Cybersecurity: Threats and Defences
29 May

UNC1069 expands the npm WAVESHAPER supply chain

14:17 UTC

Google's Threat Intelligence Group confirmed two additional npm packages distributing the DPRK-linked WAVESHAPER.V2 backdoor beyond Axios: @shadanai/openclaw and @qqbrowser/openclaw-qbot, picked up through automated dependency resolution on 31 March.

Technology · Developing
Key takeaway

DPRK-nexus implants spread through transitive dependency resolution, beyond the single maintainer phishing vector.

Google's Threat Intelligence Group (GTIG) confirmed on Monday 11 May 2026 that two additional npm packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, were distributing the WAVESHAPER.V2 backdoor alongside the previously reported Axios compromise. Both packages picked up the malicious dependency during automated dependency resolution inside the 31 March 2026 injection window attributable to UNC1069, the North Korea-nexus threat cluster. The @qqbrowser/openclaw-qbot package shipped a compromised Axios@1.14.1 inside its own node_modules directory.

UNC1069's original Axios maintainer phishing, disclosed by GTIG and Mandiant on 5 May 2026, affected Axios versions with approximately 100 million and 83 million weekly downloads. The new finding shifts the blast-radius model. WAVESHAPER.V2 is now reaching install bases that never directly downloaded a compromised Axios version, only a package that resolved to it transitively. For Node-based services, the distribution surface is the dependency tree two or three layers below the top-level entries in the production lockfile, not the package the developer typed at the command line.

The @shadanai and @qqbrowser namespaces suggest pre-seeded dependency traps rather than a second targeted maintainer compromise. That changes the response cost. Maintainer phishing can be handled as a single incident, with multifactor authentication and out-of-band credential rotation. Pre-seeded traps require lockfile-level review of every transitive resolution, every time a package updates. WAVESHAPER.V2 is a cross-platform backdoor for Windows, macOS, and Linux; once resolved into a build, it carries the same DPRK-nexus implant capability regardless of which top-level dependency triggered the resolution.
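One way to do the lockfile-level review described above, as an added example that is not code from the briefing or from GTIG: walk a package-lock.json and report every installed copy of axios, including a copy nested under another dependency's own node_modules, with the chain that pulled it in. The lockfile is constructed sample data; the only flagged version is the axios@1.14.1 named in the briefing, and the list is meant to be extended from the vendor advisory.

```javascript
// Added example: finds nested (transitive) copies of a package in an npm lockfile.
// Assumes lockfileVersion 2 or 3, whose "packages" map keys every install path.
const FLAGGED = { axios: new Set(['1.14.1']) }; // version from the briefing; extend from the advisory

// Constructed sample lockfile: a clean root axios plus a nested 1.14.1 under openclaw-qbot.
const SAMPLE_LOCK = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.7.0', '@qqbrowser/openclaw-qbot': '0.0.130' } },
    'node_modules/axios': { version: '1.7.0' },
    'node_modules/@qqbrowser/openclaw-qbot': { version: '0.0.130', dependencies: { axios: '1.14.1' } },
    'node_modules/@qqbrowser/openclaw-qbot/node_modules/axios': { version: '1.14.1' },
  },
};

// Turn a lock key into its nesting chain, keeping scoped names intact:
// 'node_modules/a/node_modules/@s/b' -> ['a', '@s/b']
function chainOf(key) {
  return key.split('node_modules/').slice(1).map((s) => s.replace(/\/$/, ''));
}

// Every installed copy of `name`, with the dependency chain that resolved it and a flag.
function findResolutions(lock, name) {
  if (!lock.packages) throw new Error('lockfileVersion 1 has no "packages" map; regenerate the lockfile');
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const chain = chainOf(key);
    if (chain[chain.length - 1] !== name) continue; // not this package (root entry has an empty chain)
    hits.push({
      path: key,
      version: entry.version,
      via: chain.length > 1 ? chain.slice(0, -1).join(' > ') : '(root)',
      flagged: (FLAGGED[name] || new Set()).has(entry.version),
    });
  }
  return hits;
}

// Only the copies that resolved to a flagged version, across every package in FLAGGED.
function flaggedResolutions(lock) {
  return Object.keys(FLAGGED).flatMap((n) => findResolutions(lock, n)).filter((h) => h.flagged);
}

console.table(flaggedResolutions(SAMPLE_LOCK));
```

Running the block against a real lockfile means replacing SAMPLE_LOCK with the parsed package-lock.json; a nested hit whose `via` is a package you never chose is exactly the transitive resolution the briefing warns about.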

Deep Analysis

In plain English

A North Korea-linked hacking group that had already hidden malware inside a popular JavaScript library called Axios added two more smaller packages to its supply-chain attack on 31 March 2026. Developers who installed these packages unknowingly got the same malware, even if they never directly used Axios.

First reported in

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group · 20 May 2026
Causes and effects
This Event
UNC1069 expands the npm WAVESHAPER supply chain
The Axios compromise was not the blast radius; it was the visible event. Automated dependency resolution is now the distribution layer DPRK actors are aiming at, not the maintainer phishing alone.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.