Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing

3 min read
08:46UTC

Google Threat Intelligence Group and Mandiant disclosed on 5 May that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer on 31 March, planting the WAVESHAPER.V2 backdoor in two versions with a combined 183 million weekly downloads.

TechnologyDeveloping
Key takeaway

UNC1069 phished the Axios maintainer rather than the package, bypassing every signature control npm has.

Google Threat Intelligence Group (GTIG) and Mandiant disclosed on 5 May that North Korea-nexus actor UNC1069 phished a maintainer of the axios npm package and introduced a malicious dependency, `plain-crypto-js`, into versions v1.14.1 and v0.30.4.1 The injection window ran from 00:21 to 03:20 UTC on 31 March. The implant is WAVESHAPER.V2, a cross-platform backdoor for Windows, macOS, and Linux. axios versions in question draw approximately 100 million and 83 million weekly downloads respectively at the time of the attack.

UNC1069 chose the maintainer over the library itself. Phishing one human delivered what a direct library compromise could not, because the maintainer's commit already carries the cryptographic signature that npm, package audits, and downstream CI pipelines rely on as a trust anchor. Any project that ran `npm install` during the three-hour window inherited WAVESHAPER.V2 without triggering a signature warning. Every web application that depends on axios somewhere in its dependency tree was a candidate target, and the reach is almost universal across the JavaScript ecosystem.

This is the fourth developer-toolchain compromise in five weeks : TeamPCP hit official SAP npm packages, GlassWorm turned 73 OpenVSX VS Code extensions hostile, and a PyPI package with 1.1 million monthly downloads carried infostealer payloads. axios dwarfs all of them by reach. The tactical shift from compromising packages directly to compromising the humans who maintain them closes the gap that improved package-signing infrastructure was intended to prevent. Any team running automated dependency updates must now treat a trusted committer as a potential adversary alongside the registry itself.

Deep Analysis

In plain English

Axios is a piece of software that almost every website and app built in the last decade uses to communicate over the internet. It is not software you install yourself; it is a building block that software developers include automatically when they build websites. There are roughly 183 million downloads per week across two versions. North Korean hackers tricked one of the people authorised to publish updates to Axios into opening a malicious link. With that person's access, they slipped a backdoor into two versions of Axios during a three-hour window on the night of 31 March. Any organisation that ran a software build during those three hours may have automatically installed the backdoor as part of their normal development process, without any warning. The backdoor works on Windows, Mac, and Linux computers.

Deep Analysis
Root Causes

npm's trust architecture delegates publication rights to individual maintainers without multi-party approval requirements for new dependency additions. A single phished maintainer is sufficient to ship a malicious version because npm does not require a second approver or a cryptographic hardware key for publication.

Axios' npm page lists fewer than a dozen active maintainers against 183 million weekly downloads. A single phished maintainer credential gave UNC1069 leverage over a package used by roughly one in three npm installs, because npm's publication model grants individuals unilateral push rights on packages they maintain. The open-source social engineering attack surface scales inversely with maintainer count: fewer keyholders means each individual credential carries more payload value.

UNC1069 named the malicious package plain-crypto-js to mimic a legitimate cryptography utility. Dependency tree reviewers scanning by name-pattern rather than behavioural analysis would not have flagged it before installation. The naming choice exploited a gap between how most organisations review dependency additions and what a sandbox-based or provenance-based check would have caught.

What could happen next?
  • Risk

    Any developer environment that ran npm install during the three-hour window on 31 March 2026 against Axios v1.14.1 or v0.30.4 may have a WAVESHAPER.V2 backdoor across Windows, macOS, and Linux workstations and CI/CD agents.

    Immediate · 0.85
  • Precedent

    The Axios operation is the fourth developer-toolchain compromise in five weeks, establishing maintainer-phishing at npm scale as a repeatable tactic; npm's single-maintainer publication model now faces direct pressure to add multi-party approval or hardware-key requirements.

    Short term · 0.8
  • Risk

    UNC1069's WAVESHAPER.V2 backdoor provides persistent cross-platform access; North Korean operators have used previous developer-environment footholds to steal source code and cryptocurrency wallet credentials, meaning affected organisations face ongoing exfiltration risk extending beyond the initial install window.

    Medium term · 0.75
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

Google Threat Intelligence Group / Mandiant· 8 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.