UNC1069 seven-family macOS malware deployment
Malware Activity
Summary
Hide ▲
Show ▼
A UNC1069 malware activity track now includes the Axios npm supply-chain compromise after Google attributed the attack to the suspected North Korean cluster. Attackers hijacked the maintainer’s npm account to publish trojanized 1.14.1 and 0.30.4 releases that added plain-crypto-js and used a postinstall hook to launch SILKBELL (`setup.js`) for cross-platform delivery to Windows, macOS, and Linux. The backdoor WAVESHAPER.V2 is described as an updated version of WAVESHAPER, previously deployed by UNC1069 in attacks aimed at the cryptocurrency sector.
Related Happenings
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
H score29
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Lightning PyPI router_runtime.js credential-stealing payload
Malware ActivityAbout this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Timeline
-
11.02.2026 00:17 3 articles · 4mo ago
UNC1069 crypto-sector malware campaign disclosed
Initial DisclosureNorth Korean hackers linked to UNC1069 targeted a cryptocurrency-sector fintech organization with an AI-generated video and ClickFix social-engineering chain that began on Telegram, moved to a Calendly link and spoofed Zoom meeting page, and led to AppleScript execution, a malicious Mach-O binary, and seven macOS families — WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH — for backdoor access, credential theft, browser data theft, Telegram data theft, Apple Notes theft, and persistent follow-on payload delivery on macOS and Windows.
Show sources
- North Korean hackers use new macOS malware in crypto-theft attacks — www.bleepingcomputer.com — 11.02.2026 00:17
- North Korea's UNC1069 Hammers Crypto Firms With AI — www.darkreading.com — 11.02.2026 23:56
- Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 — thehackernews.com — 01.04.2026 10:44