Malicious crypto-theft package targets Web3 developers in North Korean operation

June 12, 2025

A highly targeted supply chain attack orchestrated by a North Korean-linked advanced persistent threat (APT) group has actively targeted Web3 and decentralized finance developers. Discovered by security analysts, the operation mirrors previous state-sponsored crypto-theft campaigns attributed to the "Void Dokkaebi" actor cluster. The attackers successfully deployed a fraudulent npm package named web3-wrapper-ethers into the public registry. When developers building blockchain or cryptocurrency tools integrate this package, the underlying malware automatically scans the host machine's directory tree to locate, extract, and exfiltrate private cryptographic keys, mnemonic phrases, and web wallet session data, enabling the state-sponsored actors to orchestrate massive financial drainage operations.Web3 development organizations must run an immediate audit across all code repositories to ensure that the malicious web3-wrapper-ethers package is completely removed. Any developer workstation that interacted with the package must be isolated from corporate networks, and all private keys, smart contract deployer addresses, and administrative credentials accessed via those machines must be permanently retired and rotated to fresh, hardware-isolated environments.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?