On February 28, 2026, a commit landed on an open source Solana trading bot called openpaw-graveyard. The commit added one dependency: @solana-launchpad/sdk. Anthropic's Claude Opus was listed as co-author. The dependency looked clean. The README was polished. The TypeScript types were correct. The package did what it said it did. It also pulled in @validate-sdk/v2, a North Korean credential stealer that had been sitting on npm since October 2025.

ReversingLabs disclosed the campaign on April 29, 2026, under the name PromptMink. They attributed it to Famous Chollima, the DPRK state-sponsored group behind the Contagious Interview operation and years of crypto-targeted supply chain attacks. But PromptMink is not just another supply chain compromise. It is the first documented campaign engineered specifically to deceive AI coding agents rather than human developers. ReversingLabs gave the technique a name: LLM Optimization (LLMO) abuse.

Famous Chollima spent seven months on this. 60+ packages. 300+ versions. Four distinct payload architectures. 20+ pieces of C2 infrastructure. And the core insight driving the entire operation is uncomfortable: if your AI coding agent picks dependencies based on documentation quality and semantic fit, you can game that selection process the same way people game Google search results. Except the stakes are SSH keys, API tokens, and crypto wallets.

How the two-layer architecture works

The reason PromptMink survived multiple npm takedowns is its topology. Famous Chollima split the operation into two independent layers.

Layer 1 is a set of polished, legitimate-looking Web3 utility packages: @solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk, @solana-ipfs/sdk. None of them contain a single line of malicious code.
Their package.json files list genuinely popular dependencies like axios and bn.js (combined download counts in the billions) alongside one or two niche packages that are the actual payload.

Layer 2 is the disposable stealer: @validate-sdk/v2, the older @hash-validator/v2, and several siblings. These are the packages that do the damage.

Here is why this architecture matters. On October 7, 2025, npm removed @hash-validator/v2 and three sister packages. Within hours, Famous Chollima republished byte-identical code as @validate-sdk/v2, starting at version 1.22.11 (the next sequential version after the takedown), and pushed a new release of @solana-launchpad/sdk swapping the dependency pointer. Layer 1 kept every accumulated download count, every reputation signal, every star. Layer 2 was treated as expendable ammunition.

When JFrog published partial coverage of the campaign on November 20, 2025, the attackers replaced burned dependencies the same day. No downtime. No loss of operational continuity.

The Claude commit and what it actually shows

The openpaw-graveyard incident was a real compromise, not a lab demonstration. The repository ExpertVagabond/openpaw-graveyard is an autonomous Solana trading agent built by Purple Squirrel Media for a Solana hackathon. The commit (cd3c6ccbfe02a0fcf249fdcf67fd3ec351a7ed7c) added @solana-launchpad/sdk and carried the Co-Authored-By: Claude <[email protected]> trailer that Claude Code automatically inserts on every commit it produces.

No prompt injection. No jailbreak. No model exploit. Claude did what it was asked to do. It found a package that matched the task, evaluated it, and added it. The package looked legitimate because Famous Chollima designed it to look legitimate. ReversingLabs put it directly: Famous Chollima's malicious packages have been "more successful in tricking LLM coding agents than humans to use them."

There is an earlier indicator that this was already working.
In January 2026, an autonomous LLM agent named Zora posted on Moltbook that it had launched a memecoin and pulled in @solana-launchpad/sdk because "it had a function it needed." That is agent-to-agent recommendation propagation. One AI suggesting a malicious package, another AI installing it, no human in the loop at any point.

Why AI agents are easier to fool than humans

A human developer does things an LLM cannot. We check the npm publisher page. We look at how many other packages the maintainer has. We notice when a package has 12 downloads and was published last week. We check the GitHub repo and see if the commit history looks organic. We get suspicious when documentation quality is disproportionately high relative to community adoption.

AI coding agents weigh different signals. They care about documentation quality, semantic fit to the task, TypeScript type coverage, and how well the README describes the exact problem they are trying to solve. Famous Chollima optimized for all of these. Layer 1 READMEs read like polished SDK documentation with realistic Solana use cases (IPFS uploads, metadata management, Jito bundle execution, Pump.fun launches, Polymarket on-cha...
The PromptMink campaign is a novel North Korean supply chain attack using LLM Optimization (LLMO) to deceive AI coding agents into selecting malicious npm packages. The threat employs a two-layer architecture where clean-looking "Layer 1" packages depend on disposable "Layer 2" credential stealers like @validate-sdk/v2, allowing the malicious payloads to be swapped after takedowns without disrupting the attack chain. The article does not provide specific CVSS scores, affected version ranges, fixed versions, or workarounds for the malicious packages.
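
Because the stealer is never a direct dependency, reviewing only the top-level package.json misses it. The following is an added example, not code from the article or from ReversingLabs: it walks an npm lockfile and reports the chain from the project to any package the article names. It assumes the lockfile v3 "packages" layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Package names are the ones the article lists (Layer 2 stealers, Layer 1 wrappers).
const LAYER2 = ["@validate-sdk/v2", "@hash-validator/v2"];
const LAYER1 = ["@solana-launchpad/sdk", "@meme-sdk/trade", "@validate-ethereum-address/core",
  "@solmasterv3/solana-metadata-sdk", "@pumpfun-ipfs/sdk", "@solana-ipfs/sdk"];

// Resolve `name` as required from lockfile path `from`, the way Node does: try
// from/node_modules/name, then each enclosing package's node_modules, up to the root.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Walk every dependency edge reachable from the root project; each edge that points
// at a listed package yields a finding with the chain of names that leads to it.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [], seen = new Set(), stack = [{ path: "", chain: [] }];
  while (stack.length) {
    const { path, chain } = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    const e = packages[path] || {};
    const deps = { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      const next = [...chain, name];
      const layer = LAYER2.includes(name) ? "layer2" : LAYER1.includes(name) ? "layer1" : null;
      const version = target ? packages[target].version : null;
      if (layer) findings.push({ name, layer, version, chain: next });
      if (target) stack.push({ path: target, chain: next });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 "packages" layout); versions other than 1.22.11 are made up.
const SAMPLE_LOCK = { packages: {
  "": { dependencies: { "axios": "^1.0.0", "@solana-launchpad/sdk": "^1.0.0" } },
  "node_modules/axios": { version: "1.0.0" }, "node_modules/bn.js": { version: "5.0.0" },
  "node_modules/@solana-launchpad/sdk": { version: "1.0.0",
    dependencies: { "bn.js": "^5.0.0", "@validate-sdk/v2": "^1.22.11" } },
  "node_modules/@validate-sdk/v2": { version: "1.22.11" },
} };
```

Matching on the Layer 1 names as well as the Layer 2 names matters here: the article describes Layer 2 being republished under a new name within hours of a takedown, so a list of stealer names alone goes stale while the Layer 1 names stay fixed.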