North Korean Hacker Infiltrates Dormant Waves Repos, Plants Malicious Code in Wallet Updates
North Korean cyber operatives just pulled off a crypto heist without touching a single blockchain: old-school repo hijacking meets next-gen credential theft.
How it went down: Attackers resurrected abandoned Waves GitHub repositories, pushing 'updates' laced with info-stealing payloads. No fancy zero-days needed, just exploit maintainer neglect and user trust.
Why it matters: While traders obsess over price charts, the real vulnerabilities keep lurking in dependency chains. Another reminder that in crypto, your keys might be safe... until your wallet software betrays you.
The cynical take: At least this hacker didn't rugpull investors, just stole their credentials the old-fashioned way. Progress?
Suspicious code changes
The report also mentioned one commit inside "Keeper-Wallet/Keeper-Wallet-Extension" that adds a function exporting wallet logs and runtime errors to an external database.
The modified routine captures mnemonic phrases and private keys before transmission, raising the likelihood of credential exfiltration. The branch remains unmerged, but its presence indicates an intent to include the code in a production release.
The NPM registry records reflect related activity. Versions of "@waves/provider-keeper," "@waves/waves-transactions," and four other packages suddenly advanced after two years of dormancy.
Each publication lists "msmolyakov-waves" as a maintainer. GitHub history shows that the account belonged to former Waves engineer Maxim Smolyakov and exhibited no activity since 2023 until it approved a pull request from "AhegaoXXX" and triggered a new NPM release in under four minutes.
The report assessed that the engineer's credentials now fall under DPRK control, providing the attacker with a second trusted path to distribute malicious builds.
Supply-chain exposure and countermeasures
The shift from isolated freelancing to direct repository control marks what the report called an "unusual cross-over" between ordinary DPRK contract work and an overt hacking campaign.
Download counts for affected packages remain low, but any Waves user who installs or updates Keeper-Wallet risks importing code that forwards secret phrases to a hostile server.
The publication advised development teams to tighten supply-chain defenses, including auditing contributor privileges, removing inactive members from GitHub organizations, tracking who can trigger package releases, and monitoring repository redirects across ecosystems such as npm and Docker.
Lastly, the firm encouraged regular reviews of publisher e-mail domains to detect dormant accounts that could approve rogue updates.
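As an added example (not part of the report or the Waves project), the following Python checks a package's npm registry metadata for the two signals the report describes: releases that resume after a long gap, and maintainers whose e-mail domain falls outside the organization's allowlist. The package name comes from the article; the timestamps, maintainer name and domains are constructed.

```python
"""Flag npm packages that resume publishing after long dormancy.

Added example, not from the report or the Waves project. The document
shape (`time`, `maintainers`) follows the public npm registry metadata
format; the dates, maintainer name and e-mail domains are constructed.
"""
from datetime import datetime, timedelta

DORMANCY = timedelta(days=365)  # a release after a gap this long is suspicious

# Constructed sample, shaped like `GET https://registry.npmjs.org/<pkg>`.
SAMPLE_REGISTRY_DOC = {
    "name": "@waves/provider-keeper",
    "time": {
        "created": "2021-03-01T10:00:00.000Z",
        "modified": "2025-10-20T12:04:00.000Z",
        "1.0.0": "2021-03-01T10:00:00.000Z",
        "1.0.1": "2021-04-15T10:30:00.000Z",  # routine follow-up release
        "1.0.2": "2023-05-10T11:00:00.000Z",  # resumes after two years
        "1.0.3": "2025-10-20T12:04:00.000Z",  # resumes again after two years
    },
    "maintainers": [
        {"name": "former-engineer-example", "email": "user@example.invalid"},
    ],
}

def parse_iso(ts):
    """Parse the registry's millisecond UTC timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def dormant_resumptions(doc, threshold=DORMANCY):
    """Return (version, gap_days) for each release preceded by a gap > threshold."""
    releases = sorted(
        (parse_iso(ts), v) for v, ts in doc["time"].items()
        if v not in ("created", "modified")
    )
    flagged = []
    for (prev_ts, _), (ts, version) in zip(releases, releases[1:]):
        gap = ts - prev_ts
        if gap > threshold:
            flagged.append((version, gap.days))
    return flagged

def unexpected_publishers(doc, allowed_domains):
    """Return maintainer names whose e-mail domain is not on the org allowlist."""
    return [m["name"] for m in doc["maintainers"]
            if m["email"].rsplit("@", 1)[-1].lower() not in allowed_domains]

if __name__ == "__main__":
    print(dormant_resumptions(SAMPLE_REGISTRY_DOC))
    print(unexpected_publishers(SAMPLE_REGISTRY_DOC, {"waves.example"}))
```

Running this against live registry documents for every package an organization publishes turns the report's two manual observations into a scheduled check.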