North Korean developer hijacks dormant Waves repository and implants code to steal credentials in wallet updates

PANews|Jun 19, 2025 09:05
According to Cryptoslate, a North Korean developer has obtained advanced permissions in the codebase of Waves Protocol's Keeper Wallet. The account "AhegaoXXX" has been pushing updates to dormant code repositories since May 2025, and it has been confirmed that the account is associated with a North Korean IT outsourcing organization. Code review found that one submission added the ability to send wallet logs and runtime errors to an external database, which may have stolen mnemonics and private keys. Although the branch was not merged, the attacker, by controlling the account of former Waves engineer Maxim Smolyakov, has released six malicious NPM packages that had not been updated for a long time.
The security report points out that this incident shows North Korean hackers have shifted from ordinary outsourcing infiltration to direct control of code repositories. It suggests that development teams strengthen supply chain protection, including auditing contributor permissions, clearing dormant accounts, and monitoring repository redirection. At present, the download volume of the affected software is relatively low, but Waves users who update Keeper Wallet face a risk of credential leakage.