchApril 30, 2026 | Supply Chain Threat Intelligence
Note: This is a practical walkthrough of how supply chain attacks work, why they bypass every traditional detection layer, and why three attacks in one week is not a coincidence.
The Assumption Your Stack Is Built On
Every security tool in your stack operates on the same foundational assumption: the software running in your environment is the software you chose to install.
That assumption is breaking.
Not because your patch management failed. Attackers have realized that compromising the supplier is more efficient, more scalable, and harder to detect than compromising the target directly.
Seven days. Three attacks. All targeting the developer ecosystem. None stopped by patching.
How It Works
Pipeline Compromise
The attacker does not touch the package code. They compromise the mechanism that builds and publishes it.
Bitwarden CLI: attackers compromised a GitHub Action and injected malicious code into @bitwarden/cli@2026.4.0. Valid signature. Legitimate install path. A preinstall hook fired on install and exfiltrated GitHub tokens, SSH keys, cloud secrets, and AI coding tool configs — including Claude, Kiro, Cursor, Codex CLI, and Aider. Window: 96 minutes. Caught by internal detection, not tooling.
Researchers found the string "Shai-Hulud: The Third Coming" embedded in the package — a Dune-themed marker carried across the same malware ecosystem that targeted Checkmarx last year. The malware encrypted stolen data with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx. If that failed, it committed the data to victim GitHub repositories as a fallback — meaning stolen credentials were publicly searchable by anyone on GitHub, not just the threat actor. Live GitHub tokens were weaponized to inject fresh malicious Actions workflows into every repo the token could reach, propagating access forward. The package also contained a Russia locale check: execution halts on systems where locale corresponds to Russia. Security researcher Adnan Khan flagged a more structural first: this appears to be the first time a package using NPM Trusted Publishing has been compromised — a security mechanism, turned attack surface.
elementary-data: a malicious PR comment exploited a GitHub Actions script injection flaw in the project's CI workflow. The comment caused the workflow to execute attacker-controlled shell code, exposing GITHUB_TOKEN. From there: forged signed commit, forged signed tag (v0.23.3), legitimate release pipeline triggered. The pipeline published the backdoor to PyPI and pushed the same malicious build to GitHub Container Registry. :latest was compromised. Any system without pinned versions pulled it automatically. The payload landed as elementary.pth — a Python path configuration file that executes automatically at interpreter startup, before any user code runs. Beyond developer credentials, the stealer specifically targeted cryptocurrency wallet files: Bitcoin, Litecoin, Dogecoin, Zcash, Dash, Monero, and Ripple. The compromise was caught not by a scanner but by a community member who opened a GitHub issue.
Pipeline Compromise — What It Looks Like to Every Security Tool
Vulnerability scanner: Clean. Version not yet catalogued as malicious.
EDR: Clean. Legitimate process, legitimate path, legitimate cert.
SIEM: Clean. Package install + brief external connection = low signal.
Network: First-seen C2 destination. Immediate post-install outbound.
No user action preceded the connection. Flagged.Deliberately Built Malicious Packages
The DPRK PromptMink campaign is different. These were not hijacked legitimate packages. Purpose-built fakes, running since September 2025, designed to survive detection.
PromptMink — Layered Package Strategy
Layer 1 (bait, no malicious code):
@solana-launchpad/sdk @meme-sdk/trade @validate-ethereum-address/core
Lists millions-downloaded packages as deps for legitimacy.
Buries Layer 2 malware packages deep in the dependency list.
Layer 2 (malware):
@validate-sdk/v2 crypto wallet stealer, credential exfil
If caught and removed: immediately swapped. Attack continues.They also ran fake job interviews. Fake companies on LinkedIn, GitHub, and X — Veltrix Capital, Blockmerce, Bridgers Finance — complete with GitHub organizations, convincing profiles, and active repo histories dating back to June 2025. Blockmerce went further: the operators registered it as an actual LLC in Florida in August 2025. Developers invited to a "coding test" downloaded a GitHub project. The project pulled a malicious npm package as a dependency. A full RAT deployed: keylogging, screen capture, file access, remote control.
The campaign runs on three simultaneous tracks. Contagious Trader uses a Matryoshka doll structure: a benign wrapper package downloads a malicious dependency, which installs the stealer. No malicious code in the package you install directly. Contagious Interview deploys OtterCookie — a stealer now updated with interactive remote control capabilities via @nut-tree-fork/nut-js for mouse and keyboard access. graphalgo has moved the malicious dependency entirely off npm registries: it is now hosted as a GitHub release artifact, referenced in the resolved field of package-lock.json, buried in transitive dependency resolution. The malicious package does not appear in your direct dependency list.
