On June 19, Coin World reported, according to Cryptoslate, that a North Korean developer gained elevated access to the Keeper-Wallet code repository of Waves Protocol. The account 'AhegaoXXX' has been pushing updates to the dormant codebase since May 2025, and this account has been confirmed to be linked to a North Korean IT outsourcing organization. Code reviews revealed that one submission added functionality to send wallet logs and runtime errors to an external database, potentially stealing mnemonic phrases and private keys. Although this branch has not been merged, the attacker has released six long-neglected malicious NPM packages by controlling the account of former Waves engineer Maxim Smolyakov.
The security report indicates that this incident shows North Korean hackers have shifted from ordinary outsourcing infiltration to direct control of code repositories. It is recommended that development teams strengthen supply chain protection, including auditing contributor permissions, cleaning up dormant accounts, and monitoring repository redirects. Currently, the download volume of affected software is low, but there is a risk of credential leakage for Waves users updating Keeper-Wallet.