Attack chain diagram | Image: TRU
eSentire's Threat Response Unit (TRU) recently uncovered a sophisticated campaign involving a Remote Access Trojan (RAT) dubbed DEV#POPPER. Detected in February 2026, this malware has been attributed with high confidence to a North Korean state-sponsored APT group.
The group appears to be primarily motivated by financial gain, as the malware “aggressively targets cryptocurrency wallets”. However, their tactics suggest a deeper objective: supply chain compromise. By stealing source code credentials, API keys, and cloud infrastructure access tokens, these actors are positioning themselves to infiltrate much larger networks.
The attack begins on familiar ground for any coder: GitHub. Victims are lured into cloning a repository named “ShoeVista,” which is disguised as a harmless eCommerce platform for shoes.
The trap is sprung the moment a developer launches the frontend application. This action triggers a hidden script buried within tailwind.config.js, a file common in modern web development. To remain undetected, the attackers used a clever trick: “The last line in this file begins with a large amount of whitespace to hide highly obfuscated code”.
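As an added, defender-side illustration (not eSentire's code and not its DEV#STOPPER.js tool), the scanner below flags lines in a JavaScript config file that hide code behind a long run of leading whitespace, the concealment trick described above. The thresholds, the token list and the sample tailwind.config.js content are assumptions constructed for this example.

```javascript
// Crude indicators of obfuscated code on a hidden line (assumed list, not from the report).
const SUSPICIOUS_TOKENS = /\b(eval|Function|require|child_process|fetch|atob|unescape)\b|\\x[0-9a-f]{2}/i;

// Return one finding per line whose visible code starts after an unusually
// long run of whitespace. Thresholds are assumptions: no sane indent is 120
// columns, and very short bodies are ignored to skip near-blank lines.
function scanForHiddenCode(source, opts = {}) {
  const minLeading = opts.minLeading ?? 120;
  const minCodeLen = opts.minCodeLen ?? 40;
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const body = line.trimStart();
    const leading = line.length - body.length;
    if (leading < minLeading || body.length < minCodeLen) return;
    // Share of non-alphanumeric characters: obfuscated code tends to be symbol-heavy.
    const symbolRatio = body.replace(/[A-Za-z0-9\s]/g, '').length / body.length;
    findings.push({
      line: i + 1,
      leadingWhitespace: leading,
      bodyLength: body.length,
      hasSuspiciousToken: SUSPICIOUS_TOKENS.test(body),
      symbolRatio: Number(symbolRatio.toFixed(2)),
    });
  });
  return findings;
}

// Constructed sample: an ordinary tailwind.config.js whose last line pads
// 600 spaces before a small obfuscated blob (harmless placeholder content).
const SAMPLE_CONFIG =
  "module.exports = {\n" +
  "  content: ['./src/**/*.{js,jsx}'],\n" +
  "  theme: { extend: {} },\n" +
  "  plugins: [],\n" +
  "};\n" +
  " ".repeat(600) +
  "(function(){var _0x1a=['\\x68\\x74\\x74\\x70'];eval(atob('Ly8gY29uc3RydWN0ZWQ='));})();\n";

for (const h of scanForHiddenCode(SAMPLE_CONFIG)) {
  console.log(`line ${h.line}: ${h.leadingWhitespace} leading spaces, ` +
    `${h.bodyLength} chars, suspicious token=${h.hasSuspiciousToken}, symbols=${h.symbolRatio}`);
}
```

In practice the same function can be run over every `*.config.js` in a freshly cloned repository before the project is started, since the payload only fires once the frontend is launched.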
Once active, the malware doesn’t just download a payload from a standard server. Instead, it leverages the permanence of blockchain networks.
The attack chain progresses through several high-stakes stages:
- Blockchain Retrieval: DEV#POPPER’s source code is actually “retrieved from blockchain transaction input data, decrypted, and then executed”.
- OmniStealer Deployment: Parallel to the RAT, the script deploys OmniStealer, a Python-based information stealer.
- Cross-Platform Reach: While most victims were found on macOS, the malware is a triple threat, supporting Windows and Linux as well.
The TRU analysis revealed that DEV#POPPER is designed to be a “nightmare” for security researchers. It employs several anti-analysis techniques, including “catastrophic backtracking” which can hang a debugger indefinitely.
The malware also performs a rigorous environmental check. If it detects it is running on a cloud provider like AWS or Azure, a CI/CD runner like GitHub Actions, or even a security tool like Kali Linux, it will terminate execution to avoid being caught in a sandbox.
For those who do fall victim, persistence is achieved by “injecting code into several applications that make use of Node.js,” including Visual Studio Code, Discord, and GitHub Desktop.
The sheer volume of targeted data is staggering. OmniStealer alone targets:
- Browser Data: Passwords, history, and credit cards from Chrome, Edge, and Firefox.
- Crypto Wallets: Over 50 different extensions and desktop apps, including MetaMask, Phantom, and Coinbase Wallet.
- Cloud Storage: Directories for iCloud, OneDrive, Dropbox, and MEGA.
- Developer Tools: Git credentials and VS Code extension storage.
All harvested data is bundled into a password-protected ZIP and exfiltrated to a C2 server, or, as a backup, sent directly to the attackers via Telegram.
To help the community fight back, eSentire has introduced a specialized tool called “DEV#STOPPER.js”. This tool allows researchers to automate the deobfuscation of these complex stagers.
For developers, the message is clear: be extremely cautious when cloning repositories from unknown or unverified sources, even if they look like legitimate projects. Regional environment variables, often used to store sensitive keys, are a primary target for exfiltration in this campaign.