The payload evolution is also worth tracking. Early versions: obfuscated JavaScript, 5.1KB, exfiltrating to a Vercel-hosted C2. When the threat actors packaged the malware as a Node.js Single Executable Application, the payload jumped to 85MB — too visible. They pivoted to NAPI-RS, compiling the malware in Rust as a native Node.js add-on. Smaller footprint. Cross-platform. The Rust payload now drops persistent SSH backdoors and stages entire project directories for exfiltration. Separately, a BlueNoroff sub-cluster (UNC1069, Lazarus-linked) compromised axios — one of the most downloaded npm packages in existence — and followed up with csec-crypto-utils as an updated payload vehicle targeting AWS keys, GitHub tokens, and .npmrc files.
This Is AI-Powered. Right Now.
AI-powered attacks have been framed as a future concern.
PromptMink closes that conversation.
The malicious packages show signs of being written using generative AI. The campaign was explicitly built to deceive AI coding assistants. When a developer uses Claude, Copilot, or Cursor to build a project, the AI treats the dependency list as ground truth. It does not audit npm for newly published packages with thin histories. PromptMink was designed to pass that check.
How the Attack Exploits AI-Assisted Development
Developer asks Claude: "help me build a Solana trading agent"
Claude accepts dependency on @solana-launchpad/sdk.
Good README. Plausible API. No known CVEs. SCA returns clean.
@validate-sdk/v2 executes. Wallet drained. Credentials gone.
How it was eventually found:
A ReversingLabs researcher manually reviewed the commit history.
Co-author of the compromised commit: Claude Opus.
Detection method: human. Not a tool.The AI did not flag the malicious dependency it accepted. It had no reason to. The package looked legitimate.
Attackers are now writing malware optimized to evade the AI layer sitting between developers and the package registry. That is a new threat model. It is not coming. It is here.
Three Threat Actors. One Ecosystem.
Shai-Hulud / TeamPCP
The Bitwarden compromise is not isolated. The embedded "Shai-Hulud: The Third Coming" marker places it in a known malware lineage with Dune-themed naming conventions, running since at least last year. The threat actor suspected responsible — known as TeamPCP on X, since suspended — shares tooling and infrastructure with the earlier Checkmarx campaign. Exfil repositories created under victim accounts follow the same <word>-<word>-<3 digits> naming format seen before. The shared infrastructure "strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution" — which leaves open the possibility of a splinter group, an evolution in posture, or shared tooling across separate operators. One distinguishing feature: the Russia locale check is new. The earlier campaign lacked it. Something in the operational profile shifted.
Famous Chollima (DPRK)
PromptMink, graphalgo, Contagious Trader, and Contagious Interview are all attributed to Famous Chollima — a North Korean state-sponsored cluster with a years-long track record in the developer ecosystem. The simultaneous operation of multiple campaign branches is deliberate: each track targets a different entry point (package registries, job platforms, AI-assisted development workflows), and each uses a different detection-evasion architecture. When one layer gets burned, it is replaced. The malware continues to run. BlueNoroff, a Lazarus Group sub-cluster, has been separately tied to the axios compromise through infrastructure overlaps and RAT similarity to NukeSped — meaning North Korean operators are now actively probing the most foundational layers of the JavaScript ecosystem, not just the periphery. The combined picture is an adversary running parallel campaigns, hardening payloads in real time, and registering cover companies in U.S. states to maintain operational credibility.
What the Network Sees
Stolen data has to leave the environment. All three attacks put anomalous traffic on the wire.
Network Signals — All Three Attacks
Bitwarden CLI:
First-ever connection to audit.checkmarx[.]cx from this host.
Initiated seconds after npm install. No user action preceded it.
First-seen C2 from trusted process. High-confidence alert.
elementary-data:
Outbound connection immediately after credential files read.
Volume inconsistent with an observability tool. Unknown destination.
Exfil pattern from data pipeline process. Behavioral deviation flagged.
PromptMink:
Exfil to Vercel C2. SSH backdoor beacon. Entire project dirs staged.
Rust payload to first-seen external destination.
Exfil volume + first-seen C2 + SSH beacon. Flagged.A developer machine that runs npm install thousands of times does not immediately open an encrypted outbound connection within seconds of install completing. That sequence is grammatically wrong in the language of normal network behavior. A model trained on that language knows it.
Summary
The endpoint trusts the package.
The AI trusts the dependency list.
The pipeline trusts the token.
The network reads the traffic.
Two nation-states. Multiple campaigns. One shared truth: the supply chain is the attack surface. The wire is still reading.
Branch 61G — DeepTempo Threat ResearchBranch 61G investigates fundamental gaps in modern security architectures and publishes findings to help defenders understand where their stack falls short.
