WAVESHAPER.V2 trojanized Axios npm packages
Malware Activity
Summary
Hide ▲
Show ▼
The WAVESHAPER.V2 implant was embedded in trojanized Axios npm package releases, creating downstream supply-chain risk for npm users. The malicious code was published after attackers used a remote access trojan to steal the maintainer's npm account credentials. The abuse covered Axios 1.14.1 and 0.30.4, widening exposure across direct and transitive dependencies. Because Axios is used at massive scale, the malware delivery could affect a broad JavaScript ecosystem.
Related Happenings
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceAbout this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
-
03.04.2026 14:04 2 articles · 3mo ago
UNC1069 compromises Axios maintainer
Initial DisclosureNorth Korean threat actors tracked as UNC1069 compromised the Axios npm package maintainer through highly targeted social engineering that used a cloned founder identity, a branded Slack workspace, and a fake Microsoft Teams update prompt. The access led to a remote access trojan, theft of npm account credentials, publication of trojanized Axios 1.14.1 and 0.30.4 releases containing WAVESHAPER.V2, and follow-on hardening steps that included resetting devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions.
Show sources
- UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — thehackernews.com — 03.04.2026 14:04
- Axios npm hack used fake Teams error fix to hijack maintainer account — www.bleepingcomputer.com — 04.04.2026 23:30