A North Korean developer gained elevated privileges within the Waves Protocol’s Keeper-Wallet codebase, enabling the injection of credential-stealing code into wallet updates. This malicious code was designed to capture users' mnemonic phrases and private keys, posing a serious security threat to Waves users.
The attacker exploited dormant repositories and compromised credentials of a former Waves engineer, distributing malicious builds through package releases on the Node Package Manager (NPM). Notably, these repositories had been inactive since August 2023, yet updates resumed starting May 2025 under suspicious circumstances.
Repository analytics revealed that the attacker’s account could open branches, create releases, and publish directly to NPM, effectively controlling the organization’s codebase. The account “AhegaoXXX” was linked to DPRK IT contracting groups, marking a shift from previous freelance infiltration tactics to direct repository control, which significantly heightens supply-chain risks.
One particular code change added functionality to export wallet logs and runtime errors to an external database, capturing mnemonic phrases and private keys before transmission. Though this code remained unmerged, its presence indicates intent to include harmful features in future production releases.
The compromised NPM packages—such as “@waves/provider-keeper” and “@waves/waves-transactions”—saw sudden activity after a two-year dormancy, with package releases triggered in rapid succession. Maintainer accounts linked to former Waves engineer Maxim Smolyakov had been dormant before approving these malicious updates, suggesting his credentials were hijacked by the attacker.
This case exemplifies a dangerous evolution in DPRK cyber operations, moving from isolated freelance work to direct control of repositories, thereby introducing persistent supply-chain vulnerabilities. The report advises stringent security measures including auditing contributor privileges, removing inactive members, closely monitoring package release triggers, and reviewing publisher email domains to detect compromised accounts.
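Two of the signals described above, a multi-year dormancy ending in a rapid burst of releases and publisher accounts whose e-mail domain does not belong to the organisation, can be checked directly against a package's npm registry metadata. The following is an added example, not code from the report or from Waves; the registry document is constructed and the allow-list domain is a placeholder.

```javascript
// Added example, not code from the report: flag an npm package whose release history
// shows long dormancy followed by a burst of releases, and list maintainers whose
// e-mail domain is off an allow-list. Document shape follows the public npm registry
// (`time`: version -> ISO date, `maintainers`: [{name, email}]); sample data is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed sample: one release in 2023-08, then three within 30 minutes in 2025-05.
const SAMPLE_DOC = {
  name: "@example/sample-package",
  time: {
    "1.4.0": "2023-08-14T09:12:00.000Z",
    "1.4.1": "2025-05-02T08:10:00.000Z",
    "1.4.2": "2025-05-02T08:25:00.000Z",
    "1.4.3": "2025-05-02T08:40:00.000Z",
  },
  maintainers: [
    { name: "legacy-maintainer", email: "dev@example.com" },
    { name: "new-publisher", email: "someone@mail.example.net" },
  ],
};
// Version releases sorted by date; `created`/`modified` are metadata keys, not versions.
function releaseTimeline(doc) {
  return Object.entries(doc.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, at: new Date(iso).getTime() }))
    .sort((a, b) => a.at - b.at);
}
// Report each gap of >= dormantDays followed by >= burstCount releases within burstWindowHours.
function findDormancyBurst(doc, { dormantDays = 365, burstCount = 3, burstWindowHours = 24 } = {}) {
  const rel = releaseTimeline(doc);
  const findings = [];
  for (let i = 1; i < rel.length; i++) {
    const gapDays = (rel[i].at - rel[i - 1].at) / DAY_MS;
    if (gapDays < dormantDays) continue;
    const windowEnd = rel[i].at + burstWindowHours * 3600 * 1000;
    const burst = rel.slice(i).filter((r) => r.at <= windowEnd);
    if (burst.length >= burstCount) {
      findings.push({ resumedAt: new Date(rel[i].at).toISOString(), gapDays: Math.round(gapDays),
                      versions: burst.map((r) => r.version) });
    }
  }
  return findings;
}
// Maintainers whose e-mail domain is not on the allow-list (compared case-insensitively).
function unexpectedPublishers(doc, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return doc.maintainers
    .filter((m) => !allowed.has(m.email.split("@").pop().toLowerCase()))
    .map((m) => m.name);
}
console.log(JSON.stringify(findDormancyBurst(SAMPLE_DOC)), unexpectedPublishers(SAMPLE_DOC, ["example.com"]));
```

Against a real package, the same two functions run over the JSON returned for the package from the registry, with the allow-list set to the organisation's own domains.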
Waves users who update or install Keeper-Wallet risk unknowingly importing malicious code that exfiltrates sensitive credentials to hostile entities. The incident underscores the need for robust supply-chain security practices in blockchain development environments to safeguard user assets and maintain trust.