system: OPERATIONAL
← back to all hacks
SUPPLY CHAIN CRITICAL NEW

LLMO abuse: poisoning package docs to fool AI coding agents

ReversingLabs' June 2026 PromptMink report shows a North Korean group writing npm package documentation to read as authoritative to LLM coding agents, so the agent recommends and installs a malicious dependency.

2026-07-03 // 6 min affects: claude-code, gemini-cli, cursor, openai-codex

What is this?

On June 2026, ReversingLabs published research on a supply-chain campaign it named PromptMink, attributed to the North Korean-linked group Famous Chollima. The novelty is not the malware — it is the targeting. Instead of tricking a human developer into installing a bad package, the attackers write package documentation designed to persuade a large language model that the package is the right dependency for the job. ReversingLabs calls the technique LLM Optimization (LLMO) abuse and knowledge injection. The goal, in their words, is “to make the LLM likely to recommend using the malicious package by making the documentation as believable and as appropriate as possible in the project that the specific LLM coding agent is working on.” This is a class-of-attack writeup, not an actionable exploit.

The campaign is not theoretical. ReversingLabs traced malicious payload packages back to September–October 2025, and confirmed the packages reached real agents: a February 28, 2026 commit to an open-source crypto trading agent, openpaw-graveyard, added the bait dependency in a commit co-authored by Claude Opus. A second sighting appeared on a platform where LLM agents post about their work, where a bot described using one of the bait packages because it “had a function it needed.”

How it works

The attack separates the lure from the payload across two package layers, which is what makes it durable.

Layer          Role                         Example (from the report)
-------------  ---------------------------  --------------------------------
1. "Bait"      Clean, legitimate-looking    @solana-launchpad/sdk
               package with polished docs.   (contains no malicious code)
               Lists layer 2 as a
               transitive dependency.
2. "Payload"   Infostealer pulled in         @hash-validator/v2  ->
               automatically at install.     @validate-sdk/v2 (identical code,
               Rotated whenever detected.    new name after each takedown)

Two design choices are the point. First, the documentation is optimized for a machine reader, not a human: convincing README text, TypeScript types, and semantic structure that make an agent resolving dependencies conclude the package fits the current project. Second, the malicious behavior is hidden where LLMs do not look. As detections mounted, the operators moved payloads out of easily parsed JavaScript and into pre-compiled Rust Node.js add-ons (via NAPI-RS), so the code an agent might read stays clean while the binary does the stealing — environment secret exfiltration, SSH key deployment, and data archiving to attacker infrastructure.

Because the clean bait package never has to change, the attackers keep its reputation intact and simply swap in a freshly named payload each time one is caught — the same trick that defeats name-based blocklists.

Why it matters

For years the main behavioral defense against open-source supply-chain attacks was human friction: a developer pausing at an unfamiliar name to check download counts and maintainer history before running npm install. As Socket’s Brad Arkin argued on June 23, 2026, AI agents remove exactly that friction — they resolve a dependency and keep the build moving. The efficiency is the attack surface.

This turns the LLM’s document-comprehension strength into a weapon. It is a supply-chain cousin of tool-description poisoning: the model trusts attacker-authored text and acts on it. It also differs from the two supply-chain patterns we’ve already covered — slopsquatting, which exploits hallucinated names, and model typosquatting, which exploits mistyped ones. LLMO abuse needs neither: the package name is real, the docs are excellent, and the agent chooses it on merit — engineered merit.

Defenses

No patch fixes this, because nothing is technically “broken.” The controls are process and pipeline hygiene, and they line up with the May 1, 2026 CISA/Five Eyes guidance, which warns that “persuasive descriptions [are] chosen more often” by agents.

  1. Treat agent-suggested packages as a distinct, untrusted review category. Any dependency an agent adds autonomously should be reviewed for publisher, version age, and transitive dependencies before it ships — the human review moment the agent skipped.
  2. Enforce registry policy in CI/CD, not just on laptops. Allowlist approved packages and versions so an agent literally cannot install anything off-list, regardless of what the docs say. Registry-level gates and staged-publishing controls apply no matter how a dependency was introduced.
  3. Require human approval for high-impact actions. CISA frames adding a dependency in a sensitive pipeline as exactly this kind of action.
  4. Use behavioral detection, not name-matching. These packages carried no CVE at attack time; SCA tools that only check names against vulnerability databases see nothing. Analyze what a package does — and be aware that --ignore-scripts is only a partial control, bypassable via native extensions.
  5. Give the agent a reputation oracle. ReversingLabs showed a coding agent, once wired to a package-reputation MCP server, correctly advising against installing the bait package. Feed agents ground-truth data instead of trusting the package’s own marketing.
  6. Keep an SBOM. You cannot respond to an agent-introduced dependency you cannot see after the fact.

Status

ItemReferenceDateNotes
First payload package detectedReversingLabs2025-09Two-layer campaign begins
Pivot to Rust/NAPI-RS payloadsReversingLabs2026-03Evades LLM code review
Bait dependency added by an agentopenpaw-graveyard commit2026-02-28Co-authored by Claude Opus
Public research (PromptMink)ReversingLabs2026-06Attribution: Famous Chollima
Multi-government guidanceCISA / Five Eyes2026-05-01Allowlists, human approval, least privilege

The honest framing is not “an LLM was hacked.” It is that an agent’s ability to read and trust documentation is now an attack surface, and the defensive move is to stop letting a package describe itself — verify it out-of-band, gate it in the pipeline, and keep a human on the install of anything the agent found persuasive.

Sources