
UNC1069 seven-family macOS malware deployment

Malware Activity
Happening score: 33
3 unique sources, 3 articles

Summary


This UNC1069 malware-activity track now also covers the Axios npm supply-chain compromise, after Google attributed that attack to the suspected North Korean cluster. The attackers hijacked the maintainer's npm account and published trojanized Axios releases 1.14.1 and 0.30.4 that added a plain-crypto-js dependency and used a postinstall hook to launch SILKBELL (`setup.js`), which delivers the payload cross-platform to Windows, macOS, and Linux. The resulting backdoor, WAVESHAPER.V2, is described as an updated version of WAVESHAPER, which UNC1069 previously deployed in attacks on the cryptocurrency sector.

Related Happenings

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 · Last: 12.05.2026 14:07 · Sources: 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 · Last: 30.04.2026 19:31 · Sources: 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
First: 16.04.2026 14:02 · Last: 16.04.2026 14:02 · Sources: 1

About this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...

WAVESHAPER.V2 trojanized Axios npm packages

Malware Activity
First: 03.04.2026 14:04 · Last: 03.04.2026 14:04 · Sources: 1

About this happening: The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 · Last: 02.04.2026 17:15 · Sources: 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Timeline

  1. 11.02.2026 00:17 · 3 articles · 3mo ago

    UNC1069 crypto-sector malware campaign disclosed

    Initial Disclosure

    North Korean hackers linked to UNC1069 targeted a cryptocurrency-sector fintech organization with an AI-generated video and ClickFix social-engineering chain that began on Telegram, moved to a Calendly link and spoofed Zoom meeting page, and led to AppleScript execution, a malicious Mach-O binary, and seven macOS families — WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH — for backdoor access, credential theft, browser data theft, Telegram data theft, Apple Notes theft, and persistent follow-on payload delivery on macOS and Windows.
