
Unauthorized Access by North Korean Programmer Threatens Waves Protocol Security

8 hours ago

Cybersecurity Incident Involving North Korean Programmer

In a significant cybersecurity incident, a North Korean programmer has gained unauthorized access to the Keeper-Wallet source code within the Waves Protocol framework. Using an account named ‘AhegaoXXX’, this individual has been making alterations to a previously inactive codebase dating back to May 2025. Investigations reveal a connection between this account and a North Korean IT outsourcing firm, raising concerns about the potential for malicious intent.

Examination of Code Revisions

A thorough examination of the recent code revisions revealed that one update contained functionality designed to transmit wallet logs and runtime errors to an outside database, which could expose sensitive information such as mnemonic phrases and private keys. Although this specific code branch has not yet been integrated into the main codebase, the hacker still succeeded in releasing six outdated and harmful packages on NPM by assuming control over the account of a former engineer, Maxim Smolyakov.

Evolution of Cybercriminal Tactics

This alarming development indicates a strategic evolution in the methods employed by North Korean cybercriminals, moving from the typical outsourced-hacker model to individuals exerting direct control over software projects. To combat such threats, experts suggest that development teams tighten their supply chain security measures. This includes:

  • Regularly reviewing contributor permissions
  • Purging inactive accounts
  • Closely supervising any redirects in their repositories
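
Part of that contributor review can be automated against registry metadata. The following is an added example, not code from the article or from the Waves project: it scans an object shaped like an npm registry packument (a constructed sample; the package name, users and dates are hypothetical) for releases by a long-dormant publisher and for releases older than the highest version already published.

```javascript
// Constructed sample shaped like an npm registry packument (`time` and
// `versions[v]._npmUser`). Package name, users and dates are made up.
const samplePackument = {
  name: "example-wallet-lib",
  time: {
    "1.0.0": "2022-01-10T09:00:00.000Z",
    "1.1.0": "2022-03-04T10:00:00.000Z",
    "2.0.0": "2023-02-01T08:30:00.000Z",
    "1.1.1": "2025-06-02T12:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" } },
    "1.1.0": { _npmUser: { name: "alice" } },
    "2.0.0": { _npmUser: { name: "bob" } },
    "1.1.1": { _npmUser: { name: "alice" } },
  },
};
const DAY_MS = 24 * 60 * 60 * 1000;

// Compare full x.y.z versions numerically (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Flag releases that follow a long silence from the same publisher, or that
// are lower than a version already published. Review triggers, not proof.
function auditPublishes(packument, dormancyDays = 365) {
  const releases = Object.keys(packument.versions)
    .map((v) => ({ version: v, at: Date.parse(packument.time[v]),
                   user: packument.versions[v]._npmUser?.name ?? "unknown" }))
    .sort((x, y) => x.at - y.at);
  const lastSeen = new Map(); // publisher -> time of their previous release
  let highest = null;         // highest version published so far
  const findings = [];
  for (const r of releases) {
    const reasons = [];
    const prev = lastSeen.get(r.user);
    if (prev !== undefined && r.at - prev > dormancyDays * DAY_MS) reasons.push("publisher-dormant");
    if (highest && compareVersions(r.version, highest) < 0) reasons.push("older-than-latest");
    if (reasons.length) findings.push({ version: r.version, user: r.user, reasons });
    lastSeen.set(r.user, r.at);
    if (!highest || compareVersions(r.version, highest) > 0) highest = r.version;
  }
  return findings;
}
```

Legitimate backport releases on an older line will also trip the `older-than-latest` check, so findings are a prompt to confirm who published and why.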

Currently, while the overall number of software downloads affected appears limited, users of Waves who update their Keeper-Wallet remain vulnerable to possible exposure of their credentials.
