
Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

1 unique source, 1 article

Summary


A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4) containing the WAVESHAPER.V2 implant. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, followed by engagement via a cloned Slack workspace and a Microsoft Teams call where a fake system update was presented. Execution of the malicious update deployed a remote access trojan, enabling credential theft and package tampering. The attack highlights the increasing focus of UNC1069 (also tracked as BlueNoroff and associated with GhostCall campaigns) on open-source maintainers as a vector to compromise downstream software ecosystems at scale.

Timeline

  1. 03.04.2026 14:04 · 1 article

    UNC1069 compromises Axios npm package via maintainer social engineering, publishes trojanized versions 1.14.1 and 0.30.4 with WAVESHAPER.V2 implant

    Maintainer of the Axios npm package disclosed a targeted social engineering campaign by UNC1069 that culminated in the theft of npm account credentials and the publication of trojanized Axios versions 1.14.1 and 0.30.4 containing the WAVESHAPER.V2 implant. The attack chain involved impersonation of a legitimate company founder using a cloned identity, a convincing fake Slack workspace, a fraudulent Microsoft Teams meeting where a fake system update was presented, and deployment of a remote access trojan to exfiltrate credentials and publish malicious packages. The implant enables persistent access and potential downstream compromise across the JavaScript ecosystem.


Information Snippets

  • Threat actor UNC1069 conducted a social engineering campaign specifically targeting the Axios npm package maintainer, Jason Saayman, by impersonating the founder of a legitimate company using a cloned identity and branded Slack workspace.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • The threat actor hosted a convincing fake Slack workspace with channels mirroring the legitimate company’s CI branding and shared plausible LinkedIn posts to establish credibility before inviting the maintainer to a Microsoft Teams call.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • During the fake Teams call, the maintainer was presented with a fraudulent system error prompting an update; executing the update deployed a remote access trojan that enabled the attacker to steal npm account credentials.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • The compromised credentials were used to publish two trojanized versions of the Axios package—versions 1.14.1 and 0.30.4—each containing an implant named WAVESHAPER.V2.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • The attack chain and tradecraft closely align with previously documented UNC1069 campaigns tracked by Kaspersky as GhostCall and by Huntress, historically targeting crypto founders, VCs, and public figures to facilitate financial fraud.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • Axios is downloaded nearly 100 million times weekly and is a foundational dependency in the JavaScript ecosystem, amplifying the potential blast radius of a supply chain compromise through direct and transitive dependencies.

    First reported: 03.04.2026 14:04
    1 source, 1 article
  • Post-incident, the maintainer reset all devices and credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to align with best practices to mitigate future risks.

    First reported: 03.04.2026 14:04
    1 source, 1 article