
UNC1069
North Korea-nexus threat actor tracked by Mandiant and GTIG; known for developer-toolchain supply-chain attacks.
Last refreshed: 8 May 2026
If Axios can be poisoned via one phished developer, which npm package is next?
Timeline for UNC1069
phished Axios npm maintainer to plant WAVESHAPER.V2 backdoor
Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
- What is UNC1069 and who tracks it?
- UNC1069 is a North Korea-nexus threat cluster tracked by Mandiant and Google's Threat Intelligence Group (GTIG). It is one of several NK-affiliated groups conducting developer-toolchain supply-chain attacks, distinguished by its May 2026 compromise of the Axios npm package via maintainer phishing. Source: Mandiant / GTIG
- How did UNC1069 compromise the Axios npm package?
- UNC1069 phished an Axios maintainer on 31 March 2026 and used the compromised account to inject the WAVESHAPER.V2 backdoor into Axios versions v1.14.1 and v0.30.4. The approach targeted the human rather than the codebase, bypassing automated security checks on the package itself. Source: Mandiant / GTIG
- What is the WAVESHAPER backdoor and what does it do?
- WAVESHAPER.V2 is a backdoor implant injected by UNC1069 into the Axios npm library in March 2026. As a supply-chain implant in a package with 100 million+ weekly downloads, it would execute in any Node.js environment that installed the compromised version, enabling remote access or data exfiltration at scale. Source: Mandiant / GTIG
- Why do North Korean hackers target npm and open-source packages?
- North Korea-nexus actors have used npm, PyPI, and OpenVSX poisoning since at least 2022, primarily for revenue generation through cryptocurrency theft. Developer toolchains provide access to wallets, CI/CD credentials, and private keys. The Axios campaign's scale represents an escalation from niche packages to top-tier dependencies. Source: Bloomberg / Recorded Future / Mandiant
- What did Mandiant say about UNC1069's attribution to North Korea?
- Mandiant and GTIG publicly attributed the Axios compromise to UNC1069 on 5 May 2026, placing it within the cluster of North Korea-nexus groups they track, including UNC4736 (a Lazarus subgroup), UNC2970, and UNC3661. Mandiant uses the UNC designation for uncategorised threat clusters pending full attribution. Source: Mandiant / GTIG
Background
On 31 March 2026, UNC1069 phished an npm maintainer for the Axios HTTP library and injected the WAVESHAPER.V2 backdoor into versions v1.14.1 and v0.30.4, packages downloaded more than 100 million and 83 million times weekly respectively. Mandiant and the Google Threat Intelligence Group (GTIG) disclosed the compromise on 5 May 2026, confirming Axios as the highest-download package yet compromised by a North Korea-nexus actor.
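A first response step for any team consuming Axios is to find out whether a pinned install of the two affected versions exists anywhere in a dependency tree, including nested copies pulled in by other libraries. The following Node.js script is an added example written for this page (it is not Mandiant/GTIG tooling and not Axios project code): it walks a package-lock.json in either the flat lockfileVersion 2/3 layout or the recursive lockfileVersion 1 layout and reports every entry pinning v1.14.1 or v0.30.4, the only versions the page names. The embedded lockfiles are constructed sample data; the library names some-lib and other-lib and the Axios version 1.13.0 are placeholders, not packages or versions the page mentions.

```javascript
// Added example for this page (not Mandiant/GTIG tooling, not Axios project
// code): flag lockfile entries that pin the Axios versions named as
// compromised. Only the two versions from the disclosure are listed here.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Package name from an install path such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// lockfileVersion 2/3: flat "packages" map keyed by install path. Nested
// duplicates appear as deeper paths, so every installed copy is visited.
function scanPackagesMap(packages, hits) {
  for (const [installPath, entry] of Object.entries(packages)) {
    if (installPath === "") continue; // the root project itself
    const name = entry.name || nameFromPath(installPath);
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path: installPath });
    }
  }
}

// lockfileVersion 1: recursive "dependencies" tree.
function scanDependencyTree(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const installPath = `${parentPath}node_modules/${name}`;
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path: installPath });
    }
    scanDependencyTree(entry.dependencies, `${installPath}/`, hits);
  }
}

// Returns every compromised install found, in lockfile order.
function findCompromised(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // v2 files carry both "packages" and "dependencies"; use one to avoid double counting.
    scanPackagesMap(lockfile.packages, hits);
  } else {
    scanDependencyTree(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Convenience wrapper for raw file contents, e.g. fs.readFileSync(path, "utf8").
function findCompromisedInText(lockfileText) {
  return findCompromised(JSON.parse(lockfileText));
}

// Constructed sample lockfile (not a real project). "some-lib", "other-lib"
// and axios 1.13.0 are placeholders; only 1.14.1 and 0.30.4 come from the page.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.13.0" },
    "node_modules/other-lib": { version: "3.1.0" },
    "node_modules/other-lib/node_modules/axios": { version: "0.30.4" },
  },
};

// Constructed lockfileVersion 1 sample with the compromised copy nested one level down.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": {
      version: "2.0.0",
      dependencies: { axios: { version: "0.30.4" } },
    },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK_V3)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Running this against the v3 sample reports the top-level axios@1.14.1 and the nested axios@0.30.4 under other-lib, while the placeholder 1.13.0 copy is left alone. Checking the lockfile rather than package.json matters here: a caret range in package.json says nothing about which exact version was actually installed, and the nested copies are where a single affected version tends to survive an otherwise clean top-level upgrade.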
UNC1069 is one of several North Korea-nexus clusters tracked by Mandiant and GTIG alongside UNC4736, UNC2970, and UNC3661. North Korean-affiliated actors have conducted developer-toolchain supply-chain attacks since at least 2022, targeting npm, PyPI, and OpenVSX repositories primarily for revenue generation through cryptocurrency theft. What distinguishes UNC1069's Axios campaign is the tradecraft escalation: rather than pushing malicious packages under new names, the group targeted a legitimate, trusted maintainer via phishing to inject malware into an established dependency, bypassing the scrutiny applied to unfamiliar packages.
The scale of the Axios compromise prompted a US-ROK policy response. The Center for Strategic and International Studies published a paper two days later calling for an operational cyber-alliance posture between Washington and Seoul to address North Korea-nexus supply-chain threats. The incident sets a 2026 threshold for npm registry security: if a package with 100 million weekly downloads is not immune to this tradecraft, no widely used open-source dependency can be assumed safe without maintainer-identity verification.