Cybersecurity: Threats and Defences
20 May

UNC1069 expands the npm WAVESHAPER supply chain

09:58 UTC

Google's Threat Intelligence Group confirmed two additional npm packages distributing the DPRK-linked WAVESHAPER.V2 backdoor beyond Axios: @shadanai/openclaw and @qqbrowser/openclaw-qbot, picked up through automated dependency resolution on 31 March.

Technology · Developing
Key takeaway

DPRK-nexus implants spread through transitive dependency resolution, beyond the single maintainer phishing vector.

Google's Threat Intelligence Group (GTIG) confirmed on Monday 11 May 2026 that two additional npm packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, were distributing the WAVESHAPER.V2 backdoor alongside the previously reported Axios compromise [1]. Both packages picked up the malicious dependency during automated dependency resolution inside the 31 March 2026 injection window attributable to UNC1069, the North Korea-nexus threat cluster. The @qqbrowser/openclaw-qbot package shipped a compromised Axios@1.14.1 inside its own node_modules directory.

UNC1069's original Axios maintainer phishing, disclosed by GTIG and Mandiant on 5 May 2026, affected Axios versions with approximately 100 million and 83 million weekly downloads. The new finding shifts the blast-radius model. WAVESHAPER.V2 is now reaching install bases that never directly downloaded a compromised Axios version, only a package that resolved to it transitively. For Node-based services, the dependency tree two or three layers below the production lockfile is the distribution surface, not the package the developer typed at the command line.

The @shadanai and @qqbrowser namespaces suggest pre-seeded dependency traps rather than a second targeted maintainer compromise. That changes the response cost. Maintainer phishing is a single-incident problem, defended with multifactor authentication and out-of-band credential rotation. Pre-seeded traps require lockfile-level review of every transitive resolution, every time a package updates. WAVESHAPER.V2 is a cross-platform backdoor for Windows, macOS, and Linux; once resolved into a build, it carries the same DPRK-nexus implant capability regardless of which top-level dependency triggered the resolution.
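The lockfile-level review described above, as an added example (not code from the briefing, GTIG, or any of the projects named): a Node.js script that walks an npm package-lock.json (lockfileVersion 2 or 3), flags any resolved copy of a listed package version, and reports whether each copy was nested under another package's private node_modules, which is exactly the case the briefing describes for Axios@1.14.1 inside @qqbrowser/openclaw-qbot. The sample lockfile is constructed; the package names and versions are the ones the briefing names, but the tree shape is an assumption for illustration.

```javascript
// Added example, not code from the briefing or from GTIG: audit an npm
// package-lock.json (lockfileVersion 2 or 3) for flagged package versions
// anywhere in the resolved tree, including copies nested inside another
// package's own node_modules, and report how each copy got there.
//
// On a real project, replace SAMPLE_LOCKFILE with:
//   JSON.parse(fs.readFileSync("package-lock.json", "utf8"))

// Constructed sample lockfile so the example runs offline. The names and
// versions are the ones the briefing reports; the tree shape (a second axios
// nested under @qqbrowser/openclaw-qbot) is an assumption for illustration.
const SAMPLE_LOCKFILE = {
  name: "example-service",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "@qqbrowser/openclaw-qbot": "0.0.130", axios: "^1.6.0" },
    },
    "node_modules/axios": { version: "1.6.8" },
    "node_modules/@qqbrowser/openclaw-qbot": {
      version: "0.0.130",
      dependencies: { axios: "1.14.1" },
    },
    "node_modules/@qqbrowser/openclaw-qbot/node_modules/axios": { version: "1.14.1" },
  },
};

// Flagged name -> Set of versions, or null to flag every version of that name.
// Versions here are the ones the briefing reports; feed your own advisory list.
const FLAGGED = {
  axios: new Set(["1.14.1"]),
  "@qqbrowser/openclaw-qbot": new Set(["0.0.130"]),
  "@shadanai/openclaw": null,
};

// Split a lockfile package key into the package name and the chain of packages
// whose private node_modules nest it, outermost first.
// "node_modules/a/node_modules/@s/b" -> { name: "@s/b", chain: ["a"] }
function parseLockPath(key) {
  const parts = key
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter(Boolean);
  return { name: parts[parts.length - 1], chain: parts.slice(0, -1) };
}

function isFlagged(flagged, name, version) {
  if (!(name in flagged)) return false;
  const versions = flagged[name];
  return versions === null || versions.has(version);
}

// Walk every resolved package in the lockfile and return the flagged ones,
// sorted by key so the output is stable for diffing in CI.
function auditLockfile(lock, flagged) {
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7");
  }
  const root = lock.packages[""] || {};
  const requestedDirectly = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.link) continue; // root project or workspace symlink
    const { name, chain } = parseLockPath(key);
    if (!isFlagged(flagged, name, entry.version)) continue;
    hits.push({
      name,
      version: entry.version,
      key,
      // A nested copy always came in through the package that owns the enclosing node_modules.
      nestedUnder: chain.length ? chain[0] : null,
      // A hoisted top-level copy is transitive unless the root package.json asks for it by name.
      transitive: chain.length > 0 || !requestedDirectly.has(name),
    });
  }
  return hits.sort((a, b) => (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
}

function formatReport(hits) {
  if (hits.length === 0) return "no flagged packages resolved";
  return hits
    .map((h) =>
      h.nestedUnder
        ? `${h.name}@${h.version} nested under ${h.nestedUnder} (${h.key})`
        : `${h.name}@${h.version} at top level, ${h.transitive ? "transitive" : "direct"} (${h.key})`
    )
    .join("\n");
}

console.log(formatReport(auditLockfile(SAMPLE_LOCKFILE, FLAGGED)));
```

Run against the sample, the report shows the hoisted Axios 1.6.8 as clean and the nested Axios 1.14.1 as owned by @qqbrowser/openclaw-qbot, which is the finding a plain `npm ls axios` at the top level can hide. Wiring this into CI on every lockfile change is the cheapest form of the per-update transitive review the briefing calls for.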

Deep Analysis

In plain English

A North Korea-linked hacking group that had already hidden malware inside a popular JavaScript library called Axios added two more smaller packages to its supply-chain attack on 31 March 2026. Developers who installed these packages unknowingly got the same malware, even if they never directly used Axios.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group · 20 May 2026
Causes and effects
This Event
UNC1069 expands the npm WAVESHAPER supply chain
The Axios compromise was not the blast radius; it was the visible event. Automated dependency resolution is now the distribution layer DPRK actors are aiming at, not the maintainer phishing alone.
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.