Cybersecurity: Threats and Defences
14 June

UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing

11:51 UTC

Google Threat Intelligence Group and Mandiant disclosed on 5 May that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer on 31 March, planting the WAVESHAPER.V2 backdoor in two versions with a combined 183 million weekly downloads.

Key takeaway

UNC1069 phished the Axios maintainer rather than the package, bypassing every signature control npm has.

Google Threat Intelligence Group (GTIG) and Mandiant disclosed on 5 May that North Korea-nexus actor UNC1069 phished a maintainer of the axios npm package and introduced a malicious dependency, `plain-crypto-js`, into versions v1.14.1 and v0.30.4.[1] The injection window ran from 00:21 to 03:20 UTC on 31 March. The implant is WAVESHAPER.V2, a cross-platform backdoor for Windows, macOS, and Linux. At the time of the attack, the two affected axios release lines drew approximately 100 million and 83 million weekly downloads respectively.

UNC1069 chose the maintainer over the library itself. Phishing one human delivered what a direct library compromise could not, because the maintainer's commit already carries the cryptographic signature that npm, package audits, and downstream CI pipelines rely on as a trust anchor. Any project that ran `npm install` during the three-hour window inherited WAVESHAPER.V2 without triggering a signature warning. Every web application that depends on axios somewhere in its dependency tree was a candidate target, and the reach is almost universal across the JavaScript ecosystem.
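As an added example (not code from the article, GTIG, or the axios project), a lockfile check a team could run after the disclosure to see whether a build pinned either affected axios version or pulled in the `plain-crypto-js` dependency. It handles both the nested v1 `package-lock.json` layout and the flat v2/v3 `packages` map; the sample lockfile is constructed.

```javascript
// Added example (not from the article or the axios project): scan an npm
// package-lock.json object for the affected axios versions and for the
// malicious "plain-crypto-js" dependency named in the disclosure.
const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEPENDENCY = "plain-crypto-js";
// Return one finding per suspicious lockfile entry (empty array when clean).
function findAxiosExposure(lock) {
  const findings = [];
  const check = (name, version, path) => {
    if (name === MALICIOUS_DEPENDENCY) {
      findings.push({ kind: "malicious-dependency", name, version, path });
    } else if (name === "axios" && AFFECTED_AXIOS_VERSIONS.has(version)) {
      findings.push({ kind: "affected-axios", name, version, path });
    }
  };
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by node_modules path; the package name
    // is whatever follows the last "node_modules/" (scoped names keep "@scope/").
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const idx = path.lastIndexOf("node_modules/");
      const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
      check(name, entry.version, path);
    }
    return findings;
  }
  // Lockfile v1: nested "dependencies" maps; recurse to reach transitive deps.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, entry.version, path);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}
// Constructed sample lockfile (v3 layout) with a direct and a nested axios.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
console.log(findAxiosExposure(SAMPLE_LOCK));
```

A hit means the pinned tree matches the disclosed indicators; a clean lockfile does not prove a CI agent never resolved those versions during the window if it installs without a committed lockfile.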

This is the fourth developer-toolchain compromise in five weeks: TeamPCP hit official SAP npm packages, GlassWorm turned 73 OpenVSX VS Code extensions hostile, and a PyPI package with 1.1 million monthly downloads carried infostealer payloads. axios dwarfs all of them by reach. The tactical shift from compromising packages directly to compromising the humans who maintain them sidesteps the protection that improved package-signing infrastructure was intended to provide. Any team running automated dependency updates must now treat a trusted committer as a potential adversary alongside the registry itself.

Deep Analysis

In plain English

Axios is a piece of software that almost every website and app built in the last decade uses to communicate over the internet. It is not software you install yourself; it is a building block that software developers include automatically when they build websites. There are roughly 183 million downloads per week across two versions. North Korean hackers tricked one of the people authorised to publish updates to Axios into opening a malicious link. With that person's access, they slipped a backdoor into two versions of Axios during a three-hour window on the night of 31 March. Any organisation that ran a software build during those three hours may have automatically installed the backdoor as part of their normal development process, without any warning. The backdoor works on Windows, Mac, and Linux computers.

Root Causes

npm's trust architecture delegates publication rights to individual maintainers without multi-party approval requirements for new dependency additions. A single phished maintainer is sufficient to ship a malicious version because npm does not require a second approver or a cryptographic hardware key for publication.

Axios' npm page lists fewer than a dozen active maintainers against 183 million weekly downloads. A single phished maintainer credential gave UNC1069 leverage over a package used by roughly one in three npm installs, because npm's publication model grants individuals unilateral push rights on packages they maintain. The open-source social engineering attack surface scales inversely with maintainer count: fewer keyholders means each individual credential carries more payload value.

UNC1069 named the malicious package plain-crypto-js to mimic a legitimate cryptography utility. Dependency tree reviewers scanning by name-pattern rather than behavioural analysis would not have flagged it before installation. The naming choice exploited a gap between how most organisations review dependency additions and what a sandbox-based or provenance-based check would have caught.

What could happen next?
  • Risk

    Any developer environment that ran npm install during the three-hour window on 31 March 2026 against Axios v1.14.1 or v0.30.4 may have installed a WAVESHAPER.V2 backdoor on its Windows, macOS, or Linux workstations and CI/CD agents.

    Immediate · 0.85
  • Precedent

    The Axios operation is the fourth developer-toolchain compromise in five weeks, establishing maintainer-phishing at npm scale as a repeatable tactic; npm's single-maintainer publication model now faces direct pressure to add multi-party approval or hardware-key requirements.

    Short term · 0.8
  • Risk

    UNC1069's WAVESHAPER.V2 backdoor provides persistent cross-platform access; North Korean operators have used previous developer-environment footholds to steal source code and cryptocurrency wallet credentials, meaning affected organisations face ongoing exfiltration risk extending beyond the initial install window.

    Medium term · 0.75
First Reported In


Google Threat Intelligence Group / Mandiant · 8 May 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.