
Plain-Crypto-Js
Malicious npm package injected by UNC1069 into Axios, carrying the WAVESHAPER.V2 backdoor.
Last refreshed: 8 May 2026
Timeline for plain-crypto-js
Introduced into Axios versions v1.14.1 and v0.30.4 as the delivery vehicle for WAVESHAPER.V2
Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
- What is the plain-crypto-js malicious npm package?
- plain-crypto-js is a malicious npm package published by threat actor UNC1069 and injected into Axios versions 1.14.1 and 0.30.4 via a compromised maintainer account. When installed, it deploys the WAVESHAPER.V2 backdoor on the victim's system.
- How was Axios compromised in 2026?
- UNC1069 phished the Axios npm maintainer's account, then published malicious versions (1.14.1 and 0.30.4) that included plain-crypto-js as a dependency. This package installed the WAVESHAPER.V2 backdoor on any system that installed the affected Axios versions.
- How do malicious npm packages get into popular libraries?
- Attackers typically compromise a maintainer's npm account (via phishing or credential theft), publish a backdoored version of the package, or create a malicious package with a convincing name. In the Axios attack, UNC1069 phished the maintainer and injected plain-crypto-js as a hidden dependency.
Background
`plain-crypto-js` is a malicious npm package created and published by UNC1069 as part of a supply-chain attack targeting the npm ecosystem. The package was injected as a dependency into the Axios HTTP client library — one of the most widely used JavaScript/Node.js packages globally — by compromising the Axios maintainer's npm account via a phishing campaign. The malicious dependency was present in Axios versions 1.14.1 and 0.30.4. When developers or automated build pipelines installed these Axios versions, `plain-crypto-js` was also installed and executed, deploying the WAVESHAPER.V2 backdoor onto the developer's machine or CI/CD environment.
The package name `plain-crypto-js` was chosen to appear as a plausible cryptographic utility dependency — a common category of npm package — reducing the chance that a developer reviewing a lock-file diff would flag it as suspicious. This typosquatting-adjacent naming is a standard technique in npm supply-chain attacks, alongside dependency confusion and maintainer account compromise.
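As an added example, not part of the original page: a Node.js check that audits a `package-lock.json` (lockfileVersion 2/3) for the two indicators the text names, the `plain-crypto-js` dependency and the affected Axios releases, and reports which package pulled the dependency in. The lockfile fragment and the `plain-crypto-js` version number below are constructed for illustration.

```javascript
// Added example: scan an npm lockfile's "packages" map for a known-bad
// dependency and for known-compromised releases of a trusted package.
// Package names and Axios versions come from the page; the lockfile is constructed.
const BAD_PACKAGES = new Set(["plain-crypto-js"]);
const BAD_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };

// Lockfile keys are install paths; the package name is the last
// "node_modules/" segment (nested installs repeat the prefix).
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns findings with the offending package, version, lockfile path and,
// for an injected dependency, the parents whose "dependencies" declare it.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    const version = entry.version;
    if (BAD_PACKAGES.has(name)) {
      const parents = Object.entries(packages)
        .filter(([, e]) => e.dependencies && name in e.dependencies)
        .map(([p]) => (p === "" ? "<root>" : packageName(p)));
      findings.push({ rule: "malicious-package", name, version, path, parents });
    }
    if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(version)) {
      findings.push({ rule: "compromised-release", name, version, path, parents: [] });
    }
  }
  return findings;
}

// Constructed lockfile modelled on the incident: axios 1.14.1 pulling in plain-crypto-js.
// The plain-crypto-js version "1.0.0" is a placeholder, not a real observed value.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const via = f.parents.length ? ` pulled in by: ${f.parents.join(", ")}` : "";
  console.log(`[${f.rule}] ${f.name}@${f.version} (${f.path})${via}`);
}
```

Run against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a lockfile diff that introduces a new transitive dependency under a patch-level bump of a trusted package is the signal worth reviewing.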
The incident is part of a persistent pattern of UNC1069 activity targeting software development infrastructure. Developer endpoints and CI/CD systems are high-value targets: compromising them gives threat actors access to source code, secrets stored in environment variables, cloud credentials used for deployment, and — through automated build pipelines — potentially the production artefacts themselves.