WAVESHAPER.V2 trojanized Axios npm packages
Malware Activity
Summary
The WAVESHAPER.V2 implant was embedded in trojanized Axios npm package releases, creating downstream supply-chain risk for npm users. The malicious code was published after attackers used a remote access trojan to steal the maintainer's npm account credentials. The trojanized releases were Axios 1.14.1 and 0.30.4, widening exposure across direct and transitive dependencies. Because Axios is used at massive scale, the malicious releases could affect a broad part of the JavaScript ecosystem.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
RoshniNaveenaS's account hit by network compromise
Incident
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...
Timeline
03.04.2026 14:04 (2 articles)
UNC1069 compromises Axios maintainer
Initial Disclosure
North Korean threat actors tracked as UNC1069 compromised the Axios npm package maintainer through highly targeted social engineering that used a cloned founder identity, a branded Slack workspace, and a fake Microsoft Teams update prompt. The access led to a remote access trojan, theft of npm account credentials, publication of trojanized Axios 1.14.1 and 0.30.4 releases containing WAVESHAPER.V2, and follow-on hardening steps that included resetting devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions.
Sources:
- UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — thehackernews.com — 03.04.2026 14:04
- Axios npm hack used fake Teams error fix to hijack maintainer account — www.bleepingcomputer.com — 04.04.2026 23:30