When Copilots Turn Malicious: Analyzing the `@validate-sdk/v2` npm Package
Has anyone else dug into the @validate-sdk/v2 situation reported today? It’s wild that we’re seeing LLMs like Claude Opus hallucinating (or being poisoned into) suggesting malicious dependencies. This package masquerades as a utility SDK for hashing and validation, but researchers found it's actually a DPRK-linked supply chain trojan.
The package includes a preinstall script that executes obfuscated PowerShell to fetch a Remote Access Trojan (RAT). If your devs are blindly copy-pasting from AI assistants, your build pipeline could be compromised immediately.
I’ve whipped up a quick KQL query to hunt for signs of this specific package installation in our environment:
DeviceProcessEvents
| where ProcessCommandLine has "npm" and ProcessCommandLine has "install"
| where ProcessCommandLine has "@validate-sdk/v2"
| project DeviceName, Timestamp, ProcessCommandLine
We are also recommending blocking the specific hashes associated with the initial drop, but the real fix here is process control. How are you guys handling AI-generated code suggestions? Are we treating AI output as untrusted input yet?
This is exactly why we’ve locked down our build runners. No internet access during the npm install phase unless pulling from our internal, cached proxy. We audit every new package request against a private registry allow-list. It slows down the devs a bit, but it beats dealing with a DPRK RAT in the CI/CD pipeline.
Great query, thanks for sharing. I’d also add checking for suspicious child processes spawned by node.exe or npm.cmd. In the samples I saw, the malware tries to reach out to C2 infrastructure shortly after the install. You can correlate the process creation with network connections:
DeviceNetworkEvents
| where InitiatingProcessFileName has "node"
| where RemoteUrl contains ".onion" or RemotePort in (4444, 8080)
It feels like 2026 is the year of 'Trust No One.' First the Tylerb SMS phishing, and now AI suggesting malware? We implemented a pre-commit hook that runs npm audit and checks the package publisher reputation. If @validate-sdk was a new account with no history, it should have been flagged immediately.
To catch this before CI, I recommend checking for lifecycle scripts locally. Since this specific malware relied on preinstall, blocking them by default is a solid defensive layer. You can quickly scan a package.json for these hooks using jq:
jq -r '.scripts // {} | keys[] | select(test("pre|post"))' package.json
If anything returns, verify it manually before installing. It adds a friction point but prevents accidental execution of payloads like that PowerShell RAT.
Since the entry vector is AI hallucination, we must train developers to verify package existence before trusting an LLM's suggestion. A simple check can reveal if a package is fake or non-existent:
npm view <package-name> time
If the package was published minutes ago or returns a 404, treat it as hostile. This human-in-the-loop verification is critical when AI tools introduce hallucinated dependencies into your ecosystem.