DEV Community

Mark0

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

North Korea-nexus threat actor UNC1069 successfully compromised the widely used axios NPM package in a sophisticated supply chain attack. Between March 31 and April 2026, malicious versions 1.14.1 and 0.30.4 were released containing an obfuscated dependency named plain-crypto-js. This dependency functions as a cross-platform dropper, deploying the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux environments to facilitate reconnaissance and remote command execution.

The attack exploited a compromised maintainer account to inject a postinstall hook that silently executes the malware. WAVESHAPER.V2 is an evolved Remote Access Trojan (RAT) that uses JSON-based C2 communication and supports advanced capabilities including in-memory PE injection and deep file system enumeration. Security teams are advised to audit their dependency trees, pin axios to safe versions (1.14.0 or 0.30.3 and earlier), and block known C2 infrastructure associated with the campaign.

