RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: cryptocurrency (2 articles)Clear
threat
2026-04-29

North Korean hackers used Claude AI to add malicious npm dependencies to legitimate-looking projects and stole crypto wallet credentials from developers who installed them

North Korea's Famous Chollima group (also called Void Dokkaebi) is using Anthropic's Claude Opus to write malicious npm packages and slip them into developer environments. ReversingLabs found the group had registered a fake Florida LLC, set up a real-looking developer firm, and used Claude to add a package called @validate-sdk/v2 as a dependency to a legitimate-looking utility SDK. When developers installed the parent package, the dependency executed code that stole their cryptocurrency wallet credentials. The campaign progressed from simple JavaScript info-stealers (5KB) to full Node.js executables (85MB) bundling Claude-generated deception code.

dprkfamous-chollimavoid-dokkaebiclaude-opusai-malwarenpmpypicryptocurrencyfake-llcreversinglabs
Check
If your organization handles cryptocurrency, treat every npm or PyPI dependency as untrusted by default - particularly utility SDKs offered by unfamiliar publishers.
Affected
Cryptocurrency companies and developers, especially those whose machines hold wallet credentials, signing keys, or CI/CD access to crypto infrastructure. Web3 startups, blockchain developers, fintech engineers. The targeting is industry-specific, but the technique (AI-generated trojan dependencies inside legitimate-looking SDKs) will be copied by other groups.
Fix
Pin npm and PyPI dependencies to specific commit SHAs and require manual review for any new dependency added to a crypto-handling project. For high-risk developers, use ephemeral build environments that don't carry wallet credentials. Block ipfs-url-validator.vercel[.]app and the @validate-sdk publisher namespace. Treat any 'utility SDK' from an unfamiliar US LLC formed in the past 12 months with extra suspicion.
threat
2026-04-28

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

bluenorofflazarusapt38dprkdeepfakefake-zoomclickfixcryptocurrencyarctic-wolfcalendlysocial-engineering
Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is a North Korean malware drop.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.