Cybersecurity: Threats and Defences
14 June

UNC1069 expands the npm WAVESHAPER supply chain

11:51 UTC

Google's Threat Intelligence Group confirmed two additional npm packages distributing the DPRK-linked WAVESHAPER.V2 backdoor beyond Axios: @shadanai/openclaw and @qqbrowser/openclaw-qbot, picked up through automated dependency resolution on 31 March.

Key takeaway

DPRK-nexus implants spread through transitive dependency resolution, not only through the single maintainer-phishing vector.

Google's Threat Intelligence Group (GTIG) confirmed on Monday 11 May 2026 that two additional npm packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, were distributing the WAVESHAPER.V2 backdoor alongside the previously reported Axios compromise [1]. Both packages picked up the malicious dependency during automated dependency resolution inside the 31 March 2026 injection window attributed to UNC1069, the North Korea-nexus threat cluster. The @qqbrowser/openclaw-qbot package shipped a compromised Axios@1.14.1 inside its own node_modules directory.

UNC1069's original Axios maintainer phishing, disclosed by GTIG and Mandiant on 5 May 2026, affected Axios versions with approximately 100 million and 83 million weekly downloads. The new finding shifts the blast-radius model: WAVESHAPER.V2 is now reaching install bases that never directly downloaded a compromised Axios version, only a package that resolved to it transitively. For Node-based services, the distribution surface is the dependency tree two or three layers below the production lockfile, not the package the developer typed at the command line.

The @shadanai and @qqbrowser namespaces suggest pre-seeded dependency traps rather than a second targeted maintainer compromise. That changes the response cost. Maintainer phishing is defended as a single incident, with multifactor authentication and out-of-band credential rotation. Pre-seeded traps require lockfile-level review of every transitive resolution, every time a package updates. WAVESHAPER.V2 is a cross-platform backdoor for Windows, macOS, and Linux; once resolved into a build, it carries the same DPRK-nexus implant capability regardless of which top-level dependency triggered the resolution.
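The lockfile-level review described above, as an added example that is not code from the article or from GTIG/Mandiant: it walks a package-lock.json "packages" map with Node's nearest-node_modules resolution rule and reports every dependency chain that ends in a watch-listed package version, including the bundled-Axios case. The lockfile fragment and its placeholder versions are constructed for illustration; only the watch-list names and versions come from the article.

```javascript
// Watch list built from the package names/versions the article cites ("*" = any version).
const WATCHLIST = {
  "axios": "1.14.1",
  "@shadanai/openclaw": "*",
  "@qqbrowser/openclaw-qbot": "0.0.130",
};
// Constructed lockfileVersion-3 fragment (not a real project): the app's own axios is a
// placeholder version, but @qqbrowser/openclaw-qbot bundles axios@1.14.1 in a nested node_modules.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "axios": "^9.0.0", "@qqbrowser/openclaw-qbot": "0.0.130" } },
    "node_modules/axios": { version: "9.9.9" },
    "node_modules/@qqbrowser/openclaw-qbot": { version: "0.0.130", dependencies: { "axios": "1.14.1" } },
    "node_modules/@qqbrowser/openclaw-qbot/node_modules/axios": { version: "1.14.1" },
  },
};
// Resolve depName from fromPath the way Node does: nearest node_modules wins, then walk outward.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without a match
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}
// Package name from a lockfile key such as ".../node_modules/@scope/name".
const nameFromPath = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
// Depth-first walk from the root; returns one chain string per watch-list hit,
// e.g. "@qqbrowser/openclaw-qbot@0.0.130 > axios@1.14.1".
function findWatchedChains(lock) {
  const hits = [];
  const walk = (path, chain) => {
    const deps = (lock.packages[path] || {}).dependencies || {};
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(lock, path, dep);
      if (!target || chain.some((c) => c.path === target)) continue; // cycle guard
      const version = lock.packages[target].version;
      const next = chain.concat({ path: target, label: `${nameFromPath(target)}@${version}` });
      const want = WATCHLIST[nameFromPath(target)];
      if (want !== undefined && (want === "*" || want === version)) hits.push(next.map((c) => c.label).join(" > "));
      walk(target, next); // keep descending: a flagged package may pull in more
    }
  };
  walk("", []);
  return hits;
}
for (const chain of findWatchedChains(LOCK)) console.log("WATCHLIST HIT:", chain);
```

Run it against a real lockfile by replacing LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfileVersion 1 files use a different shape and are not handled here.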

Deep Analysis

In plain English

A North Korea-linked hacking group that had already hidden malware inside a popular JavaScript library called Axios added two more smaller packages to its supply-chain attack on 31 March 2026. Developers who installed these packages unknowingly got the same malware, even if they never directly used Axios.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group · 20 May 2026
Causes and effects
This Event
UNC1069 expands the npm WAVESHAPER supply chain
The Axios compromise was not the blast radius; it was the visible event. Automated dependency resolution is now the distribution layer DPRK actors are aiming at, not the maintainer phishing alone.
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures, which the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and wastewater as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.