AI Coding Assistants Under Siege: The Rise of Targeted Supply-Chain Attacks
The New Frontier in Software Supply-Chain Attacks
As artificial intelligence coding agents gain traction in software development, attackers are quickly adapting their tactics to exploit these automated tools. Unlike human developers who can be socially engineered, AI agents autonomously scan package registries like NPM and PyPI for components to integrate into projects. This automated behavior opens a new vector for supply-chain attacks, where malicious packages are crafted specifically to lure AI agents into downloading them.
Researchers at ReversingLabs have identified a campaign, dubbed PromptMink, that targets AI coding agents with sophisticated bait packages. The attack is attributed to Famous Chollima, a North Korean advanced persistent threat (APT) group known for targeting cryptocurrency and fintech developers. The campaign illustrates a worrying evolution: attackers now test and refine their malicious packages to ensure they are selected by AI agents, a level of preparation previously reserved for human-targeted social engineering.
How Attackers Exploit AI Coding Agents
AI agents often rely on public package registries to source dependencies, and attackers have developed two primary techniques to compromise these agents:
- Bait Packages: Packages with persuasive descriptions and legitimate functionality that appear useful to the AI agent, but contain hidden malicious code or dependencies.
- Hallucination Targeting: Packages named after dependencies that AI coding agents commonly hallucinate (i.e., invent non-existent packages). By registering these hallucinated names, attackers can trick the agent into downloading a malicious version.
These methods capitalize on the agent's lack of human intuition and its tendency to trust package metadata. The PromptMink campaign combines both techniques, using carefully crafted package descriptions and legitimate functionality to increase the likelihood of being chosen by the AI agent.
PromptMink: A Case Study in AI-Targeted Attacks
The PromptMink campaign began in September 2024 with two malicious packages: @hash-validator/v2 and @solana-launchpad/sdk. The SDK served as a bait package with genuine utility for Solana blockchain development, making it attractive to AI agents working on crypto projects. Meanwhile, @hash-validator/v2, a dependency of the SDK, contained a JavaScript infostealer designed to exfiltrate sensitive data.
This two-layer approach—where a seemingly benign package depends on a malicious one—helps the attack remain undetected longer. The bait package accumulates downloads and history, building credibility that increases its chances of being chosen by AI agents. Over time, the attackers rotated multiple second-layer malicious packages, including aes-create-ipheriv, jito-proper-excutor, jito-sub-aes-ipheriv, and @validate-sdk/v2, all posing as cryptographic tools related to cryptocurrency networks.
The Evolving Campaign
The attackers have diversified their tactics by expanding across multiple package registries and programming languages, including Python and Rust. They also introduced additional bait packages such as @validate-ethereum-address/core to target Ethereum developers. ReversingLabs notes that the group demonstrates a deep understanding of AI agent behavior, testing their lures before deployment—a capability that marks a shift from traditional supply-chain attacks.
This campaign is not an isolated incident. It reflects a broader trend where threat actors leverage LLM optimization abuse and knowledge injection to manipulate the training or selection processes of AI models. By injecting malicious content into package registries, they ensure that AI agents retrieving dependency information will encounter their poisoned packages.
Implications for Software Supply-Chain Security
As the ReversingLabs researchers emphasize, “This campaign presents us with the new frontier in software supply chain security: AI coding agents manipulated into installing and using malicious dependencies in the code they generate.” The underlying problem mirrors traditional social engineering of developers, but with a critical difference: attackers can now automate and scale their social engineering efforts by targeting AI agents directly.
For organizations adopting AI coding assistants, this means:
- Enhanced Package Verification: Implement stricter vetting of packages used by AI agents, including checking package origin, download history, and code signing.
- Behavioral Monitoring: Monitor AI agent activities for unusual package selection patterns or dependencies.
- Registry Hygiene: Use private or curated package mirrors to reduce exposure to malicious registries.
The PromptMink campaign serves as a wake-up call that supply-chain attacks are evolving alongside AI. Developers and security teams must adapt to this new reality, ensuring that the very tools designed to accelerate coding do not become the Achilles' heel of software security.
For more insights on protecting against AI-targeted supply-chain attacks, refer to our introduction and how attackers exploit AI agents.