North Korean developers hijack dormant Waves repository, plant credential-stealing code in wallet update

PANews reported on June 19 that according to Cryptoslate, a North Korean developer has obtained advanced permissions in the Keeper-Wallet code base of Waves Protocol. The account "AhegaoXXX" has pushed updates to the dormant code base since May 2025. The account has been confirmed to be associated with North Korea's IT outsourcing organization. Code review found that a commit added the function of sending wallet logs and runtime errors to an external database, which may steal mnemonics and private keys. Although the branch has not been merged, the attacker has released six malicious NPM packages that have not been updated for a long time by controlling the account of former Waves engineer Maxim Smolyakov.

The security report pointed out that this incident shows that North Korean hackers have shifted from ordinary outsourcing infiltration to direct control of code bases. It is recommended that the development team strengthen supply chain protection, including auditing contributor permissions, cleaning dormant accounts, and monitoring repository redirection. Currently, the download volume of the affected software is low, but Waves users who update Keeper-Wallet are at risk of credential leakage.