
UNC1069
North Korea-nexus threat actor tracked by Mandiant and GTIG; known for developer-toolchain supply-chain attacks.
Last refreshed: 8 May 2026 · Appears in 1 active topic
If Axios can be poisoned via one phished developer, which npm package is next?
Timeline for UNC1069
Mentioned in: GTIG names the first LLM-written working zero-day
Cybersecurity: Threats and DefencesDistributed WAVESHAPER.V2 in @shadanai/openclaw and @qqbrowser/openclaw-qbot beyond the initial Axios compromise
Cybersecurity: Threats and Defences: UNC1069 expands the npm WAVESHAPER supply chainphished Axios npm maintainer to plant WAVESHAPER.V2 backdoor
Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishingWhat is UNC1069 and who tracks it?
How did UNC1069 compromise the Axios npm package?
What is the WAVESHAPER backdoor and what does it do?
Background
On 31 March 2026, UNC1069 phished an npm maintainer for the Axios HTTP library and injected the WAVESHAPER.V2 backdoor into versions v1.14.1 and v0.30.4, packages downloaded more than 100 million and 83 million times weekly respectively. Mandiant and the Google Threat Intelligence Group (GTIG) disclosed the compromise on 5 May 2026, confirming Axios as the highest-download package yet compromised by a North Korea-nexus actor.
UNC1069 is one of several North Korea-nexus clusters tracked by Mandiant and GTIG alongside UNC4736, UNC2970, and UNC3661. North Korean-affiliated actors have conducted developer-toolchain supply-chain attacks since at least 2022, targeting npm, PyPI, and OpenVSX repositories primarily for revenue generation through Cryptocurrency theft. What distinguishes UNC1069's Axios campaign is the tradecraft escalation: rather than pushing malicious packages under new names, the group targeted a legitimate, trusted maintainer via phishing to inject malware into an established dependency, bypassing the scrutiny applied to unfamiliar packages.
The scale of the Axios compromise prompted a US-ROK policy response. The Center for Strategic and International Studies published a paper two days later calling for operational cyber-alliance posture between Washington and Seoul to address North Korea-nexus supply-chain threats. The incident sets a 2026 threshold for npm registry security: if a package with 100 million weekly downloads is not immune to this tradecraft, no widely-used open-source dependency can be assumed SAFE without maintainer-identity verification.