North Korean hackers figured out they don't need to break into your systems. They just need to poison the tools your AI uses to build them.

A report from security firm Expel details how a North Korean hacking unit called HexagonalRodent, a subunit of the notorious Lazarus Group, has been running an organized campaign targeting software developers through their AI coding assistants. The operation infected over 2,700 developer systems and exposed crypto wallets holding up to $12 million in Q1 2026 alone.

The attack targets npm, essentially a giant public library of code that developers and AI coding tools borrow from to build software. HexagonalRodent publishes fake packages there, and when a developer or AI agent pulls one in, malware quietly installs alongside it. In one documented case, Claude Opus co-authored a GitHub commit that added a malicious package to a crypto trading project. The AI had no way of knowing the dependency was dangerous. It just did what coding assistants do and grabbed what looked like a useful library.

The campaign has been running for seven months across more than 60 malicious packages and 300 published versions, with no signs of slowing down. Funds from at least 13 stolen wallets were traced to a known North Korean Ethereum address.

There's an even stranger wrinkle. Charlie Eriksen at Aikido Security found that AI coding tools sometimes make up package names that don't actually exist, and attackers have started registering those fake names in advance. One made-up package "spread to 237 repositories" and "generated real download attempts," Eriksen said. The only reason it didn't become a live attack is that someone caught it in time. So AI tools are now inventing dependencies that don't exist yet, and attackers are waiting to publish them.

This also isn't a handful of rogue hackers. Expel found that HexagonalRodent is a 31-person operation split across six teams, with a workforce tracking system that logs activity by team and by member. It looks more like a corporate department than a criminal ring. "North Korean operators have long been capable social engineers, but AI is dismantling the constraints that historically limited their precision," Ari Redbord, global head of policy at TRM Labs, told Dark Reading. Language barriers, months of work building fake profiles, maintaining cover stories: AI handles all of that now.

The response is forming. CISA and Five Eyes intelligence partners released joint guidance last week urging organizations to treat AI agents as systems that "may behave unexpectedly" and plan accordingly. Cursor confirmed it blocked the accounts and IPs used in the attack. OpenAI acknowledged that a small number of accounts tied to the activity had sought assistance from its models on cybersecurity-related topics.

But the fixes so far are reactive. Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, says the real vulnerability isn't the AI models themselves. It's the space between the model and your actual systems, where agents pull code and execute tasks without much oversight. Jer Crane, founder of PocketOS, put it bluntly: "This is about an entire industry building AI-agent integrations into production infrastructure faster than it's building the safety architecture to protect it."
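One way to put a check into the gap described above, between an agent proposing a dependency and that dependency being installed, which also catches the made-up package names Eriksen describes. This is an added example, not code from Expel, Aikido or any vendor named here; the package names, registry data and 30-day threshold are constructed assumptions, with the `time.created` field modelled on npm registry package metadata.

```javascript
// Added example: review gate for dependencies that a commit introduces.
// Package names, registry data and the 30-day threshold are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Names present in `head` but not in `base`, across both dependency maps.
function addedDependencies(base, head) {
  const names = (pkg) => new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const old = names(base);
  return [...names(head)].filter((n) => !old.has(n)).sort();
}

// registry: Map of name -> { time: { created } }, fetched ahead of time.
// A name missing from the Map means the registry has no such package.
function reviewAdded(base, head, registry, now, minAgeDays = 30) {
  return addedDependencies(base, head).map((name) => {
    const meta = registry.get(name);
    if (!meta) {
      // Nothing to install today, but whoever registers the name first owns it.
      return { name, verdict: 'block', reason: 'not in registry; name may be made up' };
    }
    const ageDays = Math.floor((now - Date.parse(meta.time.created)) / DAY_MS);
    const reason = `first published ${ageDays} days ago`;
    return { name, verdict: ageDays < minAgeDays ? 'hold' : 'allow', reason };
  });
}

// Constructed sample: package.json before and after an assistant-authored commit.
const basePkg = { dependencies: { 'example-web-framework': '^4.0.0' } };
const headPkg = {
  dependencies: {
    'example-web-framework': '^4.0.0',
    'example-chart-utils': '^1.0.0',
    'example-wallet-sdk': '^0.3.1',
  },
  devDependencies: { 'example-fmt-helper': '^2.1.0' },
};
const registry = new Map([
  ['example-chart-utils', { time: { created: '2021-05-01T00:00:00.000Z' } }],
  ['example-wallet-sdk', { time: { created: '2026-03-10T00:00:00.000Z' } }],
]);
const now = Date.parse('2026-03-20T00:00:00.000Z');
const report = reviewAdded(basePkg, headPkg, registry, now);
console.log(report);
```

Package age is a triage signal only: the campaign described here has run for seven months, so an "allow" verdict still leaves the dependency subject to normal human review.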

In the Valley

The AI coding boom created a supply chain that nobody thought to secure. Developers are giving agents the ability to pull packages, run code, and push commits with barely a fraction of the oversight we'd expect from a human employee doing the same thing. North Korea was just the first state actor to exploit that at scale, and we only know about it because Expel happened to catch them. The companies building the most popular coding tools have a narrow window to treat this as the structural problem it is, because the uncomfortable question isn't how this attack happened. It's how many others are happening right now that nobody's found yet.