
WAVESHAPER.V2
Cross-platform backdoor planted by North Korea's UNC1069 in the Axios npm package in March 2026.
Last refreshed: 8 May 2026
Timeline for WAVESHAPER.V2
Planted in Axios v1.14.1 and v0.30.4 as malicious dependency plain-crypto-js
UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
- Am I affected by the Axios npm backdoor WAVESHAPER.V2?
- Organisations that installed or ran builds using Axios v1.14.1 or v0.30.4 between 00:21 and 03:20 UTC on 31 March 2026 should treat their environments as potentially compromised. Check package lock files for those exact versions and audit for the plain-crypto-js dependency. Source: GTIG / Mandiant
- How did North Korea get into the Axios npm package?
- UNC1069, a North Korea-nexus threat actor, phished an Axios package maintainer to gain publishing credentials, then introduced the malicious plain-crypto-js dependency into two popular Axios versions. Source: GTIG / Mandiant
- What does WAVESHAPER.V2 do once installed?
- WAVESHAPER.V2 is a cross-platform backdoor providing persistent remote access. It targets Windows, macOS, and Linux environments, enabling credential theft and follow-on operations typical of North Korean intelligence collection. Source: GTIG / Mandiant
- How quickly was the Axios npm backdoor discovered?
- The injection occurred on 31 March 2026; Google Threat Intelligence Group and Mandiant disclosed it publicly on 5 May — a 35-day gap. The 2-hour 59-minute injection window itself was narrow, but detection took over a month. Source: GTIG / Mandiant
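The lock-file check recommended above, as an added example that is not code from the original page or from GTIG / Mandiant: a small Node script that walks an npm lockfile and flags the two Axios releases the advisory names (1.14.1 and 0.30.4) and any occurrence of the plain-crypto-js dependency, including copies nested under other libraries. It handles both lockfile v1 (nested "dependencies" tree) and v2/v3 (flat "packages" map). The sample lockfiles embedded at the bottom are constructed for the demonstration, and the plain-crypto-js version string in them is a placeholder because the advisory does not state one.

```javascript
// Added example, not code from the original page or from GTIG / Mandiant.
// Scans an npm lockfile object for the two Axios releases the advisory names
// and for the plain-crypto-js dependency anywhere in the resolved tree.
// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages").

const AFFECTED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']); // from the advisory
const MALICIOUS_PACKAGE = 'plain-crypto-js';                    // from the advisory

// Returns a human-readable reason if (name, version) is an indicator, else null.
function classify(name, version) {
  if (name === MALICIOUS_PACKAGE) {
    return `malicious dependency ${MALICIOUS_PACKAGE} is present`;
  }
  if (name === 'axios' && AFFECTED_AXIOS_VERSIONS.has(version)) {
    return `axios ${version} is a compromised release`;
  }
  return null;
}

// Lockfile v2/v3: "packages" is a flat map keyed by install path
// ("node_modules/axios", "node_modules/a/node_modules/axios", "" for the root).
function scanPackagesMap(packages) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '') continue; // the project itself
    const idx = installPath.lastIndexOf(marker);
    // Workspace links live outside node_modules and carry an explicit name.
    const name = meta.name || (idx === -1 ? installPath : installPath.slice(idx + marker.length));
    const reason = classify(name, meta.version);
    if (reason) findings.push({ path: installPath, name, version: meta.version, reason });
  }
  return findings;
}

// Lockfile v1: "dependencies" is a nested tree; recurse so that a compromised
// Axios pulled in transitively by another library is not missed.
function scanDependencyTree(deps, parentPath, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = `${parentPath}node_modules/${name}`;
    const reason = classify(name, meta.version);
    if (reason) findings.push({ path: installPath, name, version: meta.version, reason });
    scanDependencyTree(meta.dependencies, `${installPath}/`, findings);
  }
  return findings;
}

// Entry point: returns an array of findings (empty array means no indicator found).
function scanLockfile(lock) {
  if (lock.packages) return scanPackagesMap(lock.packages); // v2 / v3
  return scanDependencyTree(lock.dependencies, '', []);     // v1
}

function isAffected(lock) {
  return scanLockfile(lock).length > 0;
}

// Constructed sample lockfiles (not real project data). The plain-crypto-js
// version string is a placeholder; the advisory does not state one.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
    'node_modules/legacy-lib': { version: '4.2.0', dependencies: { axios: '^0.29.0' } },
    'node_modules/legacy-lib/node_modules/axios': { version: '0.29.0' }, // clean nested copy
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.13.0' }, // clean top-level copy
    'some-sdk': { version: '2.3.0', dependencies: { axios: { version: '0.30.4' } } }, // nested hit
  },
};

// Run against a real lockfile: node scan-lock.js path/to/package-lock.json
// (exit code 1 when any indicator is found, so it can gate a CI job).
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const findings = scanLockfile(lock);
  for (const f of findings) console.log(`${f.path}: ${f.reason}`);
  process.exitCode = findings.length > 0 ? 1 : 0;
}
```

A lockfile only records what was resolved at the time it was written, so this check covers projects that commit their lockfile. Builds that ran `npm install` from a floating range during the window without committing a lockfile will not show the pinned version; for those, the installed node_modules tree, CI logs and registry proxy logs from 31 March 2026 are the places to look, and the same name/version match applies there.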
Background
WAVESHAPER.V2 is a cross-platform backdoor for Windows, macOS, and Linux, deployed by the North Korea-nexus threat actor UNC1069 via a supply-chain attack on the widely used Axios JavaScript HTTP library. On 31 March 2026, between 00:21 and 03:20 UTC, UNC1069 introduced the malicious dependency `plain-crypto-js` into Axios versions v1.14.1 and v0.30.4 after compromising a package maintainer through a targeted phishing campaign. Axios v1.14.1 and v0.30.4 see roughly 100 million and 83 million weekly downloads respectively.
WAVESHAPER.V2 is the second-generation iteration of a backdoor family attributed to UNC1069, indicating a sustained development programme. The implant is designed to provide persistent remote access, exfiltrate credentials, and enable follow-on operations. Its cross-platform design maximises coverage across the diverse CI/CD and developer environments that consume npm packages.
The attack exploits trust in open-source supply chains: organisations that automatically update npm dependencies or run Axios-consuming builds during the 2-hour 59-minute injection window may have deployed the backdoor without any direct attacker interaction. Google Threat Intelligence Group and Mandiant disclosed the compromise publicly on 5 May 2026, leaving a 35-day gap between injection and public disclosure.