A North Korean developer gained elevated privileges inside Waves Protocol’s Keeper-Wallet codebase, according to a June 18 report by Ketman.
The report highlighted routine scans for Democratic People’s Republic of Korea (DPRK) activity on GitHub, which uncovered the account “AhegaoXXX” pushing updates to Keeper-Wallet.
The wallet’s repositories showed no legitimate commits after August 2023, yet they received multiple dependency bumps beginning in May 2025.
Repository analytics indicated that the user can open branches, create releases, and publish to the Node Package Manager (NPM) registry, giving the operator complete control over the organization.
The report then linked “AhegaoXXX” to contracting rings of DPRK IT workers, which had previously used freelance channels to infiltrate software projects.
The account’s reach extended beyond simple maintenance. Redirect rules inside the main Waves Protocol namespace now point to identical packages inside the newly active Keeper-Wallet namespace, suggesting an insider moved code from the core organization to the wallet project.
Suspicious code changes
The report also mentioned one commit inside “Keeper-Wallet/Keeper-Wallet-Extension” that adds a function exporting wallet logs and runtime errors to an external database.
The modified routine captures mnemonic phrases and private keys before transmission, raising the likelihood of credential exfiltration. The branch remains unmerged, but its presence indicates an intent to include the code in a production release.
The NPM registry records reflect related activity. Versions of “@waves/provider-keeper,” “@waves/waves-transactions,” and four other packages suddenly advanced after two years of dormancy.
Each publication lists “msmolyakov-waves” as a maintainer. GitHub history shows that the account belonged to former Waves engineer Maxim Smolyakov and exhibited no activity since 2023 until it approved a pull request from “AhegaoXXX” and triggered a new NPM release in under four minutes.
The report assessed that the engineer’s credentials now fall under DPRK control, providing the attacker with a second trusted path to distribute malicious builds.
Supply-chain exposure and countermeasures
The shift from isolated freelancing to direct repository control marks what the report called an “unusual cross-over” between ordinary DPRK contract work and an overt hacking campaign.
Download counts for affected packages remain low, but any Waves user who installs or updates Keeper-Wallet risks importing code that forwards secret phrases to a hostile server.
The publication advised development teams to tighten supply-chain defenses, including audit contributor privileges, removing inactive members from GitHub organizations, tracking who can trigger package releases, and monitoring repository redirects across ecosystems such as npm and Docker.
Lastly, the firm encouraged regular reviews of publisher e-mail domains to detect dormant accounts that could approve rogue updates.